Even with advanced technology, fraudsters need a lot of help to get their hands on secure payment or personal data. One in five businesses apparently are unwittingly providing that help by not performing any security testing, according to new research.
Further, fewer than one in four organizations rank themselves as "very proacative" when it comes to security testing, while nearly half are "somewhat proactive," Trustwave and Osterman Research said in a report released Sept. 14.
Most of these organizations cited insufficient staffing and time to perform the needed tests, as well as a lack of skills to support regular testing.
“Emerging trends like shadow IT, mobility and Internet of Things make regular security testing more important than ever,” said Kevin Overcash, director of SpiderLabs at Trustwave, a Chicago-based security technology provider and researcher. “This includes both automated security scanning, which will help uncover potential vulnerabilities and weak configurations, and in-depth penetration testing, which is designed to exploit vulnerabilities just like criminals would in the real world.”
Osterman and Trustwave surveyed 126 security professionals who have knowledge of, or responsibility for, security testing within their organizations. For the survey, security testing is described as testing databases, networks and applications for vulnerabilities that would allow fraudsters to steal data and disable intended functions.
While financial and resource constraints come into play for organizations that do not perform security testing, many simply do not take a proactive approach to security, Overcash said.
"Many organizations still do not prioritize security testing until an incident occurs," Overcash added. "Even more troubling, if an organization does not test their security and understand their risk, they will have difficulty properly protecting their assets and may not even be aware that a security breach has already occurred."
Nearly a third of the businesses surveyed consider themselves "somewhat" to "very" reactive about security testing, or that their security testing posture is "non-existent."
Among those that do not conduct security testing on a regular basis, 66% said they test only monthly or less frequently, and most do not perform regular security testing after an infrastructure change.
"Frequency of testing is a balance between risk and resources," Overcash said. "With that said, new patches are frequently released on a monthly basis by Microsoft and Oracle, so at a minimum testing should be performed monthly to ensure that patches are applied as soon as possible to reduce risk exposure."
Exhaustive testing should be performed whenever there are major infrastructure changes or new functionality is added to an application, Overcash added.
Despite the fact that many organizations do not perform security testing, two-thirds believe that security testing is a valuable practice, the report said.
The report concludes that far too many businesses are leaving security "up to fate." For those businesses, security testing and reviews of those tests are not common. And only 5% performed detailed reviews of security testing to assess vulnerabilities on a daily basis, while 24% did so on a weekly basis.
In a statistic illustrating no organization is immune from attacks, 95% of respondents reported encountering one of the dozen common security issues listed in the survey. Phishing and social engineering was most common, with 91% saying they had encountered it, while 59% mentioned malware infiltration. Twenty-eight percent cited distributed denial-of-service attacks, while 23% had dealt with a Web or mobile application attack.
“This report should be a major wake-up call for businesses and government agencies that a new approach and strategy for security vulnerability testing is required to better fortify databases, networks and applications against data theft and breaches,” said Michael Osterman of Osterman Research. “Organizations need to look at security testing more comprehensively and perform it more frequently. Increasingly, security-savvy organizations are turning to managed security services providers for help in this area.”
More than half of the organizations did indicate they turn to third parties for help with security testing, with 31% saying they do so already and another 21% planning to do so next year.
The need for businesses to keep an eye on their own houses has become even more critical, based on Trustwave's 2016 Global Security report issued in April.
Trustwave reported that EMV chip cards were helping reduce the number of data compromises worldwide, but fraudsters were after bigger prizes in attacking corporate and internal networks to the tune of 40% of attacks in 2015, up from 18% the year before.