Penetration testing is a critical part of many organizations’ cybersecurity strategies. It’s easy to see why, given its ability to uncover previously unknown vulnerabilities, informing needed updates before cybercriminals capitalize on them. Despite this advantage, pen testing can often lull security leaders into a false sense of security.
Just 17% of businesses today say they never pen test. Most companies perform these assessments several times a year. That’s good news, but breaches remain common even with such a high frequency of assessments. Clearly, penetration testing alone is not a complete solution. But why, and could it even increase risk at some companies?
Why Penetration Testing Isn’t a Perfect Solution
Pen testing’s biggest weakness is that its accuracy depends on the assessment’s thoroughness and the tester’s knowledge. Testers can only look for vulnerabilities they know exist. Consequently, while such an examination may reveal gaps the business doesn’t know about, it won’t uncover weaknesses that are also unknown to the service provider.
This discrepancy can be dangerous in light of how quickly cybercrime evolves. In 2023, Google researchers discovered 97 zero-day exploits that criminals took advantage of in the wild. That’s a worrying figure, and it doesn’t even include new malware strains, which can also present previously unknown threats.
Artificial intelligence (AI) has exacerbated this trend. Roughly 47% of global organizations cite AI-powered attacks as their primary security concern, and it’s easy to see why. The rise of generative AI has led to an explosion in new, sophisticated attack techniques and more convincing social engineering attacks. As AI continues to grow, cybercrime’s rate of change will do the same, making it increasingly difficult for pentests to keep up.
Mere practicality poses an issue, too. Pentesters only have so long and so many resources to complete their assessments. While automated solutions make it easier to simulate a wider range of attacks in less time, it’s still impossible to try everything before the clock runs out. Businesses pushing through audits quickly to minimize spending or improve agility further constrain tests’ comprehensiveness.
None of these shortcomings are unreasonable. Nothing will ever be 100% perfect. The problem arises when pen testing feels more comprehensive than it is. Complacency and a false sense of security are common: roughly one-third of businesses that achieve only the lowest level of cyber maturity are nonetheless confident in their ability to stop cyberattacks.
What You Can Do to Secure Your Business
The pitfalls of pen testing don’t mean you shouldn’t perform such assessments. Still, they do stress the importance of doing more. Here are some additional steps to go beyond penetration testing and optimize your security posture.
Improve Incident Response
The most important step is to emphasize breach detection and response. No security audit covers every weakness, and cybercriminals will always find ways around defenses, so you need a way to identify and mitigate incidents before they cause too much damage.
Real-time vigilance is essential. Given the current shortage of 4 million cybersecurity workers, automation is your best friend for this purpose. AI network monitoring or user and entity behavior analytics (UEBA) solutions can detect and contain potential breaches almost immediately without a large security department. Such responsiveness helps you stop the bleeding even when a cybercriminal exploits a vulnerability you didn’t know about.
Emphasize Security by Design
Secondly, recognize that pen testing is a way to estimate your cyber-resilience, not the foundation of your security posture. Aim to tighten your defenses as much as possible from the beginning instead of basing all protections on an assessment’s results.
A DevSecOps approach to software development is crucial. Instead of building an IT environment and then plugging the holes in its perimeter, teams should consider how each design and development choice impacts cybersecurity. Centering workflows around cybersecurity from the start won’t eliminate all vulnerabilities, but it will significantly reduce them and streamline future patching.
Zero-trust architecture is another critical factor. The Cybersecurity and Infrastructure Security Agency has published a zero-trust maturity model you can use as a guide when creating and implementing such a setup.
Address Human Error
Businesses must also avoid complacency over the human factor. Many pen tests cover social engineering, but just because insiders don’t fall for phishing in one instance doesn’t mean they won’t later on. In 2022, up to 36% of employees made a security-compromising mistake, despite rising awareness of cybersecurity issues.
Regular training is crucial, but you must also restrict privileges as much as possible to prevent a human error-related breach from spreading. Adhere to the principle of least privilege, which means only giving access to certain data and systems to those who need it to perform their jobs correctly. Frequent retraining to familiarize employees with new cybersecurity best practices and surprise simulations can also help.
Go Beyond Pen Testing
Penetration testing is a helpful resource, but it cannot be the sole source of security for your organization. It has too many blind spots, and cybercriminals evolve too quickly.
Recognizing these shortcomings is the first step toward better cybersecurity. Once you know why assessments are imperfect, you can avoid complacency and take appropriate action to provide more comprehensive coverage.
Zac Amos is the Features Editor at ReHack, where he covers phishing, ransomware, and other cybersecurity topics. He has also been featured in publications like VentureBeat, the Global Cybersecurity Alliance, and Cyber Defense Magazine.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.