Canadian Underwriter
Fifth of surveyed U.S. businesses have not done any recent security testing for vulnerabilities
September 15, 2016   by Canadian Underwriter
About a fifth of surveyed businesses south of the border admit not having done any security testing for at least six months despite the lion’s share of respondents also reporting their organizations have encountered at least one security issue, notes a report issued Wednesday by Osterman Research, Inc. and Trustwave.

Many of the polled businesses in the U.S. fail to conduct frequent security testing despite believing it is critically important to securing systems and data, states Security Testing Practices and Priorities: An Osterman Research Survey Report.

The report – which explores top trends in security testing and vulnerability management – is based on an Osterman Research survey of 126 security professionals, members of a company survey panel, with knowledge about or responsibility for security testing within their organizations.

Carried out in July and commissioned by managed security services provider Trustwave, the survey has a margin of error of +/- 8.7.

While 95% of respondents reported encountering one of the dozen common security issues associated with security vulnerabilities, notes a Trustwave statement, one in five of the businesses surveyed for the report admit their organizations have not done security testing of any kind in the past six months.

Security testing is defined in the statement as the process of testing databases, networks and applications for vulnerabilities that could allow bad actors to penetrate them and steal sensitive or confidential information, encrypt data, disable intended functionality, or otherwise cause harm.

“It is important to note the fairly significant drop-off between network testing and other types of testing and the vulnerabilities this can create in an organization,” the report points out.

“Since corporate applications, databases and mobile apps serve as gateways to sensitive data, such as email stores and customer information, it is imperative that all potential areas of vulnerability be tested,” it adds.

Security Issues

Among those organizations that do conduct security testing – the majority use a combination of in-house resources and third-party testing services – “66% do so only monthly or less frequently, and most do not perform regular security testing after every infrastructure change,” Trustwave reports.

Specifically, the report notes, just 5% of respondents say their organizations do detailed reviews of security testing to assess vulnerabilities on a daily basis, 4% do so two to three times a week, 20% do so weekly, 4% do so two to three times a month, 20% do so monthly, 2% do so every other month, 14% do so quarterly, 11% do so annually, and 20% do so on an as-needed basis.

On the last point, Trustwave argues, this is “creating a situation where businesses are simply guessing when to test their systems.”

Just 23% of respondents report that their organizations are “very proactive” with regard to security testing, 48% are somewhat proactive, 16% are somewhat reactive, 10% are very reactive and 3% are non-existent.

Those findings contrast with the two-thirds of respondents who say they believe security testing is a valuable best practice. In fact, the report shows, 67% of respondents regard automated vulnerability scanning as a valuable or extremely valuable key security testing practice; 69% feel the same about in-depth penetration testing.

But even those organizations that are open to carrying out reviews face challenges around testing and the security skills shortage.

Respondents cite the most common challenge to be “insufficient staffing, insufficient time with which to perform the security tests, and insufficient skills to support regular testing,” Trustwave notes.

Organizational Security Testing Challenges

That may be worrisome in light of the fact that the report makes clear no one is immune to cyber attacks:

  • 71% of respondent organizations had experienced a phishing and/or social engineering attack during the previous 12 months;
  • 59% had been victims of malware infiltrations; and
  • 28% had experienced a distributed denial-of-service (DDoS) attack.

“The potential success of phishing attempts and other infiltrations varies based on a number of factors, including the victim’s gullibility, their training, the vulnerability of their applications, their organization’s security infrastructure and other factors,” the report points out.

It goes on to cite four key reasons that phishing has proved so successful today:

  • many applications in common use have one or more security vulnerabilities and the number of these vulnerabilities is increasing, coupled with security awareness training in most organizations not being adequate to help users defend against phishing attacks;
  • users share an enormous amount of information through social media channels, providing cyber criminals with information they can use to craft personalized and more believable messages;
  • cyber criminals are getting better at penetrating corporate defences, including vulnerable applications; and
  • some anti-phishing solutions are not supported with a robust database of real-time intelligence.

The cloud, for its part, is increasingly becoming the focus of corporate applications: over the last 12 months, the cloud was the most common delivery platform for new IT-related projects and for updates to existing projects.

“Many believe that the use of cloud-based solutions to deal with phishing attempts and other malicious content from reaching endpoints can be an important best practice in either bolstering an existing, on-premises security solution or adding another layer of defence to a cloud solution,” the report states.

“Emerging trends like shadow IT, mobility and Internet of Things make regular security testing more important than ever,” Kevin Overcash, director of SpiderLabs at Trustwave, emphasizes in the company statement.

This testing “includes both automated security scanning, which will help uncover potential vulnerabilities and weak configurations, and in-depth penetration testing, which is designed to exploit vulnerabilities just like criminals would in the real world,” Overcash reports.

Businesses and government agencies should understand “a new approach and strategy for security vulnerability testing is required to better fortify databases, networks and applications against data theft and breaches,” Michael Osterman of Osterman Research adds in the Trustwave statement.

“Organizations need to look at security testing more comprehensively and perform it more frequently,” Osterman continues.