What is Penetration Testing and Why is it Important
Penetration testing (commonly shortened to pentesting; it is one form of the broader category of security testing) is the process of testing your applications for vulnerabilities in order to answer a simple question: “What could an attacker do to harm my application, or my organization, out in the real world?”
An effective penetration test usually involves a skilled attacker, or a team of them, working with your permission and within an agreed scope. How much they are told up front is a design choice: in a black-box test they get no source code or credentials and must gain access the way an outside attacker would; in a grey-box or white-box test they are given accounts, documentation or source so that they can go deeper in the time available. A test can be scoped to IP address ranges or individual applications, or can start from as little as a company name. The level of access you give the testers depends on what you are trying to learn. To give a few examples of penetration tests you could run:
- You could give a team of penetration testers nothing more than a company’s office address and tell them to try to gain access to its systems. The team could use a wide range of techniques to break in, from social engineering (for example, asking a receptionist for access to a computer room to “run safety checks”, then installing a USB keylogger) through to application-specific attacks.
- A penetration tester could be given access to a pre-release build of a web application and told to try to gain access or cause damage by any means possible. The tester will then run a variety of attacks against different parts of the application in an attempt to break in.
One thing common to all penetration tests is that they should produce findings. There is no perfect system, and every organization can take additional steps to improve its security. The purpose of a penetration test is to identify the key weaknesses in your systems and applications so that you can decide how best to allocate resources to improve the security of your application, or of your organization as a whole.
Let’s look at a few benefits of cybersecurity testing:
- Improved Cybersecurity Increases Customer Retention
When it comes to customer service and relations, trust is everything. Your customers expect their data to be protected whether they are making an online purchase, logging in to their account or simply signing up for your newsletter. They need to know that their personal data and identity are safe. One study found that organizations that adopted an identity-centric approach to security reported the following results:
- A 39-percent increase in customer satisfaction
- A 38-percent increase in revenue
- An 87-percent increase in talent retention and acquisition
- Proactively Testing Cybersecurity Keeps the Government Off Your Back
Most organizations, regardless of industry or size, face compliance obligations at some point in the year. Statutory, contractual, regulatory and legal requirements are just some of the obligations businesses deal with today.
Testing your cybersecurity controls won’t necessarily reduce the scrutiny you receive from government and compliance bodies, but it can ease the pressure when an audit begins. Proactive testing lets you prepare for audits and compliance checks in advance instead of scrambling for answers or, worse, facing non-compliance penalties.
- Testing Cybersecurity Can Unveil Dangerous Vulnerabilities
A thorough risk assessment of your entire IT infrastructure can uncover vulnerabilities and weaknesses before they become a live threat. It is important to consider every part of the attack surface, including threats from inside the organization. Research by the U.S. Computer Emergency Response Team (CERT) found that close to 40 percent of data security threats came from within the organization.
Developing and documenting a response and recovery plan will also help you to contain these threats and recover quickly should your organization become a target.
- Testing Cybersecurity Can Prevent a PR Nightmare
They say that all publicity is good publicity, but tell that to a company that has just had millions of customer accounts stolen. It happened to Yahoo in 2016, when it disclosed a breach affecting 500 million accounts; the breach has also cost Yahoo its reputation, a mass exodus of users and tougher scrutiny from industry regulators.
A PR disaster caused by a data breach can wreck the reputation of your business, but it is something that regular and thorough testing of your information security systems can help prevent. All organizations, large or small, should focus on cybersecurity testing to protect the integrity and security of their own data and that of their customers and partners.
- Testing Cybersecurity Can Save You Millions
So what is the true cost of a data security breach? Data breaches large and small continue to make the news, although measuring their true cost is still a challenge. According to the Ponemon 2015 Cost of Data Breach Study, the average cost of a breach caused by a criminal or malicious attack rose from $159 to $174 per record in 2015. That sounds manageable if you lose only a handful of records, but multiply it by hundreds of thousands or millions of records and the figures start to carry real weight.
The same study found that organizations that involved their board of directors in risk and vulnerability management reduced the cost per record by $5.50. When board members are involved in security, they are more likely to understand why spending money to protect data matters, and they tend to act faster during and after a breach, which often means less money spent on recovery.
Despite the importance of cybersecurity testing, many organizations fail to address it consistently or completely. This is not usually negligence as such; more often it is due to the sheer scope of the work involved.
When your network has been in place for years, appears to be working without many hiccups, and you don’t want to cause outages or significant downtime, where do you start? It’s a good question. Many organizations begin cybersecurity testing but then stop after a little external penetration testing and some work on their web applications. To get a true picture of your risk, everything in scope must be considered.