Cybersecurity Research Reveals Risk is Shifting to Midsized Businesses
Thursday, November 14th, 2019
Coalfire, a provider of cybersecurity advisory and assessment services, released its second annual Penetration Risk Report. The research, based on hundreds of engagements performed by the company's adversarial simulation and penetration testing team, Coalfire Labs, shows that the highest risk factors have flipped from large enterprises to midsized businesses over the last year due to the continuing migration to cloud computing across all public and private sectors.
"Last year, the data surprised us by showing that midsized businesses hit the cybersecurity 'sweet spot' despite the higher security budgets and resources of larger enterprises," said Coalfire Labs Vice President Mike Weber. "In 2019, large enterprises are filling the gaps faster, and midsized businesses find themselves scrambling to keep up."
2019 Report Findings
Coalfire Labs separated cloud service providers from enterprises in the 2019 report to reveal the risks in each environment. The top vulnerabilities in the enterprise space were out-of-date software and insecure protocols. For cloud providers, security misconfiguration was the highest risk factor.
The top five application vulnerabilities for 2019 included cross-site scripting, injection, security misconfiguration, password flaws, and sensitive data exposure. A few of the top vulnerabilities from 2018 fell off the chart this year: broken authentication/session management, using known vulnerable components, and missing function-level access control.
"The good news is that app security has improved from last year due to the allocation of more resources and skilled professionals to get the job done as the threat of cloud-specific vulnerabilities increases," said Weber. "Despite this, internal network security remains soft as organizations continue to prioritize external risk protections. Midsize businesses are especially vulnerable in this regard."
Organizations struggle to get configurations right as they leverage multiple cloud infrastructure providers and hybrid environments. "When building applications in the cloud, program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions," advised Weber.
Phishing continues to be a serious issue – in 71% of Coalfire Labs' testing engagements, organizations experienced at least one full compromise of credentials. In 20% of the tests, organizations saw approximately half of their targeted employees give up their credentials.
Vertical markets' overall security posture shifted dramatically in 2019. Compared to the wide variation between verticals last year, more vertical markets now show similar vulnerability rates, and almost all show fewer high-risk findings. "We believe that this is due to the shift toward cloud solutions in every vertical, which reduces the need to secure and maintain on-premise IT assets," said Weber.
The technology/cloud, retail and healthcare verticals maintained security postures similar to 2018. Financial services, however, was strong last year but fell behind in 2019. Compliance struggles, privacy management, increasing third-party vendor assessments and ongoing payment card industry challenges are taxing the sector, and combined to produce a 17% increase in external risk over last year. Education, the newest category researched in the report, showed strong results in secure code, and the data disproved the perception that educational institutions lack diligence in hardening systems.
"Though application vulnerabilities are declining, threats from out-of-date software and security misconfiguration are on the rise, and everyone should pay closer attention to the basic, routine security tasks that are clearly still being neglected," said Weber. "Threat awareness is strong, and must continue – the stakes are getting higher with the proliferation of the 'internet of everything,' and as companies of all sizes and in all sectors continue the march to the cloud."