Keith Poyser, Vice President for EMEA at Horizon3.ai, is calling attention to the critical need for penetration testing within businesses to assess their resilience against cyber threats. He asserts, “Understanding the true strength of your IT network against cyberattacks is only possible through rigorous testing. Penetration testing is vital for revealing whether hackers can exploit vulnerabilities and whether an organisation’s defences are genuinely effective.”
Poyser references the latest Cyber Security Breaches Survey from the Government, which indicates that half of all businesses have experienced a cyber breach or attack in the past year. This statistic rises significantly for medium-sized companies (70%) and large enterprises (74%). Although over 70% of organisations have implemented essential security measures—including anti-malware software, endpoint detection and response (EDR), data loss prevention (DLP), password policies, backups, and firewalls—Poyser warns that many underestimate how easily cybercriminals can circumvent these protections. They often exploit weaknesses through social engineering tactics, unpatched software, configuration errors, inadequate credential security, and insider threats.
He adds, “Many organisations depend on a plethora of cybersecurity tools, mistakenly believing that this guarantees comprehensive protection against both external and internal threats. This approach is akin to flying blind, trusting that every system will function seamlessly without routine testing. Moreover, human-led assessments typically provide a limited view, addressing only a small portion of the infrastructure. Although these assessments may be effective under controlled conditions, it is naive to think that a purely defensive strategy can withstand the evolving challenges of modern cyber threats.” Poyser urges organisations to adopt a proactive, automated penetration testing approach, enabling them to enhance their cybersecurity posture, maximise their return on existing investments, and reassure stakeholders about their security status, thus fulfilling compliance and regulatory obligations.
Recognising the Human Element in Cybersecurity
The Government’s Cyber Security Breaches Survey also reveals that a staggering 95% of successful cyberattacks can be attributed to human error—such as clicking on phishing links or using weak passwords. While addressing technical vulnerabilities is essential, ignoring the human aspect can leave organisations dangerously exposed. Poyser elaborates, “Cybercriminals often gather publicly available information about companies and their employees, even former staff, to identify potential security weaknesses.”
He also points out that “configuration errors arising from a lack of awareness or oversight” in defence systems are common pitfalls. With multiple security applications operating at the same time, organisations often struggle to keep track of their configurations. The burden of ongoing software updates can overwhelm IT teams, not only in terms of technical know-how but also due to workload pressures. Each update requires a comprehensive re-evaluation of the entire configuration, as interactions among various systems can introduce new vulnerabilities even with minor changes.
To mitigate these challenges, Poyser suggests that organisations consider autonomous penetration testing platforms, which can offer a safer and more cost-effective solution compared to traditional expert teams. Although having skilled professionals is vital, it is imperative to enhance automation in penetration testing to effectively address the fast-changing threat environment.
The Importance of Comprehensive Testing
This perspective aligns with Poyser’s initiatives at Horizon3.ai, which offers NodeZero, a cloud-based penetration testing platform. This innovative solution enables businesses to conduct simulated cyberattacks on their internal, external, cloud, and hybrid infrastructures, allowing for a thorough evaluation of their cybersecurity resilience.
The frequency and comprehensiveness of penetration testing are fundamental to a solid cybersecurity strategy. Poyser emphasises, “It’s vital to examine not only the external boundaries of IT networks but also the internal security frameworks. With remote work, the Internet of Things (IoT), and mobile access becoming commonplace, an increasing number of devices are connecting to corporate networks from various locations, expanding the potential attack surface. Modern security strategies must operate under the assumption that attackers will breach initial defences and gain access to internal network segments to launch further attacks.”
Even traditionally secure areas, such as the ‘demilitarised zone’ (DMZ), are no longer guaranteed safe. Poyser explains, “Contemporary penetration tests should encompass the entire organisational network, including internal, external, and cloud vulnerabilities. It’s not only about identifying existing weaknesses but also evaluating their potential consequences. For instance, if a breach in the DMZ compromises the entire network, a thorough penetration test will highlight this risk, enabling targeted remediation. Ongoing automated assessments facilitate the continuous identification, resolution, and validation of vulnerabilities.”
Rethinking Cybersecurity: A Holistic Approach
While achieving complete security is unrealistic, the rapid pace of cyberattacks driven by machine learning and automation indicates that traditional methods alone will not suffice. Simply enhancing defence mechanisms is inadequate; organisations must engage in routine evaluations of their security through ongoing automated penetration tests. By continuously assessing and refining their defences, businesses can remain ahead of potential threats and ensure their systems remain secure, ultimately reducing risks and costs.
Keith Poyser encourages organisations to “regularly conduct penetration tests to reinforce and monitor their cyber resilience.” He concludes, “I strongly recommend that every board member, managing director, and IT manager across all sectors subject their organisations to this vital evaluation, particularly given the current threat landscape.”