Press Release

Midsized Businesses Hit Cybersecurity ‘Sweet Spot,’ Leaving SMEs and Large Enterprises Lagging, New Research Finds

June 25, 2018

  • Midsized firms outperform larger competitors on a range of penetration tests designed to breach cyber defenses
  • New report based on more than 300 tests finds that companies’ staff remain their biggest cybersecurity weakness
  • Globally, healthcare firms performed the worst on external security posture, although retail also fared badly in comparison with other sectors

Westminster, CO – June 25, 2018 – Midsized businesses are benefiting from a security sweet spot that has allowed them to outperform their larger competitors, according to new research from Coalfire, a trusted provider of cybersecurity advisory services.

The first annual Coalfire Penetration Risk Report found that, contrary to accepted wisdom on cybersecurity, large enterprises are not the best prepared to protect against cybercrime, despite having bigger budgets and resources.

Although large organizations are best at protecting against phishing and other social engineering attacks, the report – which was based on more than 300 penetration tests in 148 companies worldwide – found a cybersecurity sweet spot among midsized businesses, which performed best at protecting their assets and mitigating their security risks in tests.

Coalfire’s extensive penetration test results overturn the assumption that large enterprises are the most secure overall, even with the largest cybersecurity budgets and investments in staffing and other resources. Across all sizes and sectors, however, people remain companies’ biggest weakness, whether through human error or by creating opportunities for social engineering attacks, the report found.

“While overall, our results have found that the midsized business is in the technological sweet spot, conversely, we can conclude that humans – employees, vendors and customers – still represent the greatest vulnerability as they are prone to social engineering techniques, shortcuts or inadvertent oversights in the IT/security management process,” said Mike Weber, Vice President, Coalfire Labs. “Most organizations today, as they increasingly leverage the cloud and virtualization, concern themselves more with external network security than internal network defenses, creating significant internal security gaps and vulnerabilities that need to be addressed.”

The Coalfire Penetration Risk Report used customer penetration test data to analyze the security challenges within enterprises of various sizes and in different industries, including retail, healthcare, financial and technology/cloud service provider industries, and compared the security posture between small, midsized and large organizations.

Coalfire concluded that security gaps weren’t left through negligence, with organizations that did have weaknesses often struggling with restrictive budgets, competing priorities, staffing shortfalls and a lack of highly trained cybersecurity talent.

Financial services lead the way

Globally, the financial services industry performed better at cybersecurity than tech and cloud.

Healthcare had the worst external security posture, while retail performed three times worse than other industries when it comes to cyber defenses.

Common weak points

The report found that a range of vulnerabilities in external and internal networks and in applications enabled cyber attackers to progress through the cyberattack chain and infiltrate an organization.

Phishing was demonstrated to be highly successful as the “foot in the doorway” for attackers, who use it as an entry point to infiltrate the organization and then pivot internally, escalating privileges to gain greater control.

Out-of-date software, insecure protocols, misconfiguration and password flaws were found to be the greatest threats to external networks, while insecure protocols, password flaws and patching flaws were the top vulnerabilities in internal networks.


The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organizations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defenses, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organization.


Coalfire is the trusted cybersecurity advisor that helps private and public-sector organizations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe.

For more information, visit

Press Contact:

Michael Gallo
For Coalfire