Businesses across the world still struggle to understand, optimise, and protect their rapidly expanding application environments, according to new F5 sponsored research from the Ponemon Institute.
A survey of 3,135 IT and security practitioners from businesses across the UK, Germany, USA, Canada, Brazil, China, and India reveals that 38% of respondents have “no confidence” that they have supervision over all applications in use. UK businesses know the least about their application situation (32%), whereas German businesses are the most confident (45%).
The Ponemon Institute conducted the regional analysis as a part of F5 Lab’s recently released 2018 Application Protection Report. (1)
“Many businesses fail to keep pace with technological developments and make unwitting and dangerous security compromises as they have a worrying lack of insight into their applications. This is a big problem. The pressure has never been higher to deliver applications with unprecedented speed, adaptive functionality, and robust security, and against the backdrop of increasing European information security legislation,” said David Warburton, Senior Threat Research Evangelist EMEA, F5 Networks.
Counting the cost
According to the Ponemon Institute, the global average for web app frameworks and environments in use is 9.77. The US has the most (12.09), with both the UK (9.72) and Germany (10.37) claiming to be above average.
On average, global businesses consider 33.85% of all apps to be “mission critical”. The percentage drops slightly in EMEA, with 35% of apps reported as critical in the UK and 33% in Germany. All regions identified the same top three critical apps: document management and collaboration; communication apps (such as email and texting); and Microsoft Office suites.
The respondents were unanimous that the three most devastating threats facing businesses today are credential theft, DDoS attacks, and web fraud.
In EMEA, 76% of German respondents are most concerned about credential theft, which is second only to Canada (81%). DDoS attacks (64%) and web fraud (49%) are German businesses’ next biggest concerns.
Interestingly, the UK is more threatened by web fraud than anyone else (57% of respondents). Nevertheless, its biggest worries are credential theft (69%) and DDoS attacks (59%).
Unsurprisingly, web app attacks are a major operational blight in all countries. 90% of respondents in the US and Germany said it would be “very painful” if an attack resulted in the denial of access to data or apps. The UK is the next most potentially vulnerable country with 87% agreeing to the same.
The global average incident cost for app denial of service is $6.86m. The US endures the costliest range of attacks with losses of $10.64m on average, closely followed by Germany’s $9.17m. The UK is slightly below the global average with an average of $6.57m per incident.
Regional differences are also apparent when estimating the incident cost of confidential or sensitive information leaks, such as intellectual property or trade secrets. Globally, the average cost stands at $8.63m. The US pays out the most, having to foot an average bill of $16.91m. Germany is second with typical losses of $11.30m. The UK fares far better with average losses of $8.10m – almost half the US estimate.
Meanwhile, the global average estimated incident cost for leakage of personally identifiable information (of customers, consumers or employees) stands at $6.29m. The US is once again hardest hit at an average of $9.37m, ahead of Germany ($8.48m), India ($6.63m), and the UK ($5.63m).
Tools and tactics
According to the survey, the three main tools for keeping apps safe are Web Application Firewalls (WAF), application scanning, and penetration testing.
WAF takes the top spot in the US (30%), Brazil (30%), the UK (29%), Germany (29%), Canada (26%) and India (26%). Penetration testing is most prominent in India (24%), followed by China (20%), Germany (20%), Canada (20%), Brazil (19%), the UK (18%) and the US (18%). India is again in the lead for app scanning (24%), trailed by China (22%), Brazil (21%), Canada (19%), the US (18%), Germany (16%), and the UK (13%).
The business community’s growing appetite for WAF is further echoed in F5’s 2018 State of Application Delivery report, which revealed that 61% of surveyed global businesses currently use WAFs to protect applications – a trend largely driven by soaring multi-cloud usage.
“These new findings clearly show the growing importance of WAFs as more and more organisations are realising that relying on secure coding alone just isn’t enough,” said David Warburton.
“Uptake of Advanced WAF technology (AWAF) is now accelerating across the world, particularly as companies adapt to the potential of the multi-cloud. Unlike standard WAFs, an AWAF solution is proactive in its defenses and can manage traffic by smartly delineating between automated bots and actual human visitors. This is hugely beneficial. It reduces workloads and, therefore, costs in the cloud and it also generates incisive, actionable data to drive smarter, faster, and safer operations,” added Warburton.
The Ponemon Institute also reported that DDoS mitigation and backup technologies are the most widely used technologies to achieve high web application availability. German and Brazilian respondents were the strongest DDoS mitigation advocates (both 64%), edging out the US (62%), the UK (60%) and China (60%). Backup technologies are most popular in Canada (76%), the UK (74%), and Germany (73%).
Another of the report’s emerging trends is the growing importance of transport layer encryption. Here, the percentage of web applications using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology is highest in the UK, India, and Canada (all 66%). The US and Germany are hot on their heels with 65% followed by Brazil (64%) and China (46%).
Storage encryption is also seen as a critical defensive tool. Germany leads the way in this respect, with 50% of businesses claiming to use the technology “most of the time” ahead of Canada (44%), the US (40%) and the UK (39%).
Safeguarding the future
“A company’s reputation depends on a comprehensive security architecture. Firms across the globe can no longer rely on traditional IT infrastructures because technological innovation and malicious hackers continue to move at an unprecedented speed. Traditional, signature-based WAFs just can’t cope with advanced threats. Technologies such as bot protection, application-layer encryption, API security, and behavior analytics, as we see in Advanced WAFs, are now essential to defend against attacks. Thanks to automated tools with enhanced machine learning, businesses can start to detect and mitigate cybercrime with the highest level of accuracy yet,” said Warburton.