Some penetration testing stats

It was the great Gordon Ramsay that said, “I don’t like looking back. I’m always constantly looking forward. I’m not the one to sort of sit and cry over spilt milk. I’m too busy looking for the next cow.” But still, it can’t hurt to keep track of how the cow-hunting is going, so in this post, we’ll present some penetration testing stats from the past two years, and we’ll see if we can glean some insights and perspectives.

Penetration testing (also known as “pen testing”) involves a trained expert searching for vulnerabilities in a computer system which could be exploited by an attacker. There are many types of pen tests that focus on many kinds of targets, such as:

Web applications
Networks
Mobile applications
APIs
Wifi networks
Social engineering
Physical access

There are two benefits to pen testing. Firstly, pen tests allow you, our client, to identify and remediate vulnerabilities in your systems in an ethical, safe way by running what is effectively a controlled cyber attack that (unlike the real thing!) won’t leave you high and dry.

The second, almost secondary benefit of performing regular pen tests is that our client’s can check that their organisation’s security systems are equipped to handle the effects of an attack if one was to take place. Some might say that including an incident-detection and response (IDR) component into the exercise makes it more like a red-teaming event. Red-teaming however brings with it many other considerations, and Dotsec believes it is important to include an element of IDR when pen testing our client’s systems, to help them be ready to detect any attackers that later come their way!

A quick summary of our pen testing process

At Dotsec, our pentesting process is both effective and client-centric. The process includes the following steps:

Scoping and timeline – We’ll have a quick chat with you to discuss the scope and understand your goals and the time frames you’re working with.
Rules of engagement – We’ll work with you to establish the rules of engagement, which will be followed at all times during testing.
Testing time – We’ll begin testing, providing you with daily updates and notifying you immediately of any high-severity findings. You’ll know exactly what we’re working on at all times.
Reporting – Once testing it over, we’ll produce a detailed report which contains our findings and recommendations for remediation.
Remediation and retesting – We’ll arrange a meeting to go through the report and answer any questions you have. After you have made improvements to address the findings in the report, we can also perform retesting to confirm that your changes worked.

What’s to show for all of this? A client who can sleep more easily knowing that they have been able to identify, understand and remediate the vulnerabilities in their systems.

So, on to our review, which we’ve neatly summarised in just three graphs.

Trending increasing in number of tests

At DotSec, we perform a lot of pen tests. We collected data about the last 2 years of pen tests we’ve done and looked for interesting trends in the number of tests, industry types of our clients, and the size of their organisation.

The graph below shows the number of pen tests conducted from Q3 2020 to Q3 2022. We’ve seen an increase of approximately three times the number of pen tests in that time period. We believe this is a result of several things:

Scary news headlines describing companies that are faced with multi-million dollar ransoms after being compromised. (https://www.abc.net.au/news/rural/2021-06-10/jbs-foods-pays-14million-ransom-cyber-attack/100204240).
Company directors becoming more aware of their responsibilities under current legislation. According to (https://www.afr.com/chanticleer/company-directors-issued-with-a-cyber-alert-20220817-p5ban6) 35% of Australian business had been hit by a ransomware attack and 83% had paid a ransom. However, directors have certain legal obligations (e.g. potential disclosure obligations to the ASX or the Privacy Commissioner or if they offer ‘critical’ services they have mandatory disclosure requirements under the Security of Critical Infrastructure Act) in the event of such an attack and are likely looking to minimise the chance of such an attack occurring in the first place.
Increased remote work infrastructure required to support working from home, and the increased risks associated with the migration of internal services to allow external access.
Increased compliance requirements such as CPS234 (https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf), which requires APRA-regulated entities to take proactive measures to become more resilient to cyber attacks.
Increased difficulty in obtaining cyber insurance. According to (https://techhq.com/2022/08/cyber-insurance-can-companies-afford-it-any-more/), premiums doubled in the first 3 months of 2022.
Customers holding companies to higher standards. Several of our customers have had pen tests at the request of their customers, who want to see evidence that pen testing has occurred.

And don’t forget that we’re only three quarters through 2022, so it looks like the trend is continuing.

Trends in client industry sector

We also thought it would be interesting to compare which industry types appeared to be more interested in pen testing. We thought about this a fair bit and while we’re a bit concerned that our sample size isn’t large enough to make any concrete statements, but we were able to observe that:

Technology companies, law firms, and manufacturing companies have consistently been prioritising pen testing, and this appears to be increasing over time.
Financial companies have maintained a steady interest in pen testing.
Education, Retail, Healthcare, Construction, and Government organisations have not shown much interest in pen testing, and aside from Education, this doesn’t look like it’s changing.

The industry types who are performing regular pen tests appear to correlate to the increased requirements for security. For example, law firms are commonly being asked by their customers for attestations to show that regular pen testing is being done. Technology companies who are surrounded by IT news are well aware of the risks of not performing regular pen tests. We hope to get in touch with the industry types who haven’t contacted us about pen tests though!

Trends related to organisational size

What about the size of our clients? There are lots of theories out there: Are large organisations more likely to do pen testing because they have the budget? Or are small organisations more likely because there are less stages of approval slowing things down?

Actually, our data doesn’t support either theory! From our perspective:

It appears that organisations of all sizes are increasingly engaging us to perform pen testing. Organisation size does not appear to be a determining factor for performing pen tests.
Q1 of 2021 was a bad time… try to forget… keep trying…
Small business numbers peaked around this time last year and have declined over the subsequent three quarters. We don’t know for sure but perhaps events such as the Hafnium attacks in Q1 were a motivating factor.
There is an increasing chorus of “cyber fatigue” as described in this (very flash, I must say!) KPMG report. Perhaps this so-called cyber fatigue is a contributing factor in the decline of small-business penetration testing jobs.

The numbers don't lie! Do they?

Of course, we all know the saying about the value of statistics…

But none the less, before we get back to our cow-hunting, what do we think we have learned from looking at our historical data?

There has been a dramatic increase in the demand for pen testing services over the last two years. We think this is for a range of reasons, from the increased number of cyberattacks, to increased security requirements from the customers, insurance companies, and the government, and an increase in staff members working from home as a result of Covid-19.
Certain industry types, such as technology companies, law firms, and manufacturing companies, are much more interested in pen testing services, now. Other industry types seem to be increasingly interested over time, and others don’t appear to be too interested at all.
Business size does not appear to play much of a role in whether an organisation would like to perform pen testing, except for small businesses which seem to be requiring testing services on a less frequent basis. But all sectors are still represented. After all organisations of any size have data they need to protect, right?

So what should you consider?

If your organisation is part of an industry sector which is increasingly validating its security through penetration tests, but you have yet to join the party, consider the benefits that would be gained with increased confidence in your security controls and their ability to withstand attacks in today’s nefarious Internet.

On the other hand, if your organisation is part of a sector which typically eschews penetration testing and you consider it to be an unworthy expense, consider the advantages of overtaking your competitors with your proactive approach to security which is increasingly in the public’s eye given the number of breaches being publicised nowadays.

And finally, if you are in a sector without competitors (e.g. a government organisation) consider how grateful your customers (i.e. the tax/ratepayers) will be for protecting their PII by undertaking regular testing

Even if you regularly undertake penetration tests, consider rotating your testing provider: Just like a toothbrush which gets worn out scraping the same nooks and crannies in your teeth, sometimes changing your toothbrush will uncover new cavities.. and everyone enjoys a good filling!

In closing: We enjoy pen testing because we love helping our clients by identifying vulnerabilities in their systems, and then helping them to remediate the shortcomings. And our clients enjoy pen testing because they receive peace of mind that local experts (with lots of experience and no egotistical baggage) have tested their systems before the hackers do.