Despite widespread and highly publicized security breaches, most companies still fail to require necessary security controls for accessing enterprise applications, including those applications behind the corporate firewall.
A Vidder and King Research survey of more than 400 InfoSec professionals revealed 63 percent of respondents said that 10 percent or more of their enterprise applications are behind the corporate firewall and are accessed by non-employees.
"Although our survey respondents indicated that stringent access controls are highly useful, their execution in this regard is still lagging," Ross King, principal analyst of King Research, told eWEEK. "We know this because when we asked these InfoSec professionals about the authentication methods they use to provide access to enterprise applications, the most frequently mentioned method they use is simple passwords."
The respondents also said their top security concerns, on a scale of 1 to 10, are server vulnerabilities (7.6%); phishing (7.3%); server misconfigurations (7.3%), and denial of service attacks (6.9%).
While multi-factor identification (MFA) was indicated as a highly useful solution, 60 percent of those surveyed said their organizations do not require MFA for non-employees to access enterprise applications.
"We feel that so few people use MFA because when it comes to the fobs, it’s just one more thing you need to worry about and carry," King said. "So for the users the issue is convenience." He explained that on the IT side, they experience the complexity of having to manage MFA not just for their employees’ access but also for every kind of external partner, contractor, and so on."
He noted to increase adoption of more stringent security controls, MFA solutions need to be easy to manage for IT without having any impact on user experience.
"This is the reason why so many organizations do not use sufficient MFA, and why the research findings reveal that characteristics of software-defined perimeter are seen as highly useful due to its transparent multifactor authentication," he explained.
In addition, while 57 percent of respondents’ organizations allow bring your own device (BYOD) for access to enterprise applications, 42 percent do not require non-employees to adhere to the corporate BYOD policies.
"Organizations will continue to struggle with application security in the future. Applications hosted on the Internet are constantly being scanned for vulnerabilities and misconfigurations, and new vulnerabilities are being exposed every week," Anna Luo, senior director of marketing at Vidder, told eWEEK. "Because of this, applications will continue to be compromised. And, this may even be truer of applications hosted inside the enterprise perimeter where applications are considered to be safer, but where phishing attacks render them almost as exposed as servers on the Internet."