There are a number of measures organizations can and should take to help reduce the risk of cybersecurity attacks and data breaches. Unfortunately, about a third of organizations say they are largely unprepared for such attacks, according to eSecurity Planet's newly released 2019 State of IT Security survey.
The survey asked about specific threats and how well organizations are prepared to defend against them.
Among the most common and pervasive vulnerabilities found in applications is SQL injection, which can potentially lead to remote code execution and data breaches. Across organizations of all sizes, over a quarter of respondents (26.8 percent) said they have doubts about their defenses against SQL injection attacks.
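To make the SQL injection point concrete, here is a short added example (not code from the article or from eSecurity Planet) that places the vulnerable string-concatenation pattern beside its parameterized replacement, using an in-memory SQLite table of constructed sample users. The table contents, function names and the lookup query are all assumptions made for the illustration; the defensive lesson is that a bound parameter is always treated as a literal value, so the query's structure cannot be changed by whatever the caller supplies.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
# None of this comes from the survey article.
SAMPLE_USERS = [
    ("alice", "alice@example.com", "user"),
    ("bob", "bob@example.com", "user"),
    ("carol", "carol@example.com", "admin"),
]


def make_db():
    """Create an in-memory SQLite database populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable pattern: caller-supplied text is spliced into the SQL.

    Any quote character in `name` ends the string literal and the rest of
    the input becomes part of the query's logic.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: the SQL text is fixed and the driver binds the value.

    The database receives the structure and the data separately, so the
    input is compared as a literal no matter what characters it contains.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh database; return (vulnerable, hardened)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed name returns the same single row from both functions.
    print(compare("alice"))
    # A name containing a quote shows the two patterns diverging: the
    # concatenated query's WHERE clause is rewritten, the bound one is not.
    print(compare("' OR '1'='1"))
```

Code review and static analysis tooling can flag the first pattern (string building around SQL keywords) as a finding to fix before a penetration test ever reaches it.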
Advanced persistent threats (APTs) are one of the most damaging cyberattacks, with attackers residing within an organization’s network for some time searching for high-value targets such as sensitive data stores and trade secrets. Organizations are least confident about their ability to handle such attacks, with 37.5 percent doubting their preparedness for APTs, the highest in the survey.
In recent years, ransomware attacks have become a challenge for many organizations. Just under 30 percent of respondents doubt their preparedness for ransomware threats.
Insider threats (34 percent) and DDoS attacks (32 percent) are two other areas where organizations are concerned about their readiness.
Companies come up short in security testing
One of the most important activities that organizations can do to prepare for potential cyberattacks is to conduct penetration testing exercises. Regular penetration testing is so important for preparedness that it's a requirement (R11) in the Payment Card Industry Data Security Standard (PCI-DSS). In a penetration test, IT security professionals attempt to bypass or "penetrate" the defenses of an organization to see which vulnerabilities or misconfigurations are present.
Across organizations of all sizes, 21 percent reported that they conduct penetration testing infrequently, and 18 percent say they never conduct penetration testing. That’s 39 percent of companies neglecting a critical IT security exercise.
Penetration testing isn't the only type of exercise that can be used to help an organization with security readiness. The 2019 State of IT Security survey also asked how often organizations make use of breach and attack simulation (BAS) software to help gauge an organization's defenses and response capabilities. Use of BAS was even lower than penetration testing, with 25.9 percent of respondents reporting that they use BAS very infrequently, and 22.3 percent saying they never use the technology. Threat hunting is another important IT security exercise, in which organizations actively seek out threats that might already be present in their environment, yet half of organizations never do it or do it only infrequently.
Security preparedness favors large organizations
Overall security readiness favors larger organizations, the survey found. For organizations with 10,000 or more employees, 15 percent indicated that they infrequently or never do penetration testing. Across organizations with fewer than 100 employees, 60 percent of respondents indicated that they don't do penetration testing frequently, if ever.
Larger organizations were also more actively engaged in threat hunting, with 51 percent engaged in threat hunting once a year or more frequently. That number drops to 40 percent for organizations of 100 employees or fewer.
The differences in company size were more pronounced in overall security preparedness, with small companies overwhelmingly less likely to feel prepared than large organizations. Small IT companies are the exception, with most very confident in their security defenses. Heavily regulated companies such as those in financial services and healthcare are also far more likely to report strong security and compliance preparedness.
Lessons for IT security teams
Being prepared for cybersecurity threats isn't just the domain of large companies; it's something that should concern companies of all sizes. When it comes to security vulnerabilities, hackers are often just automatically scanning wide swaths of the internet, regardless of the size of the organizations they hit.
To help improve cybersecurity preparedness, the 2019 State of IT Security survey identified several gaps that organizations should focus on.
Regularly engage in vulnerability testing
Whether through penetration testing exercises conducted by an internal team or an external provider, or through breach and attack simulation technology, organizations of all sizes should invest in frequent, if not continuous, vulnerability testing.
Threat hunting is for everyone
The unfortunate reality about the modern IT cybersecurity landscape is that some attacks will get through an organization’s defenses. But just because an attack was able to get into an organization doesn’t mean that the attack should persist. With regular threat hunting, organizations can identify risks faster.
Review preparedness regularly
Being prepared shouldn’t be a snapshot of a single point in time. Regular review of technologies, processes and deployments is a core element of continually ensuring that an organization is better prepared for cyber threats.