Business spend is failing to protect against top threat to data security, study finds

A lack of protection for web-based applications means many businesses are at a high risk of cyberattack, a survey has found.

Business allocates an average of only 18% of IT security budget to protecting highly vulnerable web-based applications, according to a study by the Ponemon Institute, Imperva and WhiteHat Security.

That is despite the fact that web-based applications are widely recognised as the route cybercriminals most commonly use to attack businesses.

Some 93% of the top data thefts in 2009 used attacks against web applications, according to a Privacy Rights Organisation report.

Only 30% of more than 400 organisations polled said application security was a strategic initiative and they believed they had enough resources to mitigate this risk.

On average, the biggest share of the budget (43%) still goes to network and host security, even though 61% of organisations polled had up to 100 public-facing web applications accessing millions of customer records.

This is mainly because of a lack of awareness, particularly among smaller organisations, according to Amichai Shulman, chief technology officer at Imperva.

"Many businesses still have the false notion that if they are small enough they will not be targeted, but nowadays professional cybercriminals will go after any business regardless of size," he told Computer Weekly.

Security efforts also tend to be focused on networks because security professionals traditionally come from a network background and, therefore, concentrate most on the risks they best understand, he said.

Businesses also tend to believe that the best way to address web application vulnerabilities is through secure code development, but this is a flawed approach, according to Shulman.

"Developers are getting paid to deliver functionality and should be thinking about what applications can do. They cannot spend their time and creativity thinking about what applications should not be doing," he said.

While infrastructure security is still important, the most proactive organisations are typically spending up to 25% of their IT security budget on protecting web-based applications, said Shulman.

The more reactive organisations, mostly smaller ones, have failed to shift their budgets in time and are still allocating about 12% of budget to application security, although this is expected to increase in the coming years, he said.

To address today's real cyberthreats, companies must shift their security strategy and budgets from being predominantly infrastructure-based and prioritise data and applications directly, said Jeremiah Grossman, WhiteHat chief technology officer.

Research confirms the value of taking a strategic, prescriptive posture to the challenges of protecting valuable data, said Larry Ponemon, chairman of the Ponemon Institute.

"This includes a greater than 60% rate of improvement in fixing known vulnerabilities," he said.
