Time is of the Essence: Why Frequent Pen Testing is Critical for APAC Security
In the past 24 months, a staggering 51% of enterprises have reported breaches, according to “The State of Pentesting 2024 Survey Report” by Pentera. This highlights a severe vulnerability across their entire attack surface – whether it be cloud, web-facing, or on-premises environments. This wave of successful cyber attacks has left CISOs grappling with unexpected downtime, data exposure, and financial damages, with only a scant 7% of enterprises managing to escape significant repercussions.
Compounding this challenge, 53% of enterprises are facing either decreasing or stagnant IT security budgets for 2024, a sharp contrast to the previous year’s optimistic projections, where 92% anticipated budget increases. This financial squeeze means that CISOs are under increasing pressure to do more with less, maximising operational efficiency and squeezing every bit of value from their existing security infrastructure.
Moving Beyond Periodic Pen Tests
As high-profile breaches continue to make headlines, there is growing scrutiny from boards of directors and executive management. Over half of CISOs now regularly share pen testing results with their leadership teams and boards, underscoring the critical importance of understanding organisational resilience against cyber attacks. However, the traditional approach to pen testing – while essential – has its limitations. Enterprises globally are spending an average of USD $164,400 annually on manual pen tests, which account for 12.9% of their total IT security budgets. Yet, with 60% of organisations conducting these tests no more than twice a year, such investments only provide a periodic snapshot of their security posture.
This intermittent assessment is particularly troubling given the dynamic nature of IT environments. While 73% of enterprises report changes to their IT environments at least quarterly, only 40% perform pen tests with the same frequency. This significant gap leaves organisations exposed to risks for extended periods. Moreover, security teams are inundated with a minimum of 500 security events for remediation each week, making the goal of becoming “patch perfect” unrealistic. Consequently, prioritisation becomes paramount; security teams must focus on addressing the most critical vulnerabilities before hackers can exploit them.
Jason Mar-Tang, AVP and Field CISO at Pentera, emphasises the gravity of this situation: “Changes to an organisation’s deployments can fundamentally alter your risk exposure on a weekly or even daily basis. Without consistent testing, you can’t be certain your security is adapting to cover the changes.”
Each organisation’s specific security risks depend on its environment. Cloud-based organisations are more vulnerable to cloud-native attacks, while traditional industries like manufacturing face different risks. Regardless of the environment, the common denominator is the need for consistent testing. Without it, security measures cannot adapt to cover new vulnerabilities arising from changes.
Disconnect Between Security Spending and Breach Rates
Despite significant investments in cybersecurity, many APAC organisations still experience breaches. According to Jason, APAC enterprises spend an average of USD $1.4 million on IT security and utilise an average of 54 security solutions, yet 50% reported a breach in the past 24 months. “Having the security technology isn’t enough; you need to be smart about your security program and make sure it’s actually working,” Jason asserts.
The data shows that while organisations invest in security tools, they often neglect to test their effectiveness. Only 61% of organisations pen test twice a year at most, meaning many go six months between quality control checks. This infrequency can lead to undetected vulnerabilities and ineffective security measures when under attack.
In an ever-evolving threat landscape, security teams must prioritise their efforts effectively. Jason advocates for adopting the hacker’s perspective through continuous testing. Effective security testing, such as pen tests or red-team exercises, reveals how well defences hold up against real attacks and identifies where improvements are needed. This proactive validation is crucial for remediating exploitable security gaps before attackers can exploit them.
“When you test your security against the real Tactics, Techniques, and Procedures (TTPs) that threat actors are using, you don’t need to guess if your security controls stop it; the test will validate if your security works,” he explains.
This approach is central to the Continuous Threat Exposure Management (CTEM) framework, which focuses on continuously assessing and prioritising exploitable risks. By concentrating on root cause vulnerabilities within the intrusion kill chain, security teams can address attack paths early, enhancing overall security posture.
Addressing Concerns and Hesitations Towards Pen Testing
Despite the clear benefits, some organisations hesitate to adopt pen testing due to concerns about business continuity and pen tester availability. Many fear that pen testing might cause network downtime or disrupt operations. Jason advises finding pen testers with the right expertise for the specific environment – whether on-prem, cloud, or hybrid – to minimise risks.
“Security teams are tasked with ensuring that IT risk is minimised and that business operations are uninterrupted,” Jason explains. “To overcome the challenge, I would recommend that you research and find pen testers who have a high level of skill in working with the type of environments you have within your organisation.”
To address availability concerns, he recommends adopting automated pen testing solutions. Automation allows for consistent validation of defences against real attacks without the wait for third-party pen testers. This ensures that security teams can continuously test and improve their security posture.