Blog | Parabellyx Cybersecurity

Cybersecurity Testing Affordability Crisis is Upon Us. Here's How Parabellyx is Solving It.

Written by Alexander Poizner | Mar 23, 2026 6:05:47 PM

Every time a geopolitical crisis flares up and cyberwarfare comes into play, there is one consistent victim that takes most of the collateral damage. Cyberattacks on small and medium-sized organizations rarely make headlines, yet those organizations are the vast majority of victims of so-called “state-sponsored threat actors”.

The term itself is very confusing. Except for North Korea, where most of the hacking activities are centralized in true communist fashion, those actors are criminal gangs that are loosely affiliated with the state and, like the privateers of old, are given a license to hunt for ships as long as those ships do not sail under a friendly flag. Those cybercriminals are rarely motivated by political ideology and are looking to profit from their activities. They focus their attention on the least defended organizations that do have the means and motivation to pay.

The “state sponsors’” motivation is also clear: while they seek to make some noise with headlines of attacks against prominent organizations, the more sinister and real danger lies in economic disruption, as the smaller organizations targeted are part of business and government supply chains.

Cybercriminals, whether state-affiliated or not, look at mid-size organizations as low-hanging fruit, easy to profit from, while keeping a low profile. After all, those organizations are much more likely to pay ransom as they are desperate for business continuity. The problem is intensified by the fact that those businesses are essentially priced out of the modern security market.

Cybersecurity IS very expensive. From expertise to tools and managed services subscriptions, the money you pay to stay secure is a significant proportion of your budget. Cyber insurance is the most expensive part of a business insurance bill. Regulatory compliance, whether PCI DSS, SOC2, or CMMC, while necessary, eats up the majority of the security budget. What’s left is rarely enough to identify the real security problems that lead to breaches and fix those.

Security testing is the cornerstone of cybersecurity, yet due to a perfect storm of factors, high-quality, continuous testing has remained out of reach for most organizations. Here is why:

1.    Penetration testing is an important activity from both a compliance and a risk management perspective. It was generally expected that penetration testing would become a commodity service, with prices decreasing. Instead, the market split in half. On the one hand, we have bargain-priced penetration testing that has no value due to low result accuracy, misprioritization of findings, and poor remediation advice. In fact, I would argue that bad penetration testing will cost you more money than no testing at all due to the effort and money spent chasing overstated risks. On the other hand, the price of high-quality penetration testing remained out of reach for many organizations, even on an annual basis.

2.    IT environments have become very dynamic with AI and cloud in the mix. An annual penetration test becomes outdated the day it is performed. While it’s still a good safety net and a compliance requirement, its value in managing ongoing operational and technology risks has significantly diminished. This is why enterprises are building robust security testing programs with experts and tools.

3.    Building their own security testing programs is out of the question, even for small enterprises. According to the recent Gartner and SANS survey, such programs require at a minimum 7 expensive tools and several experts to run them. MSSPs shy away from offering such managed programs because the price often overshadows their core offerings, and they default to simple vulnerability scanning, which offers little value due to high inaccuracy.

The other, less apparent issue with modern security testing is that the fix advice provided by the testing team or tools is geared towards security professionals rather than IT generalists or software developers. To bridge the gap, larger organizations employ security advisors who translate and communicate the steps to fix the security issue to other IT teams.

All of the above highlights the affordability crisis in cybersecurity that weighs heavily on the economy. However, not everything is gloomy. Parabellyx dedicated its LUMA Security platform to solving the affordability and usability of security testing for mid-size organizations and SMBs. We used advances in AI to reduce the cost of testing and a human-validation approach to ensure high-accuracy results and provide fix guidance. We are working with MSSPs to ensure that their customers get the combined proactive and reactive protection they need.

Parabellyx is revolutionizing security testing by making it affordable and accessible to all organizations, regardless of size, preventing them from becoming low-hanging targets for cybercriminals and state-sponsored actors. We are here for you.