People often say to us, “No one would want to steal my information,” and then we have to explain why they’re wrong. Every organisation has something worth stealing, whether it’s personal information, payment card data, medical records or intellectual property. Cyber criminals know this and usually cast a broad net with their attacks, looking to exploit any weakness.
Small and medium-sized enterprises (SMEs) are especially vulnerable to cyber attacks. According to the Cyber Security Breaches Survey 2017, 46% of all small businesses in the UK identified at least one cyber security breach or attack in the previous 12 months. This is partly because many SMEs don’t consider themselves targets and so don’t do enough to protect themselves, but even those that are aware of the risks often don’t have sufficient resources to defend themselves.
That’s where penetration testing comes in. It’s essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Penetration testing is an invaluable tool for most organisations. Here are four reasons why.
1. It’s an essential component of cyber security
Cyber criminals, your competitors, state-sponsored attackers, your own staff, online vandals and hacktivists are all potential threats. Penetration tests replicate all these threats, and for many companies it will be the first time they’ve considered some of them.
ISO 27001 can help you evaluate and mitigate those risks. It is the international standard that describes best practice for an information security management system (ISMS), and states: “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
2. Tests are conducted to meet the demands of your organisation
As the mystery of penetration testing fades and companies better understand how tests work and why they’re important, customers will get better at identifying quality testers. These are the ones that tailor their tests to the maturity and expectations of the organisation they’re testing, and conduct tests that replicate the threats the organisation is likely to face.
As Ian Kilpatrick, Group Information Security Officer at Collinson Group, said, IT Governance’s tests offer “something […] that is actually useful to companies [and] helps mitigate your real risks; the type of risks that real companies have and that do not have infinite budgets.
“We see people offering pen tests at vastly different prices – both cheaper than IT Governance and more expensive. IT Governance combines the delivery of real insights with cost-effective service rather than just repackaging the results of using a vulnerability scanner.”
3. It helps you prioritise risks
Kilpatrick touched on the danger of relying on scanner data. It’s great for telling you what vulnerabilities lie in your network, but without any prioritisation, how does your team know which of these vulnerabilities to patch first?
With detailed penetration test reports, you can see which vulnerabilities are the most dangerous and address them first.
4. It saves you money
Because so few organisations have thorough cyber security measures in place, a penetration test will be one of the first significant steps they take towards becoming secure. Performing a test might seem undesirable or unnecessary (“No one would target me!”) to people who view it as an expensive way to learn how to spend more money on cyber security. However, the investment in regular penetration tests is a much better prospect than the alternative. A joint report by Kaspersky Lab and B2B International found that data breaches cost SMEs £65,000 on average.
The cost of penetration testing is comparatively small, and by taking a proactive approach to cyber security, you can conduct remediation activities as part of your day-to-day operation.
A level 1 penetration test provides adequate protection for organisations that want to identify exploitable weaknesses, such as those in the OWASP Top Ten. These tests replicate the kinds of low-budget attacks that an opportunistic hacker would attempt, and are ideal for SMEs or those with no prior experience of security testing.