Internal security failures pose biggest cyber risk to businesses

The third annual Penetration Risk Report from cyber security consultancy Coalfire, carried out 837 security tests on 353 businesses to assess their susceptibility to a range of hacking techniques and security vulnerabilities.

In the vast majority of cases (87%), firms’ internal IT systems were found to be at risk of a security breach, with half (50%) at high risk. 

In almost all tests (90%), social engineering tactics like phishing resulted in a security compromise where employees gave up at least some sensitive credentials. Close to two thirds (61%) of these tests resulted in employees offering all the details needed for a malicious actor to fully access internal systems.

The research discovered that firms are making basic security mistakes like allowing staff to use weak passwords, failing to provide adequate IT training and not setting up account permissions that limit which systems employees can access.

Andy Barratt, UK managing director at Coalfire, said: “Our research shows that businesses are making life easy for hackers. In most cases, firms expose a soft underbelly that enables cybercriminals to access security credentials through social engineering attacks and then wreak havoc on under-protected internal systems.

“Even the most rudimentary hacking approaches like phishing are still incredibly effective which suggests business and their employees aren’t getting much better at spotting and reporting these types of attack. The financial cost of getting these security basics wrong can be devastating and the economic pressures of Covid-19 mean it’s more vital than ever that companies protect themselves.

“Firms must acknowledge the importance of guarding against these threats and more widely introduce proper security protocols, such as two-factor authentication, wherever possible. They also need be proactive in educating their employees on what responsible use of IT looks like, the social engineering threats they are vulnerable to and how to recognise them.”

Coalfire’s Securealities: 2020 Penetration Risk Report collates data from 837 security tests carried out on 353 businesses from a range of sectors including retail, financial services, tech and healthcare. The tests simulate the real-world tactics deployed by hackers to assess how vulnerable businesses are to cyberattacks and data breaches.

2020 penetration risk key findings:

The study found:

• Large cloud providers saw tremendous security gains over the last year and are 46% less likely to suffer a breach than large enterprises.

• As more workloads and supply chains move into cloud environments, top vulnerabilities remain in place: security misconfiguration and cross-site scripting.

• Phishing continues to dominate as the easiest breach: 61% of phishing attempts result in full compromise of access credentials.

• In a major turnaround toward safer systems, applications doubled their security posture during 2020.

• Insecure protocols dominated (22.7%) top vulnerabilities across all verticals except technology.

• Companies are moving from point-in-time to continuous, on-demand compliance monitoring.

• Large businesses have the best security posture overall, compare to small and mid-sized firms.

Mike Weber, vice president of Coalfire Labs – the security firm’s penetration testing division – said: “We believe that the improved security postures we’re seeing are due to the shift toward cloud solutions. This reduces the need to secure and maintain on-premise IT assets and enables businesses to benefit from their service providers security infrastructure.

“There is a misconception from many that cloud adoption automatically means accepting more risk, but this is only true if it’s done poorly.  Program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions when building applications in the cloud.”