
Corporates defend against the wrong threats

16 September 2009



SANS Institute warning


Enterprises are looking at the wrong sort of security threats and are leaving their organizations wide open to Web and client-side attacks, according to a new insecurity report. The SANS Institute said that most organizations are focusing their patching efforts and vulnerability scanning on the operating system.

However, it points out that 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications, such as Microsoft Office and Adobe Flash, according to actual attack data gathered for the report. To make matters worse, enterprises are taking twice as long to patch their applications as to patch their OSes, the report says.

The SANS report is a compilation of data and analysis from multiple sources, including the SANS Internet Storm Center. It includes attack data from 6,000 organisations running TippingPoint IPS systems, and vulnerability data from 9 million systems. Corporates seem to ignore SQL injection and cross-site scripting (XSS).

Enterprises are patching OS vulnerabilities twice as quickly as they are patching vulnerabilities in Office and other applications, according to the report. SANS says that organisations need to reprioritise their patching and scanning efforts.