Application Security: Our Takeaways From the Cybersecurity Insiders Report
Nov 1, '18 by Joerg Schneider-Simon
Our friends at Cybersecurity Insiders recently released their 2018 Application Security Report, which contains some eyebrow-raising results. For example, only 62 percent of respondents feel (at best) moderately confident in their organization’s application security posture.
Not an ideal situation, to put it mildly.
What are the other noteworthy results, especially for organizations using SAP applications? After reviewing the report, we put together the top takeaways that SAP managers (and any IS professional charged with SAP cybersecurity) should focus on.
The Skills Shortage Is a Crisis
We’ve spoken before about the cybersecurity skills shortage (and how that shortage is even more acute when it comes to finding SAP cybersecurity professionals). In the CI report, we’re hearing from the front lines: 37 percent of respondents say that a lack of skilled personnel is inhibiting their organization from adequately defending against cyberthreats. It’s closely followed by lack of budget, at 35 percent, and then lack of management support/awareness, at 33 percent.
These are not technical issues; they are leadership issues:
- Those in charge of organizational budget decisions tend to woefully underestimate the resources needed for adequate cybersecurity.
- Companies are unwilling to train promising but uncredentialed newcomers, forcing young talent that cannot afford a bachelor’s degree to forgo the field altogether.
- Due to chronic understaffing, IS teams are grossly overworked, leading many experts (particularly those with family obligations) to start looking elsewhere.
Certain Applications Are Particularly Vulnerable
Not all applications are created equal, and not all of them face the same security risk. When asked “Which types of applications present the highest security risk to your business?” 41 percent of respondents mentioned customer-facing web applications. These applications are particularly vulnerable to threats like cross-site scripting or SQL and OS injection attacks, where cyberattackers insert malicious code into user-input fields. In fact, over 50 percent of the 3000+ security notes that SAP has published to date concern vulnerabilities that users can exploit when entering information.
Another identified vulnerability? Business applications like ERP systems and supply chain management, which was mentioned by 28 percent of respondents. These systems often rely on content being uploaded and shared between internal offices and external partners. This makes them particularly vulnerable to content-based attacks, like malware hiding in PDF or MS Office documents. In addition, the cybersecurity practices of these external partners may not be quite up to par, making it easy for cybercriminals to steal login credentials and access their bigger target’s SAP system.
Malware Is a Constant Threat
While there are a wide range of possible cyberattacks that can be leveled against applications, malware remains the most widely used, affecting the organizations of 31 percent of the respondents in the last 12 months.
To combat malware, organizations typically install an OS-level antivirus solution. Unfortunately, these solutions are ineffective at protecting SAP systems — a fact many companies are unaware of. Because data uploaded to SAP travels over an encrypted connection and is stored in a separate database or repository rather than on the filesystem, OS-level antivirus programs never have the opportunity to scan the files, allowing malware to remain tucked away until it’s used in a process.
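Because the stored content never touches a filesystem that an OS-level scanner watches, the check has to happen in the upload path itself. As an added example (not SAP’s code or anything from the Cybersecurity Insiders report), here is a Python upload gate that verifies the declared type against the file’s leading bytes, rejects Office (OOXML) documents that carry a VBA macro project, and hands the blob to a scanner hook before it is persisted; the `inspect_upload`, `make_office_doc` and `hash_scanner` names, the sample documents and the hash denylist are all constructed for illustration.

```python
import hashlib
import io
import zipfile

# Leading bytes of the formats the document store is willing to accept.
PDF_MAGIC = b"%PDF-"
ZIP_MAGIC = b"PK\x03\x04"            # OOXML (docx/xlsx) is a ZIP container
ALLOWED_TYPES = {"pdf": PDF_MAGIC, "docx": ZIP_MAGIC, "xlsx": ZIP_MAGIC}

def inspect_upload(filename, data, scanner=None):
    """Return (accepted, reason) for an uploaded blob before it is stored.
    `scanner` is an optional hook callable(bytes) -> bool (True = malicious);
    in production this is where an AV engine reachable from the application tier goes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        return False, "file type not allowed"
    if not data.startswith(magic):
        return False, "content does not match declared type"   # e.g. an EXE renamed to .pdf
    if magic == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return False, "malformed Office container"
        if any(n.endswith("vbaproject.bin") for n in names):
            return False, "Office document contains a VBA macro project"
    if scanner is not None and scanner(data):
        return False, "scanner flagged content"
    return True, "accepted"

# --- constructed sample inputs and a stand-in scanner (no real malware involved) ---
def make_office_doc(with_macro):
    """Build a minimal OOXML-style ZIP; the macro variant adds word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

KNOWN_BAD_PDF = b"%PDF-1.4 constructed-bad-sample"
DENYLIST = {hashlib.sha256(KNOWN_BAD_PDF).hexdigest()}   # constructed hash denylist

def hash_scanner(data):
    """Minimal scanner hook: flag content whose SHA-256 is on the denylist."""
    return hashlib.sha256(data).hexdigest() in DENYLIST
```

The same gate applies to content arriving from external partners, which the report singles out as a weak link: the decision is made on what the bytes are, not on who sent them or what the extension claims.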
Companies Are Trying to Shore up Their Defenses
While upper-level executives may not fully recognize today’s precarious cybersecurity environment, the “boots on the ground” are suffering from no such illusions. 53 percent of the study’s respondents indicate that they do not have enough resources to detect and remediate vulnerabilities in applications in a timely manner. This is no surprise, given the lack of budget, support, and personnel facing most cybersecurity teams.
Fortunately, there is good news on the horizon. Half of the respondents say their application security budget will increase over the next 12 months, signaling a welcome change in how organizations are prioritizing their cybersecurity. It’s not a big increase — most of the increases will be by less than 15 percent — but it’s a step in the right direction.
To help make up for the lack of resources, many Information Security teams are looking outside their own doors, turning to managed services or outsourcing for their application security. Their standards for application security tools are justifiably high, given the stakes: 54 percent want ease of integration, with pricing, scalability, accuracy, and ease of use rounding out the top five.
Business applications, particularly those offered by SAP, are an indispensable component to many organizations’ operations. As Cybersecurity Insiders has made clear, because these applications are so mission-critical, it is vital to acknowledge the threats they face and to commit the resources needed to protect them.