Persistent attacks, despite bulging security funds and multilayered protections, call for more frequent penetration testing.

Multilayered, well-funded cybersecurity systems are unable to protect enterprises in the US and Europe from cyberattacks, according to a report by automated security validation firm Pentera.

The report, based on a survey of 300 CIOs, CISOs and security executives about their current IT and security budgets and cybersecurity validation practices, noted that the financial slowdown has had a minimal impact on cybersecurity budgets.

“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” Aviv Cohen, chief marketing officer of Pentera, said in a press note. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”

Pentesting, also known as penetration testing, is the practice of testing computer systems, networks, or web applications to identify vulnerabilities that an attacker could exploit. It is carried out by simulating an attack on a system or application in a controlled environment to uncover security weaknesses and provide recommendations for remediation.

Defense-in-depth approach is not enough

On average, the survey found, companies had deployed nearly 44 security solutions, suggesting that they follow a defense-in-depth (also called security-in-depth) approach, which layers multiple security solutions to offer maximum protection to critical assets. However, despite having a substantial number of security measures in place, 88% of organizations acknowledge experiencing a cybersecurity incident within the last two years.

The numbers are consistent with the observations of other experts.
“Defense-in-depth is not just about prevention; detecting and responding to attacks are part of the strategy as well,” said Erik Nost, a Forrester analyst. “In fact, it is likely that these organizations’ defense-in-depth strategies are what detected these breaches and mitigated their impact. The reality is that organizations have sprawling attack surfaces, some of which they don’t know about. Assessing attack surfaces for vulnerabilities and exposures can lead to lengthy findings, which then need prioritizing and time to remediate.”

The report noted that a slowed-down world economy may not affect cybersecurity budgets in 2023. As per the survey, 92% of organizations have increased their IT security budgets, and 85% have increased their budget for pentesting.

“While greater emphasis on validation of the entire security stack must be put in by the CISOs, I’m encouraged to see security teams are getting the budgets they need to protect their organizations,” Chen Tene, vice president of Customer Operations at Pentera, said in a press note.

Security validation among the top pentesting drivers

Although the initial need for pentesting was driven by regulatory demands, the key reasons for conducting it were found to be security validation, assessment of potential damage, and cybersecurity insurance, according to the report.

Only 22% of respondents considered compliance their primary motivation for pentesting, indicating that regulatory or executive mandates are not the main driving force behind the practice.

“While in our 2020 survey, regulatory compliance was the second most common answer among CISOs, today it has dropped all the way to the bottom,” Cohen said.
“This is a positive shift showcasing how security executives aren’t waiting for regulations to mandate further action.”

Cybersecurity insurance policies emerged as another prominent driver for pentesting amid the pandemic-induced surge in cyberattacks, with 36% of survey participants identifying it as their primary reason for conducting pentesting. This contrasts with the 2020 findings, when only 2% considered cybersecurity insurance their top driver for pentesting.

“Sometimes an initial push from a regulator or governing body is what some organizations need to get a buy-in to make a change,” Nost said. “But as security solutions, technology, and threats evolve, it is unlikely that regulatory requirements will be able to evolve with it to maintain relevancy.”

The report found that 82% of companies already implement pentesting in some way. However, the main obstacle to wider adoption of the practice is apprehension about business continuity. Companies that currently conduct pentesting and those that do not both identify the risk to business continuity as their primary concern when contemplating increasing the frequency of pentesting.

About 45% of participants who already conducted pentesting, whether manual or automated, said that the risk to business application or network availability prevented them from increasing the pentesting frequency, and this number rose to 56% among those who didn’t conduct pentesting assessments at all.