May 11, 2019
One successful cyber attack could see you lose business, assets and customer trust in one fell swoop. With so much at stake, it’s no wonder cyber security is a top priority for all modern businesses.
Unfortunately, maintaining security levels in an ever-changing threat landscape is an ongoing challenge. Hackers are constantly finding new and innovative ways to access systems and compromise data.
That’s why regular Penetration Tests are essential.
The insights gleaned from these cyber assessments enable you to shore up your security strategy and plug any holes in your system.
What is Penetration Testing?
For once, we have technical jargon that needs little explanation. A Penetration Test (or pen test) is just that – a test to see whether your system can be penetrated by attackers. In this case, ethical hackers (white hats) try to breach your security by any means necessary.
This could include in-person attempts – for instance, following someone through a secure door (tailgating) – and social engineering as well as remote network attacks.
Penetration testing is different to (but may include) a vulnerability scan, which is another way of testing a system for weaknesses. Vulnerability scans are usually carried out by software, whereas pen testing is orchestrated by a person or team of people. This is what makes pen-testing more expensive than a vulnerability scan, but also more comprehensive.
Why and when is a Penetration Test needed?
Penetration testing is one of the best ways to discover how well your cyber security strategy is working. As such, it is an essential element of an initial assessment – for example, if you are applying for Cyber Essentials certification.
But you can also think of it as a way to check up on your security on a regular basis. You can read more about the process in our new eBook, The Ultimate Handbook to Penetration Testing.
For now, let’s talk more about when and why you might use pen-testing in your organisation.
To prove your existing security
If you’re wondering how good your existing security setup is, a penetration test is the best way to find out. Perhaps you’ve heard news of a new virus doing the rounds, or one of your competitors has been grounded by a breach. Now is the time to check how easily the same could happen to you.
White hat hackers have all the same skills – often more – than the evil variety. Having them carry out a real-world test of your network and your wider security practices lets you know where your weaknesses are and what you need to improve upon.
Test your infrastructure
If you have added new technologies, products or services to your existing infrastructure, or perhaps your organisation has expanded, you need to be able to see how those changes have affected your security. A pen test will help you see holes that need plugging or misaligned security protocols that leave you exposed.
Risk assessment
Any cyber security program should be subject to continuous assessment, but that’s especially the case if you are responsible for sensitive data. A pen test will show whether you are protecting the confidentiality, integrity and availability of data – as you should be if you are following the recommended CIA framework.
Compliance and regulatory requirements
For those organisations that need to prove compliance with regulations such as PCI DSS or ISO 27001, penetration testing is a standard requirement.
Build a road-map of improvements
Most penetration tests will identify vulnerabilities that need to be addressed. Once the test report has been returned, your organisation knows where it needs to improve. There may be some things you can fix right away, while others may take more time – but with the information in hand you can begin to build a plan for where your security needs to be to reduce your levels of risk.
New business acquisition
Acquiring a new business also means acquiring a new IT network and assuming new risk. Any problems with that business’ security just became your responsibility. A pen test will quickly identify any critical problems that require attention. Further security assessments are also advised before you consider merging systems or transferring data.
Justify a cyber security budget increase
If you know of flaws in your system that require remediation but you’re struggling to convince the Powers That Be of the need for more budget, a pen-test will give you black and white evidence to support your request. It will also help focus spending on the most important issues while opening the door to discussion on less time-critical matters.
How often should you pen test?
The million-dollar question. As we’ve said, pen-testing is not a one-time task. Nor is it a one-size-fits-all process. Some organisations are exposed to greater risks, whether due to the nature of their work or the scale of their online presence. These businesses would likely pentest on a regular basis, perhaps annually or maybe more regularly if they are going through infrastructure changes. Meanwhile, companies with a small online presence may represent a less attractive target for hackers and so might decide to pentest less frequently.
Business size, industry, budget and regulatory requirements all play a role in how often an organisation decides to conduct a penetration test. The important thing is that you consider it an essential part of your vulnerability management – because how can you manage what you don’t fully understand?
Ethical hacking via a pentest gives you the opportunity to gain a more complete insight into how an attacker might approach your organisation, where your weaknesses are and what you need to do to improve your security.
Taking the next step
Penetration testing is a great way to identify the risks and vulnerabilities within your organisation and objectively assess the current state of your cyber security controls.
Simulating the behaviour of a real cyber criminal, a penetration test will uncover the critical security issues of your systems, how these vulnerabilities were exploited – as well as steps required to fix them (before they are exploited for real).
Further reading
- Questions to ask your pen test provider
- On-demand webinar: How to develop security vulnerability management programmes
- Pen-tester tales: Password are a security weak spot
- The difference between a Vulnerability Scan and a Penetration test
- A buyers guide to penetration testing services
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.