Most businesses have failed to allocate sufficient financial and technical resources to secure Web applications, leaving corporate data vulnerable to theft.
These are among the key findings of 'The State of Application Security' survey released on 26 April 2010 by IT security and data protection firms Imperva, WhiteHat Security and the Ponemon Institute.
The Ponemon study surveyed 627 IT and IT security practitioners from more than 400 US-based multinational enterprises and government organisations, and assessed the data security risks of insecure websites.
According to the study, despite the awareness that insecure Web applications posed the greatest threat to corporate data, organisations merely allocated "18 per cent of the security budget to protect them".
"Too many organisations remain paralysed by the false notion that security is too complex a challenge," said Larry Ponemon, chairman and founder of the Ponemon Institute.
Although most organisations have numerous mission-critical applications accessible via their websites, they did not view application security as a strategic initiative.
The study found that "61 per cent of responding organisations have up to 100 public-facing Web applications that access millions of customer records, but have not made application security a high priority".
The survey respondents did not believe their organisations had sufficient resources specifically budgeted to Web application security. A major percentage of IT security budgets were allocated to network and host security.
"Most of the largest and recent data breaches to date have been a result of attacks against Web applications," said Jeremiah Grossman, WhiteHat founder and chief technology officer.
To tackle today's cyber threats, "companies must shift their security strategy and budgets from being predominantly infrastructure-based and prioritise the data and applications directly".
"The cyber threat landscape has shifted from bringing down networks to stealing data," said Imperva chief executive officer, Shlomo Kramer, "and it's time to stop fighting yesterday's war."
This story, "Defenseless against cyber attacks", was originally published by MIS Asia.