Penetration Testing Provides Blueprint for Cybersecurity Safeguards
What Data Could You Lose and How Would it Impact Your Business?
As cybersecurity threats continue to grow, most organizations should consider including penetration testing in their regular IT security protocols. Penetration testing goes hand in hand with vulnerability scanning, but they differ in key ways and are most effective when used together to provide a detailed picture of an organization’s cybersecurity risk profile.
Though they should be part of every organization’s cybersecurity management plan, vulnerability scanning and penetration testing are not widely practiced today except in regulated industries where such measures are required.
Vulnerability scans examine your IT network – including hardware and software – and compare what they find against a database of known weaknesses, such as missing patches, outdated software and insecure configurations. A scan confirms only that a weakness appears to be present, not that an attacker could actually use it, and some results will be false positives. The reports often are long and highly technical, so the prospect of shoring up the system can seem overwhelming.
Penetration testing reveals how a cyberattacker could actually get into your system through one or more of those vulnerabilities, often by chaining several findings that look minor on their own. This can help prioritize which vulnerable areas of your system should be addressed first. The penetration test gives you a real-world picture of what a cyberattacker could do, what data they could get hold of and how you would be impacted by that.
Think of it like protecting your house. A vulnerability scan may show that all your doors and windows have weak or missing locks, and your basement bulkhead doesn’t lock at all. A penetration test would simulate an actual break-in, potentially showing that the first-floor windows are the most likely point of entry for a criminal. The results of the penetration test would reveal that installing new window locks on the first floor would be the most effective immediate measure to secure your home and strengthening the security on your doors and basement bulkhead might be next.
What Penetration Testing Shows
Penetration tests can be designed in different ways – for example an external test of your internet-facing systems, an internal test that assumes an attacker is already on the network, or a test of one specific application – and should be constructed to take the unique features of your network into account. If the test is well designed, the report will clearly explain how the tester gained initial access, how they moved from that foothold to other systems, and what data they were able to reach, with evidence for each step. The penetration test report gives context and explanation to the vulnerabilities that have been identified.
With a blueprint that shows how to remediate the risk and prevent an attacker from getting to the servers, most business owners are able to move forward with confidence and a reasonable, actionable budget for ongoing security measures.
Sometimes security measures must be geared to current high-profile threats that have cropped up in the marketplace. But that depends on the type of business, the data that may be vulnerable and the risk appetite of the business owner. If news headlines about a current threat cause anxiety but the threat is unlikely to affect your business, spending money to guard against it may be something you can put off for a while. All IT security upgrades come with a price tag, and priority should be given to the vulnerabilities and threats that are most likely to affect your organization.
Increasingly, businesses are purchasing cybersecurity insurance and are often required to make certain upgrades to their systems as a condition of coverage. So, in addition to the premium you pay for the insurance, you may have costs for the required upgrades. In the event you need to make a claim, you will likely be required to prove you had the safeguards in place. You can’t just check a box.
As cyber threats continue to grow, premiums for cyber insurance are rising. But regular vulnerability scans and penetration testing, as well as a risk mitigation plan, can help keep the premiums in check.
Frequency of Testing
Guidance on vulnerability scanning and penetration testing is published by several organizations, such as the nonprofit Center for Internet Security (CIS) and the Cybersecurity & Infrastructure Security Agency (CISA), an agency within the U.S. Department of Homeland Security. Unless a regulation or contract applies to you (the PCI DSS, for example, requires organizations that handle payment card data to run quarterly external scans and an annual penetration test), this guidance is not required or enforced, and organizations should determine frequency based on several factors:
- Industry – Does your business operate in an industry that collects substantial personal data from customers, such as healthcare or financial services? Or do you have hundreds or thousands of employees whose personal information is contained in human resources files?
- Volume of data – Does your organization process high volumes of data every day, and do you practice good data protection measures such as daily backups?
- Risk – Is your industry a frequent target of cyberattacks?
Generally, a mid-sized company should do vulnerability scanning at least once per quarter and a penetration test every year, plus a scan after any significant change to the network, such as a new internet-facing system or a major upgrade. That’s a starting point that will provide a roadmap to security upgrades that can be done each quarter to continuously improve the system’s safeguards. Each quarterly scan will verify the effectiveness of the improvements made since the last quarter.
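To make the workflow described above concrete – using the penetration test’s attack chain to prioritize the scan findings, then comparing the next quarterly scan against the previous one to confirm the fixes landed – here is a small worked example. It is added to this article and is not code or data from the original page or from any scanner; the scan rows, host names, the attack chain and the field names are all constructed for illustration, and the example assumes a scan export reduced to host, vulnerability identifier, CVSS score and title.

```python
"""Prioritize scan findings by the pentest attack chain, then verify
remediation by diffing two consecutive quarterly scans.

Added example; all hosts, findings and the attack chain are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # CVE or scanner check identifier (constructed sample data)
    cvss: float    # base score as the scanner would report it
    title: str


# Constructed Q1 scan export: what the scanner reported before remediation.
Q1_SCAN = [
    Finding("web-01", "CVE-2021-44228", 10.0, "Log4j JNDI remote code execution"),
    Finding("web-01", "SSL-WEAK-CIPHER", 5.3, "TLS server accepts weak cipher suites"),
    Finding("db-01", "MSSQL-DEFAULT-SA", 9.8, "Database 'sa' account uses default password"),
    Finding("fs-01", "SMB-SIGNING-OFF", 5.3, "SMB signing not required"),
    Finding("hr-01", "CVE-2017-0144", 8.1, "SMBv1 remote code execution"),
]

# Constructed pentest result: the scan findings the tester actually used, in
# order, to get from the internet to the host holding HR records. Note that a
# "medium" finding (SMB signing) sits in the middle of the chain.
PENTEST_CHAIN = [
    ("web-01", "CVE-2021-44228"),   # step 1: initial foothold on the web server
    ("fs-01", "SMB-SIGNING-OFF"),   # step 2: relayed captured credentials to the file server
    ("hr-01", "CVE-2017-0144"),     # step 3: took over the host with HR data
]

# Constructed Q2 scan export: Log4j and SMBv1 were patched, SMB signing was
# not, and a new host appeared with a new finding.
Q2_SCAN = [
    Finding("web-01", "SSL-WEAK-CIPHER", 5.3, "TLS server accepts weak cipher suites"),
    Finding("db-01", "MSSQL-DEFAULT-SA", 9.8, "Database 'sa' account uses default password"),
    Finding("fs-01", "SMB-SIGNING-OFF", 5.3, "SMB signing not required"),
    Finding("web-02", "HTTP-TRACE-ENABLED", 5.3, "HTTP TRACE method enabled"),
]


def prioritize(scan, chain):
    """Order findings: those the tester exploited first (in chain order),
    then everything else by descending CVSS score."""
    chain_rank = {key: i for i, key in enumerate(chain)}

    def sort_key(f):
        return (chain_rank.get((f.host, f.vuln_id), len(chain)), -f.cvss)

    return sorted(scan, key=sort_key)


def diff_scans(previous, current):
    """Return (fixed, new, persisting) sets of (host, vuln_id) between two scans."""
    prev = {(f.host, f.vuln_id) for f in previous}
    cur = {(f.host, f.vuln_id) for f in current}
    return prev - cur, cur - prev, prev & cur


def open_chain_steps(previous, current, chain):
    """Steps of the pentest attack chain that the follow-up scan still reports.
    An empty list means every link the tester relied on has been closed."""
    _, _, persisting = diff_scans(previous, current)
    return [key for key in chain if key in persisting]


if __name__ == "__main__":
    print("Q1 remediation order:")
    for f in prioritize(Q1_SCAN, PENTEST_CHAIN):
        print(f"  {f.host:7} {f.vuln_id:18} {f.cvss:4} {f.title}")
    fixed, new, persisting = diff_scans(Q1_SCAN, Q2_SCAN)
    print(f"Q2: fixed={sorted(fixed)} new={sorted(new)} persisting={sorted(persisting)}")
    print("attack-chain steps still open:", open_chain_steps(Q1_SCAN, Q2_SCAN, PENTEST_CHAIN))
```

Run as-is, the Q1 list puts the three chain steps ahead of the 9.8-scored database finding, because the tester proved those three are what an attacker would actually use, and the Q2 comparison reports that the SMB signing step is still open even though the two highest-scored items in the chain were fixed. That last check is the one to watch each quarter: a chain with one link still open is a path that has been narrowed, not broken.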
Once an organization has established an appropriate schedule of vulnerability scanning and penetration testing, the next phase is constant 24/7 system monitoring, which can be automated.
The time is past for considering cybersecurity to be a one-time expense. The threats are there every day and they are growing. Moreover, large corporations are not the only targets – 43% of cyberattacks target small and medium-sized businesses, and on average organizations with fewer than 500 employees lost $3 million per data breach in 2021.
In today’s environment, no one can afford the attitude of “It won’t happen to me.”
To start a discussion of how you can work vulnerability scans and penetration testing into your cybersecurity protocols, contact your Adams Brown advisor.