Key security vulnerabilities being ignored

This week, we report on two disturbing pieces of news. The first is the theft of a laptop containing data on 800,000 American doctors. We also report the stunning news that PayChoice, a large provider of payroll processing services, has shut down its online portal because of a security breach for a second time this month.

Day after day, company computer networks are hit with spam, viruses, and phishing attacks. Some of these attacks are disasters; others are merely inconvenient, slowing down systems or requiring a lot of overtime from the IT department to set things right.

Security problems will never go away, the bad guys will always try to stay one step ahead, and businesses make different spending choices that sometimes end up costing them more money and causing big headaches. But even the companies taking action to protect themselves may not be taking the right actions.

In a recent interview with Govinfosecurity.com, Alan Paller, director of research and a security expert with the SANS Institute, offered some insight into the problem and shared some advice for businesses. Paller said organizations are generally doing a good job of protecting their operating systems, but many companies are leaving their critical applications exposed to dangerous cyber threats.

"The key message is that the attackers have concentrated their weapons and their activities on a couple of vulnerability sets that the user organizations are not fixing, meaning the users are focusing their attention in a different direction, the attackers have found that and they are exploiting it at enormous rates and having unreasonable success...," Paller told Govinfosecurity.com.

He said vulnerabilities in applications are not being patched quickly. The result is that intruders no longer go after operating systems like Windows and Unix but instead attack Microsoft Office, Adobe products, QuickTime and other applications.

Paller also said that many enterprises have their websites scanned for vulnerabilities, but not the applications running on those sites.

"You can't allow the application vulnerabilities to last the way they are lasting," he said. "On average, the average operating system gets 80 percent of its patches installed within a few weeks. In the average applications, they aren't patched; only about 20 percent of them are patched within six or eight weeks."

Businesses should heed Paller's advice. It may be time for companies to examine whether they are spending their money wisely or doing enough to protect their computer systems from attack. There is no panacea, but there are steps that can provide increased safety. - Judi