Fresh Stats on Cyber & Privacy Risks
We have a fascinating new snapshot of cybersecurity risks these days — including companies racing to embrace cloud computing without fully understanding the security fundamentals, insecure mobile applications, and persistent bad habits with software patching and encryption.
Said snapshot comes from Coalfire, one of the more notable cybersecurity and compliance software firms, which just released its 2023 Penetration Risk Report. The report reviewed the results of more than 800 penetration tests (hired hackers who try to find vulnerabilities in your cybersecurity regime) and reviews of 2,500 mobile apps. Altogether, the report offers a detailed picture of where companies tend to drop the ball on cybersecurity, and which specific shortcomings are most prevalent at various types of organizations.
For compliance and internal audit leaders worried about cybersecurity, the Coalfire report offers plenty of food for thought about where your own company might be weak and what you’ll need to do to bring your policies, procedures, and other controls up to par.
Let’s start with the big picture. Figures 1 and 2, below, show the most common security risks in cloud-based systems (which most companies use these days) and the most common vulnerabilities in corporate IT systems overall.
[Figures 1 and 2: most common security risks in cloud-based systems, and most common vulnerabilities in corporate IT systems overall. Source: Coalfire]
These findings matter to different groups for different reasons.
The first group is SOX compliance professionals. They are struggling these days to manage GRC automation, and are in something of a race with the rest of the enterprise. SOX compliance teams keep trying to automate their GRC systems or otherwise rationalize internal controls, but the rest of the enterprise keeps bounding ahead to implement new technologies — like, say, cloud-based systems. Migrating to the cloud is one of the most common reasons a company increases the number of its key controls, even as SOX teams are trying to decrease the number of key controls.
So Figure 1 from above is useful for SOX compliance professionals because it shows the most common vulnerabilities companies have while migrating to the cloud. That can help the SOX team understand where your threats to internal control over financial reporting might be.
For example, when we see 79 percent of companies suffering security misconfigurations, and 22 percent having authentication issues — that should be a honking klaxon of concern for SOX compliance officers. If your cloud security isn’t configured correctly, unauthorized users can gain access to your systems and data. Whether that’s a cybersecurity problem or a SOX compliance problem is kinda beside the point, because it’s all poor access control that your company will need to fix somehow. So talk with your cybersecurity team to understand how they are or aren’t taming that misconfiguration risk.
Security and Compliance Risks
The other groups that can make use of the Coalfire report are internal audit teams (that is, those teams not bogged down in SOX) or regulatory compliance folks worried about privacy and data security. They should pay attention to Figure 2 from above, with its findings on risks in commercial organizations overall.
I look at Figure 2, with 25 percent of companies suffering problems on outdated software and patching, and wonder — the internal audit people at those companies must be pulling out their hair, right? Because those are failures of IT general controls, and we’ve been talking about them for years. If a company is suffering either of those two vulnerabilities, audit teams should put those concerns at the top of the priority list to get those weaknesses fixed.
Along similar lines, privacy and compliance officers should see the 23 percent limping along with encryption vulnerabilities and wonder, are we one of those companies? Because if you are, you have a ticking time bomb of compliance risk from, well, some regulation out there. Probably GDPR or PCI DSS, plus any number of other state, federal, or international privacy laws. Most likely, you have compliance risks from a bunch of regulations, which could all be reduced by implementing proper encryption.
On those grounds alone, the Coalfire report is worth a read because it helps compliance and internal audit professionals become more fluent in the deficient cybersecurity practices that are out there (especially in the cloud), and that will help you speak more productively with your IT security teams as you design policies, procedures, and controls to keep all these risks in check.
Size Matters, and More
Coalfire also found that the vulnerabilities facing large and small companies are quite different. Take a look at Figure 3, below.
[Figure 3: vulnerabilities facing large companies versus small companies. Source: Coalfire]
Again, none of this is a surprise when you sit down and think about it. Large companies have complex systems with many, many nodes that connect to the internet, so it stands to reason that misconfigurations and injections (where attackers submit crafted input that a website or application ends up executing as code or commands) are common problems. Small companies do not have complex systems, but they do struggle with automated security management, so it stands to reason that patching and outdated software are problems there. (Ditto for training, since small companies rarely have enough resources to do it well.)
The report also found differences among various industries. For example, in healthcare and retail, the most common risks were about encryption. That makes sense, when you consider the highly personal and valuable data those sectors possess. On the other hand, the most common risk for financial services and tech firms revolved around security misconfiguration, which also makes sense when you consider how complicated those sectors’ IT systems can be.
Long story short, the Coalfire report is a good resource to understand the cybersecurity risks your company is likely to face, based on its size, industry, dependence on the cloud or mobile apps, and more. The foremost audience for this report is obviously the IT security crowd, but internal audit, privacy, and compliance teams can keep pace with the findings too.
Then you can have more productive conversations with the IT security crowd about how to keep your enterprise safe, secure, and compliant — and lord knows, every company needs to do better at that these days.