When to Pen test

When do you need a penetration test?

May 24th, 2021 Posted in Penetration Testing

The news cycle is constantly awash with data breaches. From exercise bike providers to oil pipelines, it seems that businesses of all sizes, in all sectors, are at risk. While data breaches vary in their cause and severity, many have one thing in common: they could have been avoided with rigorous penetration testing and follow-up remediation.

Penetration testing is a point-in-time assessment of your organisation’s security posture. There are different types of penetration tests, aimed at uncovering vulnerabilities in different parts of IT infrastructure, systems and applications. These include internal and external network assessments, web application testing and mobile application testing.

For a deep dive into what penetration testing is, read our guide here.

Penetration testing is an invaluable tool in the fight against cyber criminals, but the benefits go further. Regular testing provides ongoing assurance to your security and IT teams, and to your senior management, that security risks are being managed. It also provides assurance to third parties in your supply chain.

In our increasingly connected world, businesses set up new suppliers quickly and share data with them, which they often share with their suppliers and beyond. This means you quickly build an extended digital supply chain (you can read our extensive guide to securing your business supply chain here). Each one of these third parties presents an attacker with a way into your systems or data. As such, you should not only penetration test your own organisation, but should also ensure your suppliers are systematically testing their own systems.

Moreover, industry standards like Cyber Essentials and the IT Health Check Scheme also require penetration tests for compliance and accreditation respectively. The GDPR doesn’t specifically mandate them, but it does state that organisations need: “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” In plain English, this means activities including vulnerability scanning and penetration testing.

While most companies understand the value of penetration testing, timing is critical. If performed too frequently, penetration tests can be costly and the results may overwhelm a small IT team. On the other hand, if not done often enough, your business could be left exposed to a cyber attack. Two of our senior security experts recently wrote an article in Media Insider explaining the benefits of pen testing and what to look for in a good pen testing partner.

So, when do you need a penetration test?

When to get a penetration test

In the same way that every organisation is unique, so too are their penetration testing requirements. However, there are a few overarching principles for guiding when a test is needed.

  1. An annual health check-up

At a minimum, penetration tests should be conducted on an annual basis. They effectively act as a technical audit of your IT systems and applications, helping you to ensure that relevant security patches have been applied, any new software has been integrated safely, systems are configured properly, your operating systems aren’t vulnerable to attack and your employees are following security protocols.

In cases where your IT team consists of only one or a few personnel, we advocate staggering the phases of an annual penetration test, to ensure that all vulnerabilities can be dealt with, without overloading your team members.

  2. The deployment of new software and services

Every time your organisation introduces a new application, website or service, it should be checked with a penetration test. This is pivotal to secure development and ensuring that your security posture has not been negatively impacted by the introduction of new vulnerabilities.

This is especially critical if you are exposing your application or service to the internet. In this case, you are opening up the application to the world and it will constantly be pinged, scanned and attacked by all kinds of malicious third parties. If your application contains personal data or sensitive information, then the potential impact of a breach is high, and testing is an absolute must.

  3. Any other changes to the workplace environment

The COVID-19 pandemic is a prime example of how changes to the workplace environment make organisations more vulnerable to cyber attacks. Interpol saw a huge increase in attacks over the last year, as cyber criminals attempted to take advantage of the shift to remote and hybrid work.

Changes like these – be it in the physical or digital realm – require rigorous penetration testing to prevent malicious intrusions. As some offices begin to open later this year, physical testing – which simulates a malicious actor trying to compromise a business’s premises – will be extremely important.

  4. If you’re a newbie

If you’ve never conducted a penetration test before, then the time to act is now. Often, small businesses that aren’t highly reliant on technology may think they are at low risk of a data breach. But, with the proliferation of data, every company can be considered a tech company – even if they’re a shop on the high street. Because of the reputational and financial risks of a successful breach, penetration testing is urgent for any and all organisations that are yet to conduct one.

As the digital and physical business worlds continue to merge, penetration testing is an excellent way for businesses to reduce the risks of a data breach, ensure compliance and assure their supplier network that they are being proactive about safeguarding sensitive information. By knowing when to conduct penetration tests, and working with a trusted, accredited tester, your company will improve internal security confidence – and that of your customers and partners.

Need help?

If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat.

Written by Thomas O'Donnell

Thomas is one of our penetration testers, specialising in IT infrastructure and web application testing. He started his career as a creative media and software developer before moving into security consulting, centred around Cyber Essentials certification services. His qualifications include CREST Practitioner Security Analyst (CPSA) and he is working towards gaining his CREST Registered Tester (CRT) qualification.