People often say to us, “No one would want to steal my information,” and then we have to explain why they’re wrong.
Every organisation has something worth stealing, whether it’s personal information, payment card data, medical records or intellectual property. Cyber criminals know this and usually cast a broad net with their attacks, looking to exploit any weakness.
SMEs are especially vulnerable to cyber attacks, in part because many don’t consider themselves targets and so don’t do enough to protect themselves. But even those that are aware of the risks often don’t have sufficient resources to defend themselves.
That’s where penetration testing comes in. It’s essentially a controlled form of hacking in which a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.
Penetration testing is an invaluable tool for most organisations. Here are four reasons why.
1. It’s an essential component of cyber security
Cyber criminals, your competitors, state-sponsored attackers, your own staff, online vandals and hacktivists are all potential threats.
Penetration tests replicate these attacks. For many companies, a test will be the first time they have considered some of these threats at all.
As ISO 27001, the international standard that describes best practice for an information security management system, states:
“Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
2. Tests are conducted to meet the demands of your organisation
As the mystery of penetration testing fades and companies better understand how it works and why it’s important, customers will get better at identifying quality testers.
These are the ones who tailor their tests to meet the maturity and expectations of the organisation, and conduct tests to replicate the threats that the organisation is likely to face.
As Ian Kilpatrick, group information security officer at Collinson Group, said, our level 1 penetration tests offer “something […] that is actually useful to companies [and] helps mitigate your real risks; the type of risks that real companies have and that do not have infinite budgets.
“We see people offering pen tests at vastly different prices – both cheaper than IT Governance and more expensive. IT Governance combines the delivery of real insights with cost-effective service rather than just repackaging the results of using a vulnerability scanner.”
3. It helps you prioritise risks
Kilpatrick’s comments touch on the danger of relying on scanner data. It’s great for telling you what vulnerabilities lie in your network, but without any prioritisation, how does your team know which of these vulnerabilities to patch first?
With detailed penetration test reports, you can see which vulnerabilities are the most dangerous and address them accordingly.
4. Penetration testing saves you money
Because so few organisations have thorough cyber security measures in place, a penetration test will be one of the first significant steps they take towards becoming secure.
Conducting a test might seem undesirable or unnecessary (“No one would target me!”), with many people mistakenly viewing it as an expensive way to learn how to spend more money on cyber security.
However, the investment in regular penetration tests is a much better prospect than the alternative. Ponemon Institute’s 2019 Cost of a Data Breach Report found that organisations spend €3.47 million on average responding to and recovering from cyber attacks.
By comparison, the cost of penetration testing is a drop in the ocean – and by taking a proactive approach to cyber security, you can conduct remediation activities as part of your day-to-day operations.
Get started with penetration testing
We also offer penetration testing services to assess your organisation’s susceptibility to phishing scams and your compliance with the PCI DSS (Payment Card Industry Data Security Standard).
We’re currently offering 15% off penetration tests throughout July, so there has never been a better time to invest in securing your organisation.
A version of this blog was originally published on 19 February 2018.