The news cycle is constantly awash with data breaches. From exercise bike providers to oil pipelines, it seems that businesses of all sizes, in all sectors, are at risk. While data breaches vary in their cause and severity, many have one thing in common: they could have been avoided with rigorous penetration testing and follow-up remediation.
Penetration testing is a point-in-time assessment of your organisation’s security posture. There are different types of penetration tests, aimed at uncovering vulnerabilities in different parts of your IT infrastructure, systems and applications. These include internal and external network assessments, web application testing and mobile application testing.
For a deep dive into what penetration testing is, read our guide here.
Penetration testing is an invaluable tool in the fight against cyber criminals, but the benefits go further. Regular testing provides ongoing assurance to your security and IT teams, and to your senior management, that security risks are being managed. It also provides assurance to third parties in your supply chain.
In our increasingly connected world, businesses set up new suppliers quickly and share data with them, which they often share with their suppliers and beyond. This means you quickly build an extended digital supply chain. Each one of these third parties presents an attacker with a way into your systems or data. As such, you should not only penetration test your own organisation, but should also ensure your suppliers are systematically testing their own systems.
Moreover, industry standards like Cyber Essentials and the IT Health Check Scheme also require penetration tests for compliance and accreditation respectively. The GDPR doesn’t specifically mandate them, but it does state that organisations need: “a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.” In plain English, this means activities including vulnerability scanning and penetration testing.
While most companies understand the value of penetration testing, timing is critical. If performed too frequently, penetration tests can be costly and the results may overwhelm a small IT team. On the other hand, if not done often enough, your business could be left exposed to a cyber attack.
So, when do you need a penetration test?
When to get a penetration test
In the same way that every organisation is unique, so too are its penetration testing requirements. However, there are a few overarching principles for guiding when a test is needed.
An annual health check-up
At a minimum, penetration tests should be conducted on an annual basis. They effectively act as a technical audit of your IT systems and applications, helping you to ensure that relevant security patches have been applied, any new software has been integrated safely, systems are configured properly, your operating systems aren’t vulnerable to attack and your employees are following security protocols.
In cases where your IT team consists of only one or a few personnel, we advocate staggering the phases of an annual penetration test so that all vulnerabilities can be dealt with without overloading your team members.
The deployment of new software and services
Every time your organisation introduces a new application, website or service, it should be checked with a penetration test. This is pivotal to secure development and to ensuring that your security posture has not been negatively impacted by the introduction of new vulnerabilities.
This is especially critical if you are exposing your application or service to the internet. In this case, you are opening up the application to the world and it will constantly be pinged, scanned and attacked by all kinds of malicious third parties. If your application contains personal data or sensitive information, then the potential impact of a breach is high, and testing is an absolute must.
Any other changes to the workplace environment
The COVID-19 pandemic is a prime example of how changes to the workplace environment make organisations more vulnerable to cyber attacks. Interpol saw a huge increase in attacks over the last year, as cyber criminals attempted to take advantage of the shift to remote and hybrid work.
Changes like these – be it in the physical or digital realm – require rigorous penetration testing to prevent malicious intrusions. As some offices begin to reopen later this year, physical testing – which simulates a malicious actor trying to compromise a business’s premises – will be extremely important.
If you’re a newbie
If you’ve never conducted a penetration test before, then the time to act is now. Often, small businesses that aren’t highly reliant on technology may think they are at low risk of a data breach. But, with the proliferation of data, every company can be considered a tech company – even if it’s a shop on the high street. Because of the reputational and financial risks of a successful breach, penetration testing is urgent for any and all organisations that are yet to conduct one.
As the digital and physical business worlds continue to merge, penetration testing is an excellent way for businesses to reduce the risk of a data breach, ensure compliance and assure their supplier network that they are being proactive about safeguarding sensitive information. By knowing when to conduct penetration tests, and by working with a trusted, accredited tester, your company will improve internal security confidence – and that of your customers and partners.
If your organisation needs help running a penetration test on an application or infrastructure, we’re here to help. We can assess your environment and run a full penetration test. We can also advise you on any follow-up actions, remediations and vulnerability management from our findings. Contact us for a friendly chat.