Cyber leaders say penetration testing is not foolproof

  • published date: 2021-05-04 00:00:00 UTC


<div class="body gsd-paywall article-body"><p>Research shows that while organizations invest significantly and rely heavily on penetration testing for security, the widely used approach doesn’t accurately measure their overall security posture or breach readiness — the top two stated goals among security and IT professionals. The research, conducted by Informa Tech and commissioned by CyCognito, surveyed enterprises with 3,000 or more employees and found that 70% of organizations perform penetration tests as a way to measure their security posture and 69% to prevent breaches, yet only 38% test more than half of their attack surface annually.</p><p>Many organizations conduct penetration tests to detect and mitigate threats yet remain dangerously vulnerable. CyCognito’s research shows that when organizations rely on penetration testing as their security practice, they lack visibility over their Internet-exposed assets, leaving blind spots that are vulnerable to exploitation and compromise.
Just as locking the front door of a house but leaving the back door and windows unlocked creates an attractive target, attackers will naturally focus on the IT assets that organizations leave untested.</p> <p><strong>Key findings include:</strong></p><ul> <li>It’s common for organizations with 3,000 employees or more to have upwards of 10,000 internet-connected assets; however, <strong>36%</strong> of survey respondents said that only 100 or fewer assets are covered by pen tests, and <strong>58%</strong> said 1,000 or fewer assets are covered by pen tests.</li> <li><strong>60%</strong> report that they are concerned pen testing gives them limited coverage or leaves them with too many blind spots.</li> <li><strong>47%</strong> say that pen testing detects only known assets and not new or unknown ones.</li> <li><strong>45%</strong> of respondents conduct pen tests only once or twice per year and <strong>27%</strong> do it once per quarter, which is woefully inadequate given the fast pace of threat evolution and how quickly infrastructure and applications change.</li> <li><strong>79%</strong> believe that pen tests are costly; <strong>78%</strong> would use pen tests on more apps if the costs were lower.</li> <li>It takes <strong>71%</strong> of respondents anywhere from one week to one month to conduct a penetration test. Then, <strong>more than 26%</strong> have to wait one to two weeks to get test results, and <strong>13%</strong> wait even longer than that.</li> </ul> </div>