Most Companies Willing to Spend More on App Security Only After a Breach, Ponemon Study Shows

Most companies admit they don't invest enough in application security until after they've suffered a breach, and almost half lack clear visibility into their business-critical apps, according to new data sourced by Ponemon Institute.

Ponemon ran a poll for Arxan Technologies, who wanted to better understand the risk applications pose to businesses when running in unsecured environments, as well as to see if IT and IT security practitioners are addressing this risk. Some 43,000 respondents in more than a dozen industries across the US, EU and APAC were surveyed.

Nearly 75% of organizations were likely to or definitely experienced a cyber-attack or data breach within the last year due to a vulnerable or otherwise compromised application, the study revealed. 63% said they were very concerned they will be hacked through a flawed application, and 54% said they expected threats to grow more severe in 2018.

Given these numbers, one would expect these same organizations to invest heavily in cyber-resilience, yet only 25% of respondents said their organization is making “a significant investment in solutions to prevent application attacks.”

“The results indicated a predominant global issue: application breaches are rising and so are the security risks of running business critical apps in zero-trust environments. However, companies are not adequately investing in application security measures until after breaches occur, resulting in loss of productivity, customer trust and revenue,” according to the press release.

According to Arxan, the average data breach costs around $4 million, after factoring in lost customers, impact on operations, and increased insurance costs.

48% believe app performance and speed are more important than security. However, 56% of IT managers ranked performance and security as equally important. Worryingly, 65% admitted they’d be spurred to increase application protection only after customers are negatively affected.

The study further uncovered that, without visibility of the application threat landscape, businesses do not have the necessary intelligence to secure customer-facing applications and protect their business. In a similar survey by Oyutpost24, 16% of IT security professionals said they ignore critical security issues if they don’t know how to fix them.