Tesco Plc recently disclosed in its 2022 Annual Report that it had conducted a cyber stress test to simulate the potential affect that a damaging cyber incident would have on its business and specifically, on the financial impact of having its customer data compromised.

An article written by Verdict concludes that the fact that Tesco has so publicly disclosed the results of their cybersecurity stress tests, will coerce the CEOs of other public companies to do the same.

What are cyber stress tests?

Cyber stress tests  are different and in addition to other standard offensive security tests, like penetration tests or Red Team tests.  In this instance, cyber threat scenarios are simulated in live production environments to test the effectiveness of cyber defences – specifically, the ability of security controls to block and protect the business from malware and cyber threat scenarios, like Ransomware; but also the incident response team’s ability to detect threats.

Research shows that cyber defenders are often flying blind

A recent study by CardinalOps indicated that up to 80% of MITRE ATT&CK techniques went undetected by some of the most widely deployed security event logging or SIEM solutions, leaving security teams effectively blind in the face of a growing cyber threat from Russia and other threat actors.

This is largely because tuning and configuring SIEM platforms is highly specialised and complex and many information security teams, but also outsourced Managed Security Service Providers (MSSPs) lack the skills and resources to stay on top of the constant tuning and configuration that his required to stay on top of the latest threats.

Cyber stress tests using breach & attack simulations

This is precisely why we built the Validato platform.

Validato simulates offensive threat scenarios, like Ransomware or other MITRE ATT&CK techniques, to constantly and safely test the effectiveness of security controls in live production environments and to allow Security Operations and Incident Response teams to be able to stress test their ability to detect threats without causing business disruption.

What’s more, Validato will provide IT and security teams with clear an unbiased data with ready-to-deploy configuration settings data so that changes to security controls and SIEM solutions can be made effortlessly and immediately.

At Validato, we therefore wholeheartedly embrace the concept of cyber stress tests, but not once a year.  These should be conducted on a much more frequent basis, allowing attack simulations to be tested before and after tuning and configurations have been made to make sure that if the threat were to occur for real, the business will have some confidence that their cyber defences would be able to stand up to them.

If you are interested in testing Validato for free in your environment, we offer a ‘Free for three’ (week) no commitment trial.   You can request access to this here.