The number of security vulnerabilities detected in the financial services sector has increased by over 418% in the last four years, according to new research from global cyber security and risk mitigation expert NCC Group.
The company analysed vulnerabilities found in 168 financial services organisations using a number of different scanning methods. The results revealed that the number of security vulnerabilities detected within the sector has increased dramatically in recent years, rising from an average per organisation of 217 in 2013 to 910 in 2016.
Of the issues marked as high and medium risk, 24.7% were web application framework vulnerabilities within the software designed to support the development of web applications including web APIs, services and resources. This number had increased almost five-fold since 2013.
David Morgan, executive principal at NCC Group, said: “Although the type of scan used can impact the detection of vulnerabilities in certain categories, the sheer size of the increase in web application framework issues means that the rise can’t be entirely attributed to this.
“The sector is increasingly taking a digital-first approach to better engage with customers, and a consequence of this is organisations will be exposed to an increased number of security vulnerabilities, so it’s important that they are aware of the risks.”
It was found that all of the high and medium risk web application framework vulnerabilities could be fixed by updating the affected platforms or tools. 98.2% of these vulnerabilities were mitigated by updating PHP, as the newest versions of the scripting language can mitigate a number of security bugs. Other fixes included updating ASP.net and Apache Tomcat, which are both used to power mission-critical web applications.
Morgan added: “Since they are a frequent target for cyber criminals, financial services companies should be continuously monitoring for vulnerabilities and regularly updating their software, particularly when these tools form the building blocks of what are often business-critical web applications.”