More and more business owners are starting to realise the importance of penetration testing in cyber risk management. But there are still many that don’t. With cybercriminals increasingly sophisticated, it has become essential for organisations to adopt a proactive approach to security by regularly assessing networks, systems and applications for hidden threats and vulnerabilities.
According to 2018 Computing Security Award winner Redscan, regular pen testing helps improve your cyber security by:
- Fixing vulnerabilities before they are exploited by cybercriminals
- Providing independent assurance of security controls
- Improving awareness and understanding of cyber security risks
- Supporting PCI DSS, ISO 27001 and GDPR compliance
- Demonstrating a continuous commitment to security
- Supplying the insight needed to prioritise future investments
Here we take a look at five scenarios where it is highly beneficial to have penetration testing carried out.
When there have been significant changes to IT infrastructure
As businesses grow and evolve, their IT requirements change. New infrastructure has to be implemented and deployed regularly for organisations to remain competitive. At such times, cyber security is not always a priority. It is, however, the period when newly deployed networks and systems are most vulnerable to attack.
It is recommended that pen testing be carried out following changes to infrastructure, to establish whether the deployments have introduced any unexpected security risks. For example, companies switching to cloud services often misconfigure their environments in ways that expose sensitive data.
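The cloud misconfiguration mentioned above is usually a matter of one over-broad permission. As an added illustration (not code from the article or from Redscan), the script below reviews two constructed AWS S3 bucket policies: one that grants read access to every caller, which is how customer exports end up on the public internet, and one that restricts access to a single IAM role. The bucket names, account ID and role name are invented for the example.

```python
import json

# Constructed bucket policies for illustration (not from the article).
# PUBLIC_POLICY grants s3:GetObject on every object to any principal,
# the classic "public bucket" mistake; RESTRICTED_POLICY limits access
# to one IAM role in the account.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-customer-exports/*",
    }],
})

RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-customer-exports",
            "arn:aws:s3:::example-customer-exports/*",
        ],
    }],
})


def _is_anonymous(principal):
    """True if the Principal element matches every caller.

    AWS accepts "*" or {"AWS": "*"} (the AWS value may also be a list)
    to mean "anyone, including unauthenticated requests".
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_statements(policy_json):
    """Return the Sids of Allow statements that any caller can use.

    Statements carrying a Condition block are skipped here, because a
    condition such as aws:SourceVpce may narrow the audience; in a real
    review those statements should be read by hand, not trusted blindly.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):   # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if "Condition" in stmt:
            continue
        if _is_anonymous(stmt.get("Principal")):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    print("public:", public_statements(PUBLIC_POLICY))          # ['PublicRead']
    print("restricted:", public_statements(RESTRICTED_POLICY))  # []
```

The check deliberately treats `{"AWS": "*"}` the same as a bare `"*"`, because both grant anonymous access; a reviewer who only greps for the bare form will miss the first.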
When launching new products and services
New software and hardware products should always receive a robust security assessment to identify vulnerabilities before release. In the rush to get to market first, however, manufacturers can be tempted to compromise on cyber security as part of the release process.
Not everything is picked up by conventional QA testing, which is where specialist pen testing is so useful. Pen tests can uncover a wide range of unseen vulnerabilities: in web applications, for example, injection flaws (such as SQL injection) and session management errors. There may also be issues with data encryption and user authentication which, without thorough testing, would go unnoticed.
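To make the SQL injection point concrete, here is an added example (not code from the article or from Redscan) of the kind of flaw that passes functional QA and fails a pen test. The user table, the two lookup functions and the tautology payload are all constructed for the example; the database is an in-memory SQLite instance so the script runs offline.

```python
import sqlite3


def make_db():
    """Seed an in-memory database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The flaw QA tends to miss: the username is pasted into the SQL
    text, so a crafted value rewrites the query. Functional tests with
    normal usernames pass, which is why it ships."""
    query = "SELECT username FROM users WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    """Parameterised form: the driver passes the value separately from
    the statement, so the same payload is just an unmatched string."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def injection_detected(lookup, conn):
    """A tester's differential check: if an always-true tautology returns
    more rows than a benign non-existent username does, the input is
    reaching the query text unescaped."""
    baseline = lookup(conn, "no-such-user")
    tautology = lookup(conn, "no-such-user' OR '1'='1")
    return len(tautology) > len(baseline)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print(find_user_vulnerable(conn, "alice"))    # ['alice']
    print(find_user_vulnerable(conn, payload))    # ['alice', 'bob']  (every row)
    print(find_user_safe(conn, payload))          # []
    print(injection_detected(find_user_vulnerable, conn))  # True
    print(injection_detected(find_user_safe, conn))        # False
```

The differential check is the interesting part for a product team: it needs no knowledge of the schema, only a benign input and a tautology, which is exactly how a tester probes a login or search form they have never seen before.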
When undergoing a business acquisition or merger
Cyber security is a major factor in the mergers and acquisitions process, but it is sometimes forgotten by organisations or not given sufficient attention. Yahoo's acquisition by Verizon was seriously affected by cyber security issues: the purchase price, initially agreed at $4.83 billion, was reduced to $4.48 billion as a result of two cyber security incidents disclosed after the deal was agreed, a reduction in value of $350 million.
There are other reasons businesses undertaking a merger or acquisition need to consider cyber security. One of the merging businesses, for example, may have existing security issues that need to be addressed, or integrating the systems of the two businesses may create new risks. Staff access may need to be reviewed, and training may be required to ensure that everyone has a good understanding of common cyber security issues.
When developing custom applications
Businesses rely on custom software and applications to address a wide range of challenges, but if these are not regularly tested for vulnerabilities they can represent a large security risk. Custom applications can include industrial control systems designed to perform critical, highly specific tasks.
Any business that develops and/or uses custom applications should conduct penetration testing to identify and address security exposures it does not yet know about. Testing should be a priority throughout the development of the application, not only at release.
When preparing for compliance
Data security has never been more important, and it is now taken very seriously by regulatory bodies. Businesses need to comply with a wide range of regulations, such as PCI DSS and the GDPR. GDPR compliance, for example, requires that appropriate technical and organisational measures are in place to ensure the security of personal data relating to customers, employees and partners.
Regular penetration testing forms an important part of the controls organisations need to keep their IT systems and data secure.