Businesses across the UK have criticised the security testing industry for being too expensive, with a new report highlighting that firms are spending more than £6.6 billion each year on protecting their critical assets from cyber attacks.
Research from AVORD – the security testing platform – ‘puts the spotlight firmly on the security testing market, which is dominated by consultancies that provide services to businesses, sometimes at twice the daily rate of an independent tester,’ according to the announcement.
And with 77% of UK businesses claiming the cost of testing is too expensive, there is a clear demand for change.
The need to use external consultants is driven by the fact that only one in five (21%) UK businesses have sufficient in-house employee skills and knowledge to carry out security testing, most of them major organisations with more than 750 employees, according to the research.
When focusing on SMEs, the figure falls to just 1%, with businesses almost exclusively (95%) outsourcing the testing of security controls for their critical assets.
The challenges of security testing
Three in four businesses are currently initiating security testing to comply with organisational operating practices and standards, such as ISO27001, ITIL, ISF’s Standard of Good Practice for Information Security and public sector guidelines. However, most firms taking part in the study said that determining the risks associated with a sensitive data breach (72%) and cost (72%) were major challenges when it comes to conducting tests.
The complexities and lack of security testing knowledge were also cited as key issues, with seven in 10 revealing ‘identifying when in the development process to test’ and ‘what kind of testing was required’ as further challenges. As a result, more than three quarters of businesses (82%) are now outsourcing security testing on their critical assets at considerable expense.
A surge in cybercrime
Worryingly, 33% of UK businesses have battled an online security breach in the past 12 months, with breaches directly hitting their bottom lines, losing them customers and damaging their brand reputations, the research says. Of those hit by a cyber attack, 95% reported that the breach occurred partly or totally as a result of issues with the security testing process.
Over the past five years the majority of companies have seen a major increase in the number of data breaches: a quarter reported an increase of between 10% and 20%, one in 10 reported an increase of between 30% and 40%, while more than half reported up to 10% more data breaches.
A new era in security testing?
AVORD, a new security platform launched this month, promises to slash the price of security testing and make it simpler and more accessible — how?
It's a free online platform that will bring thousands of highly qualified security testers together with businesses. The brainchild of two career security professionals, who have seen the market monopolised by major consultancies, it aims to help reduce security testing costs by 30-40%.
The security testing platform ‘cuts out the expensive middle men, ensuring that businesses of all sizes can protect their businesses against future threats,’ according to the announcement.
It’s free to use and provides automated scheduling and tracking of security tests, while delivering an instant view of all tests across an estate through a fully interactive risk and reporting dashboard.
The new platform will also allow security testers to sign up for free, enabling them to stay independent and charge their normal day rates. They will have a place where they can receive contract offers from clients around the world who have specific requirements that match their skillset.
Brian Harrison, founder and CEO of AVORD, commented:
Quite simply, security testing has become too expensive for many UK businesses. Companies are struggling to cope with the ever-increasing threats impacting on their attempts to secure systems at current costs. Unless something changes, businesses will be forced to cut corners and this will inevitably mean there are more data breaches and system outages. AVORD has been designed to disrupt the current security testing model by cutting out the costly ‘middle-man’ consultancies and allowing businesses to directly manage and engage security testers. This means that whereas industry currently pays up to £1,100 per day for cyber security testing, that cost will be reduced to approximately £600, collectively saving UK businesses around £3 billion annually.