The State of Penetration Testing in Canada

More Canadian organizations recognize the value of penetration testing and as a result are prioritizing it within their organizations. More than half (56 percent) of Canadian organizations invest in penetration testing, which represents a 40 percent year-over-year increase compared to 2022. Cyberattacks are increasing in both frequency and sophistication, so organizations need to exercise greater caution to ensure necessary steps are taken to safeguard their networks.

When asked about the most common types of penetration testing conducted by their organizations, 58 percent said partial-knowledge testing, 48 percent said full-knowledge testing and 41 percent said zero-knowledge testing. Interestingly, the number of IT professionals who said they were unsure (18 percent) decreased by nearly half (43 percent) compared to 2022. This is a potential positive indication of increased awareness and knowledge of an organization’s penetration testing capabilities.

Despite an overall increase in the implementation of penetration testing, Canadian organizations continue to see a rise in security breaches each year. The most common types of security breaches experienced in the past year include: ransomware attacks (34 percent), business email compromises (34 percent) and phishing attacks (33 percent). These pervasive issues aren’t going away anytime soon. Awareness and resources are key to combatting cyberthreats, as nearly one in 10 (8 percent) Canadian IT professionals who reported a security breach over the past year said they were unsure about how many security breaches their organization experienced.

Security breaches can come from within and outside of an organization. The survey found well over half (61 percent) of Canadian organizations that experienced a security breach in the past year cited an internal breach, representing a 177 percent year-over-year increase compared to 2022. 

As important as it is to maintain a strong external security posture, educating employees on security best practices and conducting awareness training is equally crucial. Employees must understand the importance of security measures and protocols and be empowered to recognize and appropriately respond to potential threats.

There is incredible value that comes with having a security team made up of internal employees and third-party testers. Organizations must be wary of internal IT teams that become too comfortable with everyday security, which risks complacency and the tendency to take the path of least resistance when it comes to security – doing what they are most comfortable with from inside the organization. Enlisting the help and expertise of third-party testers reduces bias when conducting security assessments and introduces new perspectives and opportunities to view security networks from the point of view of an attacker.

Financial loss (36 percent) was also a commonly reported outcome. All cited damages and losses resulting from security breaches have increased significantly in prevelance year-over-year. Among organizations who experienced a security breach in the past year:

• Half (50 per cent) report a loss of data, a 35 percent increase from 2022 (37 percent). 
• Half (50 percent) reported a loss of reputation, a 108 percent increase from 2022 (24 percent).  
• More than one-third (36 percent) reported financial loss, a 44 percent increase from 2022 (25 percent).  

These losses are difficult to quantify, since it involves the expenses of time spent trying to identify and remediate problems and addressing damage resulting from compromised hardware and software. Other challenges include quantifying time, energy and resources spent on repairing brand reputation, recovering from financial loss and rebuilding internal and external company trust. Working with a trusted third-party IT partner can help proactively mitigate these losses by performing the most up-to-date and comprehensive penetration testing and security assessments. This is key to staying a step ahead of cybercriminals.

According to the survey, nearly two-thirds (63 percent) of organizations have an external IT security services partner, a 21 percent increase compared to 2022. External help provides tremendous value by allowing organizations to focus on the business itself, while the experts focus on protecting it.