Despite Cybersecurity Investments, Breaches Increasing

A survey of 300 CIOs, CISOs and security executives from enterprises in Europe and the U.S. that have more than 1,000 employees found 88% of organizations have been breached in the past two years. This is despite the fact that, on average, they have 44 security solutions in place. Nearly half of the respondents (45%) have been breached in the last 12 months.

Conducted by Surveyz Research on behalf of Pentera, a provider of an automated platform for validating cybersecurity controls, the survey published today also found that only 6% of respondents said their organization has fewer than 10 security tools and platforms in place.

On average, the number of platforms is also likely to increase despite a downturn in the global economy. A full 92% of respondents expect IT security budgets to increase in 2023, with the average amount of budget specifically allocated to penetration testing being $208,224.

Chen Tene, vice president of customer operations for Pentera, said more organizations are employing penetration testing to better understand how cyberattackers view their IT environments. Armed with those insights, it then becomes possible to apply cybersecurity controls more effectively, he noted.

The challenge is that a modern IT environment is highly dynamic, so there must be a means to automate continuous penetration tests, said Tene. Otherwise, each change to an IT environment could potentially create another attack vector for cybercriminals to exploit, he added.

Most organizations can’t hire and retain enough cybersecurity professionals to manually conduct those tests, so the only way to keep pace is to rely more on automation, Tene added.

Organizations, of course, have been relying on external service providers to conduct and report on penetration testing for years. Most of those reports, however, are out of date once the next update is made to an IT environment. In some cases, organizations make multiple code updates to their IT environments daily. The days when penetration testing was used primarily to achieve compliance with mandates have given way as organizations more proactively look for ways to lock down their IT environments, noted Tene.

It’s not clear whether organizations are actually acting on the results of the penetration tests they conduct, but as attacks continue to grow in volume and sophistication, there is a clear need to better understand the attack vectors used.

Cybercriminals typically employ a range of techniques and tactics that differ based on the types of platforms found in an IT environment. Most enterprise IT organizations have a range of platforms that are often complex to provision and manage, so the probability a cybersecurity mistake will be made is high.

There may never be such a thing as perfect security, but it’s clear a lot more could be done to address fundamental issues that often make it easier for cybercriminals to succeed. The issue, of course, is that there’s only so much time in a day for the small number of cybersecurity professionals to determine which attack vectors represent the highest level of risk to an organization.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
