Many organizations prioritize external cyber threats and use various tools and technologies to protect against such issues. However, these organizations may also be more likely than others to overlook internal cyber threats that lead to security vulnerabilities and data breaches, according to the fourth annual Securealities Penetration Risk Report from cybersecurity and cloud services provider (CSP) Coalfire.
Security Misconfiguration is an Ongoing Vulnerability
High-risk internal attack vectors are more than three times higher than external ones and nearly four times higher than app-related vectors, Coalfire's report shows. In addition, large cloud services providers hold 55% of high risks, small CSPs account for 37% and midsize CSPs account for 8%.
More than 3,100 penetration tests and four research reports indicate that the top vulnerabilities fluctuate over time, but security misconfiguration is "always at the top," Coalfire's report indicated.
This is likely due to the fact that many organizations:
- Lack an understanding of their own asset inventory
- Use legacy systems that drive multiple vulnerabilities
- And/or have poor cyber hygiene
Technology Sector Leads Penetration Testing
Other notable findings from Coalfire's report include:
- Fewer than 50% of organizations tested were compromised through social engineering tests. More organizations than ever before are teaching their workers about social engineering attacks and the dangers associated with them.
- The technology sector is leading the way with penetration testing. Tech organizations have lowered their high-severity threats nearly 30 percentage points over the last three years to 17% overall, due in part to their use of pentesting tools and technologies.
- Web application penetration testing delivers long-lasting results. On average, organizations that have run testing programs for at least three years saw a 25% reduction in high-severity threats.
Organizations can use multilayered cybersecurity strategies to detect, limit and prevent cyberattacks and data breaches, Coalfire stated. These strategies can include automated security testing throughout the web and application lifecycle and regular pentests. That way, organizations can establish risk management priorities, mitigate security weaknesses and keep pace with current and emerging cyber threats.