The needs of every organisation or business are different, and most companies are aware that penetration testing should take place regularly. However, companies can find it challenging to determine precisely what "regularly" means for them and how to decide when a pen test should take place.

If the interval between penetration tests is too long, the window in which an attacker can find and exploit an undiscovered vulnerability grows with it. A business that tests only as often as the maximum interval stipulated in law or regulation is accepting more risk than it needs to: a compliance deadline is a floor, not a target. The worst case is to commission a pen test only after a cybercriminal has already succeeded.

What is a penetration test?

A penetration test simulates a real attack against an organisation's systems to find vulnerabilities, including newly introduced ones, so that they can be fixed. The tester examines the in-scope parts of the IT estate and the security controls around them, attempts to exploit the weaknesses found in order to demonstrate their real impact, and documents the results with remediation advice. The test itself does not remove vulnerabilities; remediation and a retest of the fixed issues follow it.

An external penetration test assesses the defences exposed to the internet, while an internal penetration test shows what an attacker could do once inside your network, for example after phishing a user or compromising a single host. Together they give a company a clear picture of its security risks.

How to determine when your business needs a penetration test

Determining when your company needs a penetration test comes down to three aspects: risk, compliance, and change.

Risk: The likelihood and impact of a cyberattack, and the organisation's tolerance for that risk, is the first consideration. The likelihood is higher for companies that are high-value or high-profile. Value is high when a company holds a large amount of data, such as personal, financial, or payment data, that a cybercriminal can monetise. Profile is high when a company often appears in the media, or appears in the media for poor political, environmental, or human rights actions, which draws the attention of hacktivists as well as criminals. Risk is also higher for any company, whatever software it uses, when internet-facing systems run software (open-source or commercial) with known, unpatched vulnerabilities, because automated scanning finds and exploits those regardless of who the target is.

Compliance: Many businesses are regulated and must meet industry-specific requirements to operate legally. ISO 27001, the standard for an information security management system (ISMS), does not prescribe a fixed testing interval, but its technical vulnerability management and continual improvement requirements are commonly met by penetration testing at least annually and whenever IT projects are implemented, and auditors expect to see evidence of it. A pen test feeds the risk assessment process, highlighting weaknesses in internal devices, web apps, and internet-facing IP addresses, and it supports continual improvement by verifying that existing controls still work, identifying new weaknesses, and confirming that previous findings have been fixed.

PCI DSS (the Payment Card Industry Data Security Standard) governs every system component that stores, processes, or transmits cardholder data, and anything connected to it (the cardholder data environment). It requires both internal and external penetration tests at least once every 12 months and after any significant infrastructure or application change or upgrade, with exploitable vulnerabilities corrected and retested.

Change: A pen test should follow any change to critical infrastructure, components, policy, system processes, or software. In a fast-changing environment that means testing regularly, and in particular whenever new web apps or infrastructure are added, significant network or infrastructure changes are made, offices are added to the network, or an existing office moves. Installing a security patch on a critical or internet-facing system is also a trigger; for routine patching a retest of the affected component is usually enough, rather than a full-scope test.

Conclusion

It makes sense for companies to plan for cyber safety from day one and to perform penetration testing once or twice a year as a baseline. OmniCyber recommends level 1 penetration testing quarterly, depending on risk, and level 2 penetration testing annually, and more often when the company is high-value or high-profile or has undergone significant change.

Contact OmniCyber to book a penetration test today and protect your business.