Shweta Sharma
Senior Writer

Well-funded security systems fail to prevent cyberattacks in US and Europe: Report

News
Feb 28, 2023
4 mins
Cyberattacks

Persistent attacks, despite bulging security funds and multilayered protections, call for more frequent penetration testing.

Multilayered, well-funded cybersecurity systems are unable to protect enterprises in the US and Europe from cyberattacks, according to a report by automated security validation firm Pentera.

The report, based on a survey of 300 CIOs, CISOs and other security executives about their current IT and security budgets and their cybersecurity validation practices, noted that the financial slowdown has had minimal impact on cybersecurity budgets.

“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” Aviv Cohen, chief marketing officer of Pentera, said in a press note. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”

Pentesting, short for penetration testing, is the practice of testing computer systems, networks or web applications to identify vulnerabilities that an attacker could exploit. It is carried out by simulating an attack on the system or application in a controlled environment to uncover security weaknesses and provide recommendations for remediation.

Defense-in-depth approach is not enough

On average, the survey found, companies had deployed nearly 44 security solutions each, suggesting they follow a defense-in-depth (also called security-in-depth) approach that layers multiple security controls to give critical assets the strongest possible protection. Yet despite this substantial number of measures, 88% of organizations acknowledged experiencing a cybersecurity incident within the last two years.

The numbers are consistent with the observations of other experts.

“Defense-in-depth is not just about prevention; detecting and responding to attacks are part of the strategy as well,” said Erik Nost, a Forrester analyst. “In fact, it is likely that these organizations’ defense-in-depth strategies are what detected these breaches and mitigated their impact. The reality is that organizations have sprawling attack surfaces, some of which they don’t know about. Assessing attack surfaces for vulnerabilities and exposures can lead to lengthy findings, which then need prioritizing and time to remediate.”

The report noted that the slowing world economy may not affect cybersecurity budgets in 2023: according to the survey, 92% of organizations have increased their IT security budgets, and 85% have increased their pentesting budgets.

“While greater emphasis on validation of the entire security stack must be put in by the CISOs, I’m encouraged to see security teams are getting the budgets they need to protect their organizations,” Chen Tene, vice president of Customer Operations at Pentera, said in a press note.

Security validation among the top pentesting drivers

Although the initial need for pentesting was driven by regulatory demands, the key reasons for conducting it were found to be security validation, assessment of potential damage, and cybersecurity insurance, according to the report.

Only 22% of respondents considered compliance as their primary motivation for pentesting, indicating regulatory or executive mandates are not the primary driving force behind the practice.

“While in our 2020 survey, regulatory compliance was the second most common answer among CISOs, today it has dropped all the way to the bottom,” Cohen said. “This is a positive shift showcasing how security executives aren’t waiting for regulations to mandate further action.”

Cybersecurity insurance policies emerged as another prominent driver for pentesting amid the pandemic-induced surge in cyberattacks, with 36% of survey participants identifying insurance as their primary reason for conducting pentesting. This contrasts with the 2020 findings, in which only 2% named cybersecurity insurance as their top driver.

“Sometimes an initial push from a regulator or governing body is what some organizations need to get a buy-in to make a change,” Nost said. “But as security solutions, technology, and threats evolve, it is unlikely that regulatory requirements will be able to evolve with it to maintain relevancy.”

The report found that 82% of companies already conduct pentesting in some form. The main obstacle to wider adoption, however, is concern about business continuity: both companies that currently conduct pentesting and those that do not identify the risk to business continuity as their primary concern when contemplating more frequent pentesting.

About 45% of participants who already conduct pentesting, whether manual or automated, said that the risk to business application or network availability prevented them from increasing its frequency; that figure rose to 56% among those who did not conduct pentesting assessments at all.

Shweta Sharma is a senior journalist covering enterprise information security and digital ledger technologies for IDG’s CSO Online, Computerworld, and other enterprise sites.