Based on regional analysis conducted for the report by the Ponemon Institute, UK businesses know the least about their application situation – only 32% are “confident” or “very confident” that they have full oversight –whereas Germans are the most confident, with 45% claiming to know the full story.
The Application Protection Report, which is the most extensive study of its kind yet, also identified grossly inadequate web application security practices, with 60% of businesses stating they don’t test for web application vulnerabilities, have no pre-set schedule for tests, are unsure if tests happen, or only test annually.
Furthermore, 46% of surveyed respondents disagreed or strongly disagreed that their organisation had adequate resources to detect application vulnerabilities. 49% said the same about their remediation capabilities.
“Many businesses fail to keep pace with technological developments and make unwitting and dangerous security compromises as they have a worrying lack of insight into their application environments. This is a big problem. The pressure has never been higher to deliver applications with unprecedented speed, adaptive functionality, and robust security — particularly against the backdrop of increasing European data protection legislation,” said David Warburton, Senior EMEA Threat Research Evangelist, F5 Networks.
Counting the cost
According to the Ponemon Institute’s regional review, the global average for web app frameworks and environments in use is 9,77. The US has the most (12,09), with both the UK (9,72) and Germany (10,37) claiming to be above average.
On average, global businesses consider 33,85% all apps to be “mission critical”. In EMEA, the percentage is 35% and 33% for the UK and Germany, respectively. All regions identified the same top three critical apps: document management and collaboration; communication apps (such as email and texting); and Microsoft Office suites.
Global respondents were also unanimous that the three most devastating threats facing businesses today are credential theft, DDoS attacks, and web fraud.
In EMEA, 76% of German respondents are most concerned about credential theft, which is second only to Canada (81%). DDoS attacks (64%) and web fraud (49%) are German business’ next biggest concerns.
Interestingly, the UK is more threatened by web fraud than anyone else (57% of respondents). Nevertheless, its biggest worries are credentials theft (69%) and DDoS attacks (59%).
Unsurprisingly, web app attacks are a major operational blight in all countries. 90% of respondents in the US and Germany said it would be “very painful” if an attack resulted in the denial of access to data or apps. The UK is the next most potentially vulnerable country with 87% concurring.
The global average incident cost for app denial of service is $6,86m. The US endures the costliest range of attacks with losses of $10,64m on average, closely followed by Germany’s $9,17 million. The UK is slightly below the global average with an average of $6,57m per incident.
Regional differences are also apparent when estimating the incident cost of confidential or sensitive information leaks, such as intellectual property or trade secrets. Globally, the average cost stands at $8,63m. The US pays out the most, having to foot an average bill $16,91m. Germany is second with typical losses of $11,30m. The UK fares better with average losses of $8,10m, which is almost half the US estimate.
Meanwhile, the global average estimated incident cost for leakage of personally identifiable information (customer, consumers or employees) stands at $6,29m. The US is once again hardest hit at an average of $9,37m, ahead of Germany ($8,48m), India ($6,63m), and the UK ($5,63m).
Tools and tactics
According to surveyed businesses, the three main tools for keeping apps safe are Web Application Firewalls (WAF), application scanning, and penetration testing
WAF takes the top spot in the US (30%), Brazil (30%), UK (29%), Germany (29%), Canada (26%) and India (26%). Penetration testing is most prominent in India (24%), followed China (20%), Brazil (19%), Germany (20%), Canada (20%), the UK (18%) and the US (18%). India is again in the lead for app scanning (24%), trailed by China (22%), Brazil (21%), Canada (19%), the US (18%), Germany (16%), and the UK (13%).
The business community’s growing appetite for WAF is further echoed in F5’s 2018 State of Application Delivery report3, which revealed that 61% of surveyed global businesses currently use WAFs to protect applications – a trend largely driven by soaring multi-cloud usage.
The Ponemon Institute also reported that DDoS mitigation and backup technologies are the most widely used technologies to achieve high web application availability. German and Brazilian respondents were the strongest DDoS mitigation advocates (both 64%), edging out the US (62%), the UK (60%) and China (60%). Backup technologies are most popular in Canada (76%), the UK (74%), and Germany (73%).
Storage encryption is also seen as a critical defensive tool. Germany leads the way in this respect, with 50% of businesses using the technology “most of the time”, ahead of Canada (44%), the US (40%) and the UK (39%).
Safeguarding the future
“A company’s reputation depends on a comprehensive security architecture. Firms across the globe can no longer rely on traditional IT infrastructures. Technologies such as bot protection, application-layer encryption, API security, and behavior analytics, as we see in advanced WAFs, are now essential to defend against attacks. Thanks to automated tools with enhanced machine learning, businesses can start to detect and mitigate cybercrime with the highest level of accuracy yet,” said Warburton.