
The State of Penetration Testing in Canada

CDW Canada recently commissioned its second annual penetration test survey to examine the sentiment of 500 Canadian IT professionals regarding the cybersecurity posture of their organizations.


Penetration testing is defined as the performance of “ethical hacking” and involves executing a simulated attack against an organization’s network, data and personnel. Penetration testing helps organizations identify and evaluate exploitable vulnerabilities within their systems and prioritize actionable steps to help defend against evolving threats. As the cyberthreat landscape continues to expand and become more sophisticated, penetration testing is one of the most effective methods to identify risks, mitigate security breaches and help maintain business continuity.

CDW Canada recently commissioned its second annual penetration test survey to examine the sentiment of 500 Canadian IT professionals at companies/organizations with at least 20 employees regarding the cybersecurity posture of their organizations. The survey looked at organizations of all sectors and sizes across Canada and analyzed the various ways they have been implementing penetration testing, how they have been responding to security breaches and challenges, as well as their views on the value of an external IT security services partner.


72 percent of organizations perform penetration testing and/or comprehensive security assessments, representing a 20 percent year-over-year increase from 2022 (60 percent).

Penetration testing adoption is on the rise

More Canadian organizations recognize the value of penetration testing and as a result are prioritizing it within their organizations. More than half (56 percent) of Canadian organizations invest in penetration testing, which represents a 40 percent year-over-year increase compared to 2022. Cyberattacks are increasing in both frequency and sophistication, so organizations need to exercise greater caution to ensure necessary steps are taken to safeguard their networks.

When asked about the most common types of penetration testing conducted by their organizations, 58 percent said partial-knowledge testing, 48 percent said full-knowledge testing and 41 percent said zero-knowledge testing. Interestingly, the number of IT professionals who said they were unsure (18 percent) decreased by nearly half (43 percent) compared to 2022. This is a potential positive indication of increased awareness and knowledge of an organization’s penetration testing capabilities.


56 percent of Canadian IT professionals reported that their organization experienced 6-9 security breaches in the past year.

Increased frequency and sophistication of security breaches

Despite an overall increase in the implementation of penetration testing, Canadian organizations continue to see a rise in security breaches each year. The most common types of security breaches experienced in the past year were ransomware attacks (34 percent), business email compromises (34 percent) and phishing attacks (33 percent). These pervasive issues aren’t going away anytime soon. Awareness and resources are key to combating cyberthreats: nearly one in 10 (8 percent) Canadian IT professionals who reported a security breach over the past year said they were unsure how many security breaches their organization had experienced.


80 percent of those that experienced a security breach in the past year said the source was external.

External vs. internal security breaches

Security breaches can come from within and outside of an organization. The survey found well over half (61 percent) of Canadian organizations that experienced a security breach in the past year cited an internal breach, representing a 177 percent year-over-year increase compared to 2022.

As important as it is to maintain a strong external security posture, educating employees on security best practices and conducting awareness training is equally crucial. Employees must understand the importance of security measures and protocols and be empowered to recognize and appropriately respond to potential threats.


44 percent of organizations that perform penetration testing use both internal employees and third-party testers to conduct penetration testing and/or comprehensive security assessments, representing a 42 percent year-over-year increase from 2022 (31 percent).

The importance of third-party testing

There is incredible value that comes with having a security team made up of internal employees and third-party testers. Organizations must be wary of internal IT teams that become too comfortable with everyday security, which risks complacency and the tendency to take the path of least resistance when it comes to security – doing what they are most comfortable with from inside the organization. Enlisting the help and expertise of third-party testers reduces bias when conducting security assessments and introduces new perspectives and opportunities to view security networks from the point of view of an attacker.


54 percent of Canadian organizations that experienced a security breach in the past year cited loss of productivity, while 50 percent cited loss of data and loss of reputation as a result.

Penetration testing to avoid business losses

Financial loss (36 percent) was also a commonly reported outcome. All cited damages and losses resulting from security breaches have increased significantly in prevalence year-over-year. Among organizations that experienced a security breach in the past year:

  • Half (50 percent) reported a loss of data, a 35 percent increase from 2022 (37 percent).
  • Half (50 percent) reported a loss of reputation, a 108 percent increase from 2022 (24 percent).
  • More than one-third (36 percent) reported financial loss, a 44 percent increase from 2022 (25 percent).

These losses are difficult to quantify, since they include the cost of time spent identifying and remediating problems and addressing damage from compromised hardware and software. Other challenges include quantifying the time, energy and resources spent on repairing brand reputation, recovering from financial loss and rebuilding internal and external company trust. Working with a trusted third-party IT partner can help proactively mitigate these losses by performing the most up-to-date and comprehensive penetration testing and security assessments. This is key to staying a step ahead of cybercriminals.

According to the survey, nearly two-thirds (63 percent) of organizations have an external IT security services partner, a 21 percent increase compared to 2022. External help provides tremendous value by allowing organizations to focus on the business itself, while the experts focus on protecting it.

About this study

These are the findings of a survey conducted by CDW Canada from March 14-17, 2023 among a sample of n=500 IT professionals at companies and organizations in Canada with at least 20 employees. For comparison purposes only, a sample of this size would yield a margin of error of +/- 4.4 percentage points at a 95% confidence level. The survey was offered in both English and French.