“No one would want to steal my information.” People often say this to us, but they’re wrong. Every organisation has something worth stealing, whether it’s personal information, payment card data, medical records or intellectual property. Cyber criminals know this and usually cast a broad net with their attacks, looking to exploit any weakness.
Small and medium-sized enterprises (SMEs) are especially vulnerable to cyber attacks. This is partly because many SMEs don’t consider themselves targets and so don’t do enough to protect themselves, but even those that are aware of the risks often don’t have sufficient resources to defend themselves.
That’s where penetration testing comes in. It’s essentially a controlled, authorised form of hacking: a professional tester, working on behalf of the organisation and within an agreed scope, uses the same techniques a criminal hacker would to search for vulnerabilities in the company’s networks or applications, and then reports what was found and how it was exploited.
Penetration testing is an invaluable tool for most organisations. Here are four reasons why.
1. It’s an essential component of cyber security
Cyber criminals, your competitors, state-sponsored attackers, your own staff, online vandals and hacktivists are all potential threats. Penetration tests replicate the techniques these attackers use. For many companies it will be the first time they’ve considered some of them at all.
As ISO 27001, the international standard that describes best practice for an information security management system (ISMS), states in its control on the management of technical vulnerabilities (A.12.6.1 in the 2013 edition): “Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation’s exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk.”
2. Tests are conducted to meet the demands of your organisation
As the mystery of penetration testing fades and companies better understand how it works and why it matters, customers will get better at identifying quality testers. These are the ones who tailor their tests to the maturity and expectations of the organisation, and who design each test to replicate the threats that organisation is actually likely to face.
As Ian Kilpatrick, group information security officer at Collinson Group, said, our level 1 penetration tests offer “something […] that is actually useful to companies [and] helps mitigate your real risks; the type of risks that real companies have and that do not have infinite budgets.
“We see people offering pen tests at vastly different prices – both cheaper than IT Governance and more expensive. IT Governance combines the delivery of real insights with cost-effective service rather than just repackaging the results of using a vulnerability scanner.”
3. It helps you prioritise risks
Kilpatrick touched on the danger of relying on scanner data. A vulnerability scanner is great for listing what may be wrong across your network, but it reports potential weaknesses (false positives included) with no sense of which ones can actually be exploited in your environment. Without that prioritisation, how does your team know which of these vulnerabilities to patch first?
A detailed penetration test report fills that gap: the tester has tried to exploit the weaknesses, so the report can show which vulnerabilities are genuinely the most dangerous, including ones that are only serious when chained together, and you can address them in that order.
4. It saves you money
Because so few organisations have thorough cyber security measures in place, a penetration test is often one of the first significant steps they take towards becoming secure. Conducting a test might seem undesirable or unnecessary (“No one would target me!”), and many people mistakenly view it as an expensive way to learn how to spend even more money on cyber security.
However, the investment in regular penetration tests is a much better prospect than the alternative. A joint report by Kaspersky Lab and B2B International found that data breaches cost SMEs €73,000 on average.
The cost of penetration testing is comparatively small, and by taking a proactive approach to cyber security you can carry out remediation as part of your day-to-day operations rather than as an emergency after a breach.
A level 1 penetration test is sufficient for organisations that want to identify exploitable weaknesses, such as those in the OWASP Top 10. These tests replicate the kinds of low-budget attack that an opportunistic criminal hacker would attempt, and are ideal for SMEs or for organisations with no prior security testing experience.