Enterprises not doing enough to secure their business-critical applications
4 April 2019
Nearly 70 percent of enterprises are not taking sufficient steps to secure their business-critical applications against emerging cyber threats even though a breach of such applications could have a major impact on productivity and could cost a lot of time and money to mitigate.
Business-critical applications, such as enterprise resource planning (ERP) or customer relationship management (CRM) applications, are vital tools for enterprises, so much so that they are used at all times and by multiple departments at the same time, either for operational reasons or for communicating with vendors, supply-chain firms, or customers.
According to Analysing Business, the failure of business-critical applications may result in serious financial costs, legal loss, customer dissatisfaction, and loss in productivity. Depending on the sector an enterprise serves, an airline reservation system or a bank’s transaction process could be tagged as business-critical applications.
IT teams not prioritising the security of business-critical applications
However, despite how much enterprises depend on them, IT security teams at nearly 70 percent of enterprises in Western Europe are not prioritising the protection of their business-critical applications. This was revealed in a CyberArk survey of 1,450 business and IT decision makers, primarily from Western European economies. The lack of emphasis persists despite the fact that 61% of IT decision makers agree that the failure of a business-critical application could have a severe impact on an organisation’s productivity.
“From banking systems and R&D to customer service and supply chain, all businesses in all verticals run on critical applications. Accessing and disrupting these applications is a primary target for attackers due to their day-to-day operational importance and the wealth of information that resides in them – whether they are on-premises or in the cloud,” said David Higgins, EMEA technical director at CyberArk.
CyberArk found that 72 percent of IT decision makers at enterprises are confident of effectively stopping all data security attacks or breaches at the perimeter even though 56 percent of organisations have experienced data loss, integrity issues or service disruptions affecting business-critical applications in the previous two years.
This misplaced confidence in their detection and prevention tools and perimeter security solutions could result in significant disruption and could even halt business operations in the aftermath of a successful cyber attack as security strategies are not focussed on what is most important to organisations, the firm noted.
It also observed that considering 74 percent of organisations have either shifted their business-critical applications to the cloud or are planning to do so in the next two years, a risk-prioritised approach to protecting these assets is necessary for this transition to be managed successfully.
“CISOs must take a prioritised, risk-based approach that applies the most rigorous protection to these applications, securing in particular privileged access to them and assuring that, regardless of what attacks penetrate the perimeter, they continue to run uncompromised,” Higgins added.
Focus on DevSecOps a must to secure enterprise applications
Earlier this month, a survey carried out by Claranet revealed that even though 88% of enterprises based in the UK have either adopted a DevOps approach or are planning to do so in the next two years, less than 20% of enterprises are confident of integrating security into their entire DevOps lifecycle, which is essentially the move from DevOps to DevSecOps.
The inability of enterprises to embed DevSecOps in their on-premise and cloud environments could result in major security vulnerabilities in their applications due to prevailing weaknesses in IT infrastructure, cloud applications, IoT environments, and endpoint security solutions.
“Given the frequent development cycles that are an inherent characteristic of DevOps, seeing security as a separate entity can slow processes down and reduce efficiency, which either compromises the agility which is so central to any DevOps philosophy, or leads to windows where vulnerabilities can be released and won’t be spotted until the next security testing cycle,” said Sumit (Sid) Siddarth, Director at NotSoSecure.
To remedy this, Siddarth said that enterprises should prioritise the training of staff throughout the IT department, should adopt new approaches to security testing, and should carry out continuous monitoring and analytics throughout the DevOps lifecycle, whether this be in planning, coding, pre-production or decommissioning. To do this, businesses should be willing to enlist the expertise of third parties who are well-versed in meeting the DevSecOps challenge.