Why do I need a Penetration Test?

Penetration testing is a professional service that evaluates the security of your organization, its applications and its infrastructure from an attacker's perspective. Many different threats affect the security of your business, and exploring each of them reveals where you are exposed; this is where a penetration test comes in. A penetration test is best performed by a qualified practitioner who can communicate the significance of each finding in terms the business understands. Findings are rated by risk and business impact, which helps prioritize remediation and allocate resources where they improve security the most.

How does my business benefit from a pentest and why do I need one?

A penetration test helps reduce exposure to the financial loss that results from a breach. By providing a window into the mind of an attacker, it uncovers targets of opportunity, paths of least resistance, and technical vulnerabilities that, if exploited, may result in significant financial loss. For instance, the average cost of a data breach last year was $4M USD. Many organizations look to insurance to transfer this risk, but recent news has shown that the strategy has many exclusions and limitations. To start, cyber insurance in Canada offers very low coverage limits, forcing many organizations to seek higher coverage from out-of-country insurance providers. Unfortunately, having a policy also does not mean that your damages will be covered. Recently, cyber claims relating to the WannaCry malware were denied because the attack was characterized as an act of war.

Penetration testing provides the most value when coupled with a particular business change. During mergers and acquisitions, IT teams scramble to unify their operations while ensuring that neither side exposes the other to cyber and financial risk. A penetration test is an excellent fit here: it measures risk and prioritizes remediation before the networks are integrated, so that the integrity of each is maintained.

Which compliance standards mandate penetration testing?

Various regulatory frameworks recognize the importance of penetration testing and mandate annual testing. PCI and SOC 2 are two standards that often require penetration testing in order to achieve certification. In PCI, requirement 11.3 outlines the requirements for annual penetration testing of the cardholder data environment (CDE).

PCI DSS 11.3.1 Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

PCI DSS 11.3.2 Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).

PCI-DSS Requirements

PIPEDA and GDPR are two privacy-related laws in Canada and the UK, respectively. While they do not mandate penetration testing, their fines are extremely high and they mandate timely breach notifications. Penetration testing complements privacy legislation well because it explores your business from the perspective of an attacker seeking unauthorized access to personal information and personal health information (PHI).

How does penetration testing improve security in my company?

Penetration testing helps prioritize investments in your IT security program. As IT security evolves within the business, several areas require controls, and resources are typically allocated through a risk assessment process. The effectiveness of that process depends on the risk management framework you have adopted, and it does not account for any blind spots you may have. Further, investing in technologies is pointless unless you have an operational process to implement and maintain each of them. Penetration testing is practical: it shows the impact of each missing or ineffective control within your business.

An objective-based penetration test is a full simulation that assesses cybersecurity within your organization by considering many attack scenarios, including phishing, tailgating and device drops. These engagements are best run blind, where the target operations teams are unaware there is a penetration test, so that their reaction can be tested, much like a fire drill. In countless engagements, we have been miscategorized as foreign nation attackers with limited justification; in others, the teams discover it is a penetration test and block the attack. Having this knowledge enables organizations to better prepare for an attack and adapt their strategies in order to reduce risk.

How does penetration testing improve customer confidence?

Customers expect more from organizations that hold their most sensitive information. In the event of a breach, customer confidence is lost, which results in millions in damages. In some cases, customers require their vendors to perform penetration tests and share the results, to validate that the vendors are taking the same steps to protect their information.

In the Software-as-a-Service industry, penetration testing attempts to obtain unauthorized access to other customers' information. Most SaaS applications are multi-tenant, which means that your information is stored alongside other customers' information on the same database, application servers, or content delivery network. Isolation of this content can be implemented, but there is often a way to call functionality directly and bypass these restrictions.
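As an added illustration (not code from the original article), the following Python model shows the multi-tenant bypass described above: the document listing is correctly scoped to the caller's tenant, but a direct-fetch function that takes only a record id is not, and the hardened version scopes every lookup to the tenant held in the server-side session and records denied cross-tenant reads for detection. The data, tenant names and function names are all constructed for this example.

```python
# Added illustration (not from the article): a multi-tenant SaaS store where
# isolation is enforced in the listing path but a direct-fetch path bypasses it.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Document:
    doc_id: int
    tenant_id: str
    body: str


class NotFound(Exception):
    """Raised for missing *and* foreign documents, so ids cannot be enumerated."""


# Constructed sample data: two tenants' records share one table.
DOCUMENTS: Dict[int, Document] = {
    101: Document(101, "tenant-a", "Tenant A invoice"),
    102: Document(102, "tenant-b", "Tenant B invoice"),
}

AUDIT_LOG: List[str] = []  # stand-in for the real audit sink


def list_documents(session_tenant: str) -> List[Document]:
    """Listing is tenant-scoped, so the UI only ever shows the caller's ids."""
    return [d for d in DOCUMENTS.values() if d.tenant_id == session_tenant]


def fetch_document_vulnerable(session_tenant: str, doc_id: int) -> Document:
    """The bypass: isolation lives only in the listing. Calling this path
    directly with another tenant's id returns that tenant's record."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc


def fetch_document_hardened(session_tenant: str, doc_id: int) -> Document:
    """Fix: scope every lookup by the tenant from the server-side session (never
    from the request) and log cross-tenant attempts so they can be detected."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.tenant_id != session_tenant:
        if doc is not None:
            AUDIT_LOG.append(f"cross-tenant read denied: {session_tenant} -> {doc_id}")
        raise NotFound(doc_id)  # same error for missing and foreign records
    return doc
```

The listing alone would never reveal id 102 to tenant-a, which is why a test has to call the fetch path directly rather than only clicking through the UI.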

Most important is customer confidence in your brand. In a previous article on this topic, we outlined that research suggests that if your organization is impacted by a data breach, 65% of your customers will think about moving their business, and 31% actually will. The immediate financial risk is obvious, but the erosion of customer confidence takes time to realize.

Onward

In summary, penetration testing is a great tool for an assortment of business and technology related challenges. It is an extremely valuable investment at every stage of business growth and for every size of business, and it helps prioritize IT spend in order to maintain customer confidence in your brand. While it is often mandated to ensure the protection of specific information (e.g., credit cards), it is mandated because of how effective it is. Your customers' privacy and their confidence in your business are both essential for growth. Contact us to learn more about how we can help.