Many organizations, including the likes of Panera, Under Armour, Delta and Sears, have suffered the consequences of a "golden child" app that runs wild. All of them have experienced high-value web-app attacks.
A new study released by Arxan, the 2018 Global Study on Application Security, looks at the impact that apps running in unsecured environments have on businesses and at the specific tools and techniques businesses are currently using to get in front of these risks.
The study of nearly 1,400 IT and IT security practitioners across the US, EU and APAC indicates that effective app visibility to stop attacks is still lacking and that the motivator for improved app protection comes after the damage is done – loss of productivity, customer trust and revenue.
It's loss, not prevention, that continues to drive investment in application security. As application breaches continue to rise, so do the security risks of running business-critical apps in zero-trust environments.
The majority of organizations (75%) that participated in the study reported that they likely, most likely or definitely experienced a material cyber-attack or data breach within the last year due to a compromised application. More than half (54%) of respondents expect to see a significant increase in threats in 2018, and 64% of respondents are concerned that they will be hacked through an application.
“This is a big deal, it’s not pocket change. The average data breach costs almost $4 million when you include lost customers, the impact to operations, and your insurance costs going up,” said Rusty Carter, vice president of product management, Arxan. “Companies have to change the way they think about investing in app security because threats are only getting worse.”
Despite the anticipation of increased risk, only 25% of respondents report making significant investment in solutions to prevent application attacks, likely because 48% of respondents believe that app performance and speed are more important than security.
The findings in this study point to two struggles companies have faced for some time. "Giving organizations the visibility into the security posture of their deployed applications allows them to optimize their security and customer experience," said Carter. "Yet security professionals lack an awareness about the status of their app's security."
As a result, "they will be ineffective at responding to attacks before they lead to full-blown breaches," said Carter.