Press Release

Cybersecurity Research Reveals Risk is Shifting to Midsized Businesses

November 13, 2019

Coalfire Labs’ Annual Penetration Risk Report Shows Continued Migrations to Cloud Force Reprioritization of Security

  • Large enterprises are closing gaps faster while midsize businesses scramble to keep up
  • Environments leveraging multiple cloud providers still face challenges
  • Financial services sector most susceptible

WESTMINSTER, CO – November 13, 2019 – Coalfire, a provider of cybersecurity advisory and assessment services, today released its second annual Penetration Risk Report. The research, based on hundreds of engagements performed by the company’s adversarial simulation and penetration testing team, Coalfire Labs, shows that the highest risk factors have flipped from large enterprises to midsized businesses over the last year due to the continuing migration to cloud computing across all public and private sectors.

“Last year, the data surprised us by showing that midsized businesses hit the cybersecurity ‘sweet spot’ despite the higher security budgets and resources of larger enterprises,” said Coalfire Labs Vice President Mike Weber. “In 2019, large enterprises are filling the gaps faster, and midsized businesses find themselves scrambling to keep up.”

2019 Report Findings

Coalfire Labs separated cloud service providers from enterprises in the 2019 report to reveal the risks in each environment. The top vulnerabilities in the enterprise space were out-of-date software and insecure protocols. For cloud providers, security misconfiguration was the highest risk factor.

The top five application vulnerabilities for 2019 included cross-site scripting, injection, security misconfiguration, password flaws, and sensitive data exposure. A few of the top vulnerabilities from 2018 fell off the chart this year: broken authentication/session management, using known vulnerable components, and missing function-level access control.

“The good news is that app security has improved from last year due to the allocation of more resources and skilled professionals to get the job done as the threat of cloud-specific vulnerabilities increases,” said Weber. “Despite this, internal network security remains soft as organizations continue to prioritize external risk protections. Midsize businesses are especially vulnerable in this regard.”

Organizations struggle to get configurations right as they leverage multiple cloud infrastructure providers and hybrid environments. “When building applications in the cloud, program managers should evaluate all components and leverage cloud services into their threat models to create effective, layered security solutions,” advised Weber.

Phishing continues to be a serious issue: in 71% of Coalfire Labs’ testing engagements, organizations experienced at least one full compromise of credentials. In 20% of the tests, organizations saw approximately half of their targeted employees give up their credentials.

Vertical markets’ overall security posture shifted dramatically in 2019. Compared to the wide variables between verticals last year, more vertical markets have become similar in vulnerability rates, and almost all show fewer high-risk findings. “We believe that this is due to the shift toward cloud solutions in every vertical, which reduces the need to secure and maintain on-premise IT assets,” said Weber.

The technology/cloud, retail and healthcare verticals maintained security postures similar to 2018. However, although financial services was strong last year, it fell behind in 2019. Compliance struggles, privacy management, increasing third-party vendor assessments and ongoing payment card industry challenges are taxing, and combined to produce a 17% external risk increase over last year. Education, the newest category researched in the report, showed amazing results with secure code, and the data disproved the perception that educational institutions lack diligence in hardening systems.

“Though application vulnerabilities are declining, threats from out-of-date software and security misconfiguration are on the rise, and everyone should pay closer attention to the basic, routine security tasks that are clearly still being neglected,” said Weber. “Threat awareness is strong, and must continue – the stakes are getting higher with the proliferation of the ‘internet of everything,’ and as companies of all sizes and in all sectors continue the march to the cloud.”


About Coalfire Labs

The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organizations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defenses, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organization.

About Coalfire

Coalfire is the trusted cybersecurity advisor that helps private and public-sector organizations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for nearly 20 years and has offices throughout the United States and Europe.

Press Contact:
Mike Gallo
For Coalfire