According to the 2009 Verizon Business Data Breach Investigations Report released Wednesday April 15th, more electronic records were breached in 2008 than in the previous four years combined, mainly by outsiders targeting financial services and retail firms. The most disturbing portion of the study, though, is the part that reports that despite widespread concern over desktops, mobile devices, and portable media, 99 percent of all breached records were compromised from servers and applications.

Couple this with three disturbing facts from the recently released Computing Technology Industry Association (CompTIA) study and you’ve got a pathetic mix of mis-focused spending and awareness:

1. The average severity of a breach in 2008 was ranked as 5.6 on a ten-point scale, up from 5.3 in 2007 and 4.8 in 2006.
2. Most organizations are holding steady or increasing their security spending.
3. Even though the severity of breaches is on the increase, most organizations continue to rely on traditional tools, such as firewalls and antivirus suites, as their primary defense against them.

Being a curmudgeon, I’m naturally caustic… but when I see the same mistakes being made over and over again, I get downright depressed. How long have we, as an industry, been lamenting the fact that application security is the biggest culprit in security breaches, a veritable greenfield for attackers both internal and external? Yet we do little to address the problem.

Last May, yours truly delivered a webcast on the Application Security Maturity (ASM) Model which introduced the results of a 10-year study. The study shows where organizations get stuck, where the best ROIs are (it’s in people and process and not in tools, btw) and provides the basis of a roadmap forward. I’m speaking on the same topic next week at RSA Con… and I’m bewildered at how little has changed in the past 2 years since I first spoke on the topic.