A new survey coming out of BT finds that more companies than ever have embraced penetration testing as the best way to manage risk and prevent future data breaches.


Earlier this month, the newshounds over at Dark Reading got their hands on a yet-to-be-released research report that should make everyone in the penetration testing and “ethical hacking” world feel pretty good about the future of our market space.

Dovetailing with other recent reports that have charted growing uptake of penetration testing among IT security practitioners, the Dark Reading story detailed a paper that will soon be released by security services giant BT (yes, the telco also has a huge security consulting business) which found that most companies are already budgeting for pen testing in some form or fashion – with others growing more interested in the process as they look for new ways to deal with the data breach issue.

The study also found that organizations who are already conducting penetration tests feel more confident about their ability to prevent breach incidents than those who have not adopted the practice.

Overall, organizations are clearly struggling to handle the data theft problem in general. Of the 200 IT pros interviewed by the services company, a whopping 94 percent said that they expect their operations to be successfully hacked, and to have electronic information stolen from them, sometime within the next year.

However, at the same time, respondents who are currently conducting penetration tests already feel better about their chances of reducing risk, at least compared to those who are not. According to the BT data, as reported by Dark Reading, organizations who currently pen test their networks estimated their chances of being hacked at 26 percent, while those not performing pen tests estimated that they have a 38 percent chance of getting fleeced.

In a previous BT ethical hacking study published in 2007, almost 50 percent of all the IT staffers surveyed said that their organizations had a less than 10 percent chance of getting hacked. However, that number dropped to about 40 percent in 2009, illustrating a growing lack of confidence among end users in stemming potential breaches.

In total, roughly 60 percent of organizations have already committed some of their budgets to pen testing, while only 38 percent have no program in place at all, BT reported. At the same time, an even higher number, 80 percent, admitted that they have performed penetration tests sometime in the last two years.

Some 70 percent said they were primarily concerned with finding code-level vulnerabilities via their assessments, and of all the forms of testing, 60 percent of respondents told BT that they feel network reviews remain the most important variety in terms of preventing data breaches, according to the Dark Reading piece.

And, while BT experts quoted by the publication cited compliance regulations including PCI as the primary catalysts for impending growth of pen testing programs, respondents seemed to indicate that the larger benefits of improving security through self assessment ranked as their top reason for running the exams.

Around 43 percent of those surveyed by BT said that the top benefit of testing is “improving their security posture,” while 22 percent said it was protection of intellectual property. Some 20 percent said that regulatory or legislative mandates were indeed their top motivators for embracing the process.

On the flip side, of those organizations not performing tests, 44 percent said that they aren’t doing it mainly because they do not have the manpower to fix the problems they might find. Boy, that wouldn’t seem to be a very good reason not to figure out where your weaknesses may be – it sounds more like a form of living in denial, which won’t keep your name out of the news when the hackers come knocking.

So, in summary, based on this piece of research, more organizations than ever before are performing penetration tests as they have recognized the process as the best way to prevent a data breach – to understand precisely how attackers will try to infiltrate their IT systems and emulate that behavior to isolate their most significant risks.

Suffice to say, that all sounds familiar to us, as it’s what we’ve been saying around these parts for a good long time.

-Matt Hines, Chief Blogger