Organisation lack confidence to close security gaps

HackerOne has released The 2022 Attack Resistance Report that captures IT professionals’ assessments of their cyberattack readiness. The report reveals organizations face a significant gap between what they are able to protect and what they need to protect — coined the attack resistance gap.

  • 2 years ago Posted in

The report, compiled from survey responses from enterprise organizations in North America and Europe, investigated four areas critical for organizations to increase their resistance to attack:

 

An understanding of their attack surface 

The cadence of application testing compared to release cycles

The depth and style of security testing

The availability of technical talent capable of carrying out these tasks 

 

Overall, organizations had a confidence score of 63% across a composite of these four areas.

 

"Awareness reduces risk. Only organizations who know their attack resistance gap are equipped to reduce it,” said Marten Mickos, CEO of HackerOne. “We conducted this research to illustrate the problem and show the way toward improvement. Organizations that broaden their scope of testing, and do it continuously, are seeing their attack resistance gap shrink."

 

One-third of respondents say they monitor less than 75% of their attack surface. Almost 20% of participants believe that over half of their attack surface is unknown or not observable, leaving them vulnerable to external threats, especially as digital transformation and development continue at an accelerated pace.

 

Additionally, 44% of organizations stated they are not totally confident that they can close the attack resistance gap. The cyber skills shortage exacerbates their ability to protect the full attack surface — 80% of respondents expressed concern about a lack of available skills and experienced security talent. 

 

The report demonstrates that siloed and insufficient testing of products adds further pressure on organizations, with one-third (33%) citing team silos as the main reason behind shortcomings in security testing and scanning tools. Development, security, and operations teams cite continuously changing requirements and priorities as their top two challenges, alongside technical and security debt in legacy systems. 

 

The over-reliance on security and scanning tools as a quick fix or a one-size-fits-all approach is also an area of concern. Data also demonstrated how many companies see Attack Surface Management (ASM) as a compulsory security exercise, rather than a strategic tool in their overall security plan. Only 22% of companies use ASM solutions to minimize exposed development infrastructure and weak, insecure, or deprecated crypto. 

Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security...
Talent and training partner, mthree, which supports major global tech, banking, and business...
Cloud-native organisations to gain full understanding over every identity in the cloud, secured...
MSSPs identify regulatory compliance as additional factor as organisations seek to shift...
Orange Business (Norway), a global leader in digital services, has selected ARMO’s advanced...
Gigamon and Exclusive Networks have expanded their existing distribution partnership, broadening...
Trustwave and Cybereason have announced a definitive merger agreement offering a comprehensive and...
FortiDLP’s unified approach to data protection enables enterprise organizations to anticipate and...