Ponemon notes that this misalignment in the allocation of security budget may be a result of old-think in the security profession.
"Older security professionals have done most of their training around network security and the perimeter," Ponemon says. "That's what they know."
More Than IT Is to Blame
Steve Durbin, global vice president of the Information Security Forum (ISF), a nonprofit association that assesses security and risk management issues on behalf of its members, says the business and the board of directors must bear some of the responsibility.
"We have always been concerned about the perimeter," Durbin says. "It's an easier message for the board or the risk management committee to understand. Increasingly, we are seeing the question being asked around cybersecurity: 'How protected are we?' The easy answer is that our perimeter is secure."
"The pursuit of 100 percent security is just folly," Durbin says. "It's a fool's goal. You have to assume that even though you're doing your best, you're going to be breached at some point in time. That is not a palatable message to deliver to the board."
And that often leads security professionals to focus on initiatives that appeal to the board rather than on efforts to mitigate the damage when breaches do occur.
Simple Advice: Follow the Database
Only one-third of respondents in the survey said they monitor for active databases continuously or daily. Many scan for active databases irregularly (25 percent) or don't bother scanning at all (22 percent). Only 48 percent of respondents said they test or validate third-party software to make sure it's not vulnerable to SQL injection. And while 44 percent of respondents said they do use professional penetration testers to identify vulnerabilities in their IT systems, 65 percent of that group said the penetration tests do not include testing for SQL injection vulnerabilities.
"It's well-known that database breaches, including these high-profile attacks against retailers, are devastating to merchants in terms of lost sales and damage to their reputation," says Brett Helm, chairman and CEO of DB Networks. "This study sheds additional light on the likely attack chain so that all retailers can now be more prepared in the future."