More Canadian organizations than ever are using penetration testing to improve their security posture.
According to a recent survey by IT solutions provider CDW Canada, 56 per cent of responding firms said they have performed a penetration test in the last 12 months. That’s a 40 per cent increase compared to the response in 2022, the company said.
The survey also found that 44 per cent of respondents whose firms do penetration tests said they use both internal employees and third-party testers to do this work and/or comprehensive security assessments.
The findings are part of a survey of 500 IT professionals at organizations with at least 20 employees, conducted in March for CDW Canada, which offers penetration testing services.
The survey was validation that adoption of penetration testing among Canadian organizations, and the sense of its value, is increasing, Julius Azarcon, CDW Canada’s vice-president of professional and managed services, said in an interview.
“We believe that penetration testing is an important aspect of any organization’s preventative cybersecurity measures,” he said.
Despite an overall increase in the implementation of penetration testing, Canadian organizations continue to see a rise in security breaches each year, a report based on the survey results said. The most common types of security breaches experienced in the past year were ransomware attacks (34 per cent), business email compromises (34 per cent), and phishing attacks (33 per cent).
A penetration test should be done either once a year, or whenever there are significant changes to an organization’s technology environment and infrastructure, Azarcon said.
There is a wide range of penetration tests, from focused, ‘We only want to test one security control,’ to no-holds-barred attacks where tricking employees with phishing messages is fair game.
Arguably the toughest tests in Canada have been mandated by the country’s financial regulator, which last month approved a testing framework that the biggest banks and insurers have to meet once every three years. Rather than trust an institution’s internal IT staff to do a test, an external cybersecurity firm has to be hired to design the test. That firm may also carry out the attack, or another outside firm may perform it. The institution is expected to do its own penetration tests as well.