Global cybersecurity firm Coalfire has released its fourth annual Securealities Penetration Risk Report, which analyzes the internal and external attack vectors of enterprises and cloud service providers (CSPs), application development and mobile app security, social engineering and phishing, and PCI- and FedRAMP-specific findings, with data segmented by industry and company size. Additional mobile application security analysis was provided by NowSecure.
Coalfire’s long-term data shows that cyber risk shifts significantly year over year based on company size, vertical market, and many other factors. Driven by a surge of publicized catastrophic breaches, the dominant focus on external risk has allowed internal threats to persist. This creates points of weakness that increase the potential for internal exploits by the growing cadre of attackers.
Key findings include:
- Web application penetration testing pays off over time: Successful AppSec initiatives are continuous, no longer point-in-time activities. Results show that organizations that have run testing programs for at least three years saw high-severity findings reduced by 25%.
- Financial services organizations are challenged with securing mobile apps: Within Coalfire’s application risk data on financial services, the high-risk rate was a low 8%. However, NowSecure found that the high-risk rate for mobile apps was 37%, meaning mobile apps performed much worse than web or desktop apps.
- More than 3,100 penetration tests show security misconfiguration is always the top vulnerability: Year-over-year consistency of the top application vulnerabilities shows that many companies lack an understanding of their own asset inventory, continue using legacy systems that expose multiple vulnerabilities, and have poor cyber hygiene.
- Improvements in social engineering test results: For the first time ever, fewer than 50% of companies tested were compromised through social engineering tests, indicating progress in raising employee awareness and lowering the risks of human compromise.
- Training gaps threaten FedRAMP Authority to Operate: While overall social engineering results show improvement, a lack of training, particularly around social engineering, accounts for 41% of all FedRAMP vulnerabilities—216% higher than in 2020.
- Large CSPs are improving, but still carry the majority of high-risk vulnerabilities: Over the last two years, the large CSPs reduced high-level risk exposure by more than one-third. In contrast, smaller cloud companies saw a 15% increase in the number of vulnerabilities, primarily due to continuing misconfigurations and out-of-date software problems.
The report reflects the results of more than 3,100 penetration tests from nearly 1,600 client engagements in the technology, financial services, healthcare, and retail sectors.