Do I Need a Pen Test? How To Know If Pen Testing Is The Right Move
By Jeremy Louise | January 14th, 2019
What is Penetration Testing?
Penetration testing, also commonly referred to as ethical hacking or “pen testing” for short, is a process in which a business thoroughly tests its computer system, its network or its applications in an effort to uncover any and all security vulnerabilities that could potentially be exploited by someone with malicious intentions. This type of testing can either be automated and performed by specially designed computer software, or it can be performed manually by IT professionals depending on the needs of the situation.
At TSI, pen testing is a topic that comes up very often with our clients in the context of security and compliance regulations. With this article, we want to help answer one of the most common questions we receive: whether or not you actually need a pen test.
Pen testing itself is very expensive and, unfortunately, there is a lot of misinformation about the topic that leads people to make poor decisions at critical moments. The average global cost of a data breach rose 6.4% in 2018 from just one year prior, and now comes in at $3.86 million. That’s the average amount of monetary damage a single incident can cause once downtime, loss of data, lost productivity and damage to one’s reputation are taken into account.
Most of the time, the decision of whether or not to conduct a pen test is one that will be made for you. It’s a hard requirement of many regulatory agencies, as it’s the true cornerstone of verifying your business’ security posture. There are, however, situations where penetration testing is not a requirement but a strong recommendation. In those cases, there are a lot of things that need to be done before a pen test is conducted, and you need to be aware of them moving forward.
When is a Pen Test a Good Idea?
A penetration test is only a good idea after you’ve taken steps to implement every other security tool and solution that is required of you. Remember that penetration testers are meant to find exploitable vulnerabilities within your network after it’s already as secure as it can be.
Invest in an appropriate antivirus solution. Work with a partner on proactive network scanning and monitoring. Make sure that all of your software is totally up to date and that you’re working from the latest version of your operating system of choice. Educate and train your users on security best practices. Once these types of steps are taken care of, then you can start worrying about penetration testing.
Once you’ve fortified your infrastructure, a penetration tester will go in and determine if there are any remaining loopholes or vulnerabilities that can be exploited. They will then present you with a list of steps you can take to address those gaps for the most holistic security response possible.
If you run a penetration test before your security solution is ready for it, you will certainly uncover vulnerabilities. However, this isn’t information you can put to good use, because many of those vulnerabilities likely would have been addressed by the rest of your deployment anyway.
When is Pen Testing Not a Good Idea?
Penetration testing is not a “silver bullet.” It is not the be-all, end-all solution to your security problems. If you have done nothing with your business’ security up to this point, or if you haven’t implemented the common solutions you need to stay safe on a daily basis, penetration testing is more than a bad idea. It’s a waste of time and money.
If you spend the money on penetration testing only to have that professional come back and say “we were able to exploit your network because your software wasn’t up to date,” you’re not learning anything you don’t already know. This is confirmation that you failed to take a step you should have, and at that point penetration testing is only underlining what is essentially common sense.
Identify what obvious vulnerabilities exist with assistance from a cyber security expert and/or a security assessment, then invest in penetration testing to confirm whether your strategy is as effective as you think it is. If you don’t have a strategy to speak of, the best penetration testing professional in the world isn’t going to be able to help you.
In the End
The most important thing for all business professionals to understand is that pen testing, as is true of IT security in general, is not a one-time engagement. Penetration testing isn’t something you do once and then revisit a year later. IT threats are constantly evolving, and your security must evolve with them. This requires daily vigilance and dedication to truly and absolutely safeguard your information technology infrastructure.
It is a mistake to look at IT in terms of “a one-time server upgrade” or similar periodic bouts of maintenance. In many ways, the perfect metaphor for this is one’s own health. With your physical condition, you’re only ever as good as your last workout. If you work out once and never again, you’re only becoming weaker every day.
If you actually want to maintain your health, you have to consider diet, hygiene, rest and exercise, and you need to practice these things day in and day out. To that end, penetration testing is very similar to going to a doctor’s office and getting a physical. The fact that you’ve been working out and eating healthy for the last seven days won’t stave off the negative health implications of the poor diet and inactive lifestyle you enjoyed for the six months leading up to it.
If you want to be healthy, you have to work for it. If you want to make sure that your business is protected and that everything you’ve already worked so hard to build is safe, you need to do the same.
If you’d like to discuss penetration testing or cyber security with an expert, and find out the right move for your business, then feel free to contact us at TSI Support.