If there were a huge growth in burglaries in a neighborhood, wouldn’t most people step up their household security? After all, if they knew that properties like theirs were being specifically and precisely targeted by experienced thieves, they would surely take active measures to secure their property, anticipate the potential points of entry and take preventative measures. If that property held precious items belonging to other people, you would think their sense of responsibility would make them even more vigilant.
But when we frame the same conversation within the context of cybersecurity, it is surprising to see how many organizations are prepared to accept the risk to their digital estate that they would not tolerate in their bricks and mortar assets.
The fact is that a huge number of businesses are ignoring the warnings, neglecting to respond to the increased threat of cyber hacking – leaving themselves, their data and their customers’ data vulnerable. Yet we know all too well that it is a hostile environment out there. Cyber threats are the unavoidable reality in today’s business world with incidences of data theft and ransom demands on the rise. This is not scare-mongering; let’s examine the evidence.
A leading insurer conducted a survey of 5,400 small, medium and large businesses across fifteen sectors in the UK, Europe, and the US. It found a sharp increase in data theft, fraud, sabotage and extortion, with 60 percent of firms reporting one or more attacks, up from 40 percent in 2018. Statistics reveal that 55 percent of British firms were attacked in 2019, with the average loss from a breach at £189,000 (across all sizes of business).
Smaller firms often consider themselves to be comparatively safe because hackers focus on larger targets. Although larger firms are still the most likely to suffer cyberattacks, the proportion of small businesses (employing fewer than 50 people) which reported a breach went up this year from 33 percent to 47 percent. There is no escaping the facts: cyberattacks are on the increase across all sizes of business.
While it appears that GDPR has prompted many into making some changes to their security posture, statistics for the UK reveal the lowest budget for cybersecurity of any country. What is more, in the cyber readiness survey, 72 percent of UK businesses fell into the ‘novice’ category for cyber readiness.
One of the key indicators for cyber maturity is, of course, a proactive penetration testing strategy. The benefits of combining automated vulnerability assessments with penetration testing in the hands of experienced professionals are significant. And yet there are many organizations in the UK – of all shapes and sizes – that aren’t familiar with penetration testing at all.
This lack of awareness is something that the information security community must undoubtedly take some responsibility for; it is their job to work hard to raise awareness as the scale of the threat landscape increases all the time.
However, it remains important that this does not simply take the form of scare-mongering. Utilizing fear can certainly get attention but it will only gain short-term traction within organizations. Instead, it is the community’s responsibility to focus on building a positive approach to risk posture into the culture of businesses.
As we know, pen testers use skill, ingenuity and experience to get into the mindset of a potential hacker, using this knowledge on behalf of their client. Yet it is the value of the follow-up report, identifying threats and explaining the mitigating steps required, that should really catch the eye of board members and senior managers within risk-aware businesses.
After all, these steps are every bit as relevant to organizations as closing all the windows and checking all the office locks at the end of the working day.
Note: This article is a guest post by an author who would like to remain anonymous; it is posted by JavaRockstar on the author’s behalf.