The Black Report, published by Nuix, looks at organisations’ cyber security strategy from an unconventional point of view – that of the pen testers.
These are the main findings:
- 81% of pen testers said they could identify and exfiltrate data in less than 12 hours
- 88% said it took less than 12 hours to compromise a target
- 84% said they used social engineering when attacking the target
- 69% said they have never been caught in the act by security teams
Organisations don’t follow up on their results
What frustrated them the most was the lack of commitment organisations exhibit in fixing vulnerabilities: 75% of the time, organisations focused on critical and high-risk vulnerabilities, conducting a limited remediation after a penetration test – and only 10% did a full remediation (all vulnerabilities fixed and retested).
What they said about effective countermeasures
They were asked to identify the most effective countermeasures to integrate into the cyber security strategy in order to reduce cyber risks and they identified:
- Employee education – 52% said it was extremely important
- Goal-oriented penetration testing – 46% said it was important
- Vulnerability scanning – 37% said it was extremely important
Employee education may seem out of place next to the other, more immediately technical recommendations, but penetration testers suggested investing in it because, once technical endpoint controls have been bypassed, trained staff are the last line of defence.
Where to spend the security budget
Based on their experience, the penetration testers suggested companies spend their security budget on intrusion detection and prevention systems (37% of pen testers) and penetration testing (25%). They also recognised that no single control is sufficient: combining technical controls, security training, staff education and processes reduces the risk of a data breach when any one control fails.
Learn from the experts, book a penetration test today.
Call us on +44 (0)845 070 1750 to discuss your requirements in more detail.