Increasing cyberattacks prompt need for fast, frequent penetration testing, expert tells businesses

Many businesses and government agencies now recognize that it is not enough to just look out for weaknesses in their computer systems, according to an industry player, saying these organizations now see the importance of adopting more active and thorough methods to prevent cyberattacks.

Organizations need to quickly and regularly fix security issues in their systems and use automated checks to ensure those fixes work, especially since online threats are constantly increasing, Michael Tan, Asia Pacific vice president for sales at global cybersecurity software company Pentera, said in an interview with BusinessWorld on Thursday.

“We need to come from the attackers’ point of view,” he said on urging constant validation measures beyond breach and attack simulations (BAS) and samples, which he added are “not solely feasible anymore” given rapid technologies. 

The Philippines was the second most attacked country by web threats last year, with 39,387,052 internet-borne threats detected, according to data from Kaspersky. The country placed fourth in 2021.

It also saw 2,409,085 brute force or trial and error attacks among remote workers, 52,914 financial phishing cases among businesses, 24,737 crypto-phishing cases, 15,732 mobile malware cases, and 50 mobile banking Trojan cases last year. 

Mr. Tan noted companies with interoperating security solutions inevitably create non-patchable gaps that cybercriminals can see and attack.

Pentera’s 2023 survey report on the state of pentesting, or penetration testing, said 88% of organizations still report cyberattacks amid large investments, where an average of 44 security solutions are in place for a single enterprise. 

It also noted the increasing importance of cyber insurance as the top reason for pentesting at 36%. 

However, the biggest barrier to pentesting is its risk to business continuity, amid 82% of companies already pentesting in some form, Pentera said. 

While pentesting is moving beyond regulatory compliances, Pentera has seen a unique opportunity to introduce one-day point-of-view testing in enterprises’ live production environments, which Mr. Tan noted as a one-day challenge for the company. 

“If a solution will create downtime, it’s out of the way,” he said on employing continuous on-premise software solutions, alongside application programming interfaces integration in its cloud services. “Last year, this was impossible.” 

Mr. Tan mentioned that most of the vulnerabilities Pentera has seen included misconfigurations, password weaknesses, and policy settings. “Mitigation is more than just patching [these],” he said. 

Following its entry to the Philippine market in January, Pentera has partnered with Netpoleon, an APAC-based security provider, to distribute Pentera’s solutions and aggressively expand its customer base in the region, Mr. Tan said. 

“We are coming out with regular online training with partners and new functionalities and features every few weeks,” he said on keeping up with rapid technologies. 

The company is targeting to service the financial sector and other distributed industries with small security teams and outdated or legacy systems, such as automotive and manufacturing plants, he added. 

However, Mr. Tan noted the importance of initially addressing cyber hygiene among enterprise employees before stacking security solutions. 

“Security technology is moving so fast,” he said. “You might make it more complicated.” 

“The government needs to have more initiative to create security awareness,” he added, citing that the weakest link in the growing cybersecurity landscape is always the people.

“More work and awareness need to be done.” — Miguel Hanz L. Antivola