Infosecurity Europe 2010: Ponemon study shows business websites open to attack

The study - carried out by the Ponemon Institute and sponsored by Imperva and WhiteHat Security - found that, despite the potential seriousness of the issue, firms are only allocating 18% of their IT security budgets to protect their sites.

Delving into the report - entitled 'The State of Application Security' - reveals that most businesses, despite having numerous mission-critical applications accessible via their websites, are failing to allocate sufficient financial and technical resources to secure and protect their web applications.

Commenting on the findings, Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said that it confirms the overwhelming value of taking a strategic and prescriptive posture to the many challenges that organisations face in protecting their data.

"Sadly, too many organisations remain paralysed by the false notion that security is too complex a challenge. This study shows otherwise; there's no excuse for failing to make progress toward better security", he said.

Over at WhiteHat Security, Jeremiah Grossman, the firm's chief technology officer, said that most of the largest and recent data breaches to date have been a result of attacks against web applications.

"To address today's real cyber threats, companies must shift their security strategy - and budgets - from being predominately infrastructure-based and prioritise the data and applications directly", he said.

The report, which took in responses from more than 600 IT professionals on both sides of the Atlantic, says that, whilst only 18% of IT security budgets are allocated to address the problem, a hefty 43% of budgets are being allocated to network and host security, even though these areas are those that respondents felt are of least concern.

Interestingly, the study found that 61% of respondents said they have up to 100 public-facing web applications that transact or access millions of customer records.

And yet, researchers found that most organisations have not made application security a high priority.

The survey also found that the vast majority of developers are too busy to respond to website security issues.

The recommendations of the report are that businesses cannot secure what they do not own and should therefore inventory their applications to gain visibility into what data is at risk and where attackers can exploit the money or data transacted.

Businesses are also advised to designate someone who can own and drive data security and is strongly empowered to direct numerous teams for support.

Firms are also advised not to wait for developers to take charge of security. They should deploy shielding technologies to mitigate the risk of vulnerable applications.

The final recommendation of the report, a copy of which can be downloaded here, is that businesses should shift some of their IT security budget from infrastructure over to application security.

With the proper resource allocation, the report notes, corporate risk can be dramatically reduced.

 
