Midsized businesses are benefiting from a security sweet
spot that has allowed them to outperform their larger competitors, according to
new research from Coalfire,
a provider of cybersecurity advisory services.
The first annual Coalfire
Penetration Risk Report found that, contrary to accepted wisdom on
cybersecurity, large enterprises are not the best prepared to protect against
cybercrime, despite having bigger budgets and resources.
Although large organizations are best at protecting against
phishing and other social engineering attacks, the report - which was based on
more than 300 penetration tests at 148 companies worldwide - found a
cybersecurity sweet spot among midsized businesses, which performed best in tests at
protecting their assets and mitigating their security risks.
Coalfire's penetration test results overturn the assumption
that large enterprises are the most secure overall, even though they have the
largest cybersecurity budgets and investments in staffing and other resources.
Across all sizes and sectors, however, people remain companies' biggest
weakness, whether through human error or creating opportunities for social
engineering hacks, the report found.
"While overall, our results have found that the midsized
business is in the technological sweet spot, conversely, we can conclude that
humans - employees, vendors and customers - still represent the greatest
vulnerability as they are prone to social engineering techniques, shortcuts or
inadvertent oversights in the IT/security management process," said Mike Weber,
Vice President, Coalfire Labs. "Most organizations today, as they increasingly
leverage the cloud and virtualization, concern themselves more with external
network security than internal network defenses, creating significant internal
security gaps and vulnerabilities that need to be addressed."
The Coalfire Penetration Risk Report used customer
penetration test data to analyze the security challenges within enterprises of
various sizes and in different industries, including retail, healthcare,
financial and technology/cloud service provider industries, and compared the
security posture between small, midsized and large organizations.
Coalfire concluded that security gaps
weren't left through negligence, with organizations that did have weaknesses
often struggling with restrictive budgets, competing priorities, staffing
shortfalls and a lack of highly trained cybersecurity talent.
Financial services lead the way
Globally, the financial services industry performed better
at cybersecurity than the technology and cloud service provider sector.
Healthcare had the worst external security posture, while
retail performed three times worse than other industries when it comes to cyber
defenses.
Common weak points
The report found that a range of vulnerabilities in external
and internal networks and in applications enabled cyber attackers to progress
through the cyberattack chain and infiltrate an organization.
Phishing was demonstrated to be highly successful as the
"foot in the door" for attackers, who use it as an entry point into the
organization and then pivot through the internal network, escalating privileges
to gain greater control.
Out-of-date software, insecure protocols, misconfiguration
and password flaws were found to be the greatest threats to external networks,
while insecure protocols, password flaws and patching flaws were the top
vulnerabilities in internal networks.