Are you spending enough on app security? Probably not
01 March 2017
When it comes to creating an online app for your business, you’re probably all for it. Getting your brand out there and offering some form of service for desktop and mobile users is a great way to boost your bottom line. However, as keen as many of us are to push out a web application or two, very few of us are actually investing adequate time and money in making them truly secure.
As anyone with a website will know, app security is always a concern. Whether it’s your website being disrupted by a DDoS attack or a cyber criminal hacking into your system to steal sensitive data, there are always potential dangers when you have a virtual presence. In fact, according to a UK government-backed study in 2016, almost 66 per cent of businesses had suffered some form of attack within a 12-month period.
Government urges business owners to help themselves
In a bid to combat these threats, the government has invested £1.9bn to help protect the business sector. However, ministers have also stressed that companies need to do better at protection. The Cyber Essentials scheme has been launched as a first port of call for small businesses, but that on its own isn’t enough. As outlined by a 2016 SANS Institute report, most companies aren’t spending enough on application security (AppSec).
Surveying 475 businesses, SANS Institute found that only 30 per cent of respondents tasked their web app development teams with app security testing. More significantly, 29 per cent of those surveyed said they spend one per cent or less of their IT budget on AppSec. Additionally, just 23 per cent spend between two per cent and five per cent, while 24 per cent said they didn’t even know how much they were spending.
This lack of spending not only falls short of what’s required, it’s leaving small businesses vulnerable to issues such as cross-site scripting and SQL injections that could cause serious damage. As we’ve said, the government’s Cyber Essentials scheme is a great starting point, but security experts suggest that web application firewalls (WAFs) are now essential.
With cloud services making this app security technology more affordable, all businesses with web applications are being encouraged to enlist the services of a dedicated WAF provider. Indeed, as explained by Incapsula, WAFs not only protect against OWASP’s Top 10 Threats, they also “prevent disruption to your application and improve website performance”.
Prevention is cheaper than a cure
“But I don’t have the budget or capacity to employ the services of a WAF provider.” This is a common response from security-phobic business owners, but prevention is always better than desperately looking for a cure. The stats show that web applications are vulnerable and people aren’t spending enough on security, and the evidence suggests that an attack could cost your business thousands.
In 2016, an IBM-sponsored study found that the average cost of a data breach was up 29 per cent to $4m/£3.1m. Naturally, this study includes major corporations, but broken down, the report shows that a company in the retail industry could lose $172/£137 per stolen record. So, let’s assume you had a web application that wasn’t protected by a WAF and hadn’t been properly tested. The app is vulnerable and a hacker decides to exploit its weakness and steal ten client records. If you’re in the retail industry, the potential cost of this breach would be £1,370.
App security is certainly a growing market, but that doesn’t mean you should simply ignore it until it matures. The cost of an app security breach could vastly outweigh the amount you’d need to spend to ensure your online portals are correctly tested and protected. So, the next time you review your online security budget, ask yourself: am I spending enough? If you’re one of the businesses that aren’t spending enough, you might want to think about making that a strategic priority in 2017.