The second annual Penetration Risk Report from cybersecurity consultancy Coalfire tested 525 businesses for their susceptibility to a range of different hacking techniques and security vulnerabilities.
Employees at 71 percent of these businesses willingly offered up access credentials when targeted with phishing attacks by Coalfire’s penetration testers. In 20% of cases, credentials were shared by more than half of employees.
Human error was a persistent theme across throughout the research with weak passwords and insecure internal procedures both in the top three most common vulnerabilities discovered by the research, alongside out-of-date software.
Andrew Barratt, UK managing director at Coalfire, said: “Our research proves that you’re only as strong as your weakest link when it comes to cybersecurity. A lot of businesses are taking steps to upgrade their security infrastructure, particularly as they migrate more systems into the cloud, but still aren’t addressing some of the fundamentals.
“The continued vulnerability to basic hacking techniques like phishing is a disaster waiting to happen for a lot of businesses. Coupled with the increased risk caused by out-of-date software and security misconfiguration our research uncovered, it’s clear that some routine security tasks are clearly still being neglected.
“It only takes one employee to click on the wrong link or unwittingly share sensitive information to a fraudulent email and a hacker is in. This makes security basics like limiting employee access based on their role as well as educating staff on how to use IT safely and how to spot suspicious activity vitally important.”
Organisations struggle to get cloud configurations right
Overall, businesses exhibited fewer high-risk vulnerabilities than they did in Coalfire’s 2018 report. But as firms move more systems into the cloud, coordinating and configuring multiple infrastructure providers and hybrid environments has become a major challenge.
Mike Weber, vice president Coalfire Labs – the security firm’s technical testing division – said: “We believe that the improved security postures we’re seeing are due to the shift toward cloud solutions. This reduces the need to secure and maintain on-premise IT assets and enables businesses to benefit from their service providers security infrastructure.
“There is a misconception from many that cloud adoption automatically means accepting more risk but this is only true if it’s done poorly. Program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions when building applications in the cloud.”
The threat landscape changes in the cloud
Coalfire Labs tested cloud service providers and general businesses separately to pinpoint the risks specific to each environment. For non-cloud enterprises the top three vulnerabilities were out-of-date software, insecure protocols and password flaws.
The top three cloud application vulnerabilities were cross-site scripting, injection and security misconfiguration.
Retailers are streaking ahead when it comes to reducing risk
Coalfire’s research looked at five key sectors – tech, retail, healthcare, education and financial services. It found that retail businesses had made the most progress in reducing vulnerability in their IT environments.
Financial services saw the biggest increase in risk from external attacks, compared to 2018. Compliance struggles, privacy management, increasing third-party vendor assessments and ongoing payment card industry challenges combined to produce a 17% external risk increase over the last year.
Big businesses close the gap
Coalfire’s 2018 report found that medium-sized businesses were generally better at protecting themselves against cybersecurity threats than their larger peers. But this has been flipped on its head this year with large enterprises, across all sectors, exhibiting less vulnerability.
The testing found that big businesses were more likely to have taken the time to proactively test solutions before going to market.