Does Your Business Really Need Penetration Testing?
Recap from the June 18th, 2019 CISO/Security Vendor Relationship Podcast
by Lydia Pert
With cyber threats increasing exponentially, breaches are no longer a matter of “if,” but “when.” If there are vulnerabilities in your system, chances are hackers will find them. It’s up to you to make sure you are aware of your weak spots — and fix them before the bad guys find them and exploit them. In the most recent CISO/Security Vendor Relationship Podcast, the Cloud Security Tip discusses the significance of penetration testing in light of relentless attacks.
Penetration testing, also known as pen testing or ethical hacking, is an authorized attack against a computer system to find security vulnerabilities. The main point of a pen test is to have a friendly, authorized entity hack your system first and help you identify weaknesses, rather than finding out the hard way that you’ve been breached.
Pen testing is crucial for every organization because hackers are attempting to breach computer systems and networks at a nearly constant rate: according to a Clark School study, hackers are attacking every thirty-nine seconds. On top of that, Cybersecurity Ventures revealed that there are approximately 3,809,448 records stolen from breaches each day. To break it down, that’s 158,727 every hour, 2,645 every minute, and 44 every single second.
Do Small Businesses Need Penetration Testing?
Short answer: Yes.
Long answer: A lot of people are under the misconception that penetration testing is necessary only for large enterprises, but based on the information we’ve highlighted, we know that hackers are relentlessly attacking computer systems. We also know that most hackers, like any criminals, look for easy targets. In many cases, small businesses are very easy targets because they don’t have robust cybersecurity solutions in place. According to the Verizon 2017 Data Breach Investigations Report, 61% of all cyber attacks are targeted against small businesses. So yes, small businesses really should invest in penetration testing.
Depending on the size and type of your organization, penetration testing could involve a few different components, but in general, many professional penetration testers recommend three essential tests: an external penetration test, a social engineering assessment, and an internal penetration test. An external penetration test identifies whether hackers can breach your organization over the internet. A social engineering assessment determines how likely it is that hackers can manipulate uninformed employees. And an internal penetration test identifies what hackers can do once they have gained access to your organization. Combined, these tests will help make sure your small business is secure, and that the sensitive data you collect cannot be stolen by an attacker.
Enhance Your Security with Purple-Teaming
For larger organizations with more resources at their disposal, purple-teaming can bring many benefits. Purple-team testing is a coordinated effort between a red team (penetration testing) and a blue team (network defense) that increases cooperation between the two groups to achieve optimal cybersecurity. During purple-teaming, the red team delivers the information they have gathered while “attacking,” and the blue team provides information on what steps they took to address the vulnerabilities the red team found, all in real time.
There is increasing understanding within the cybersecurity community that the red and blue teams should be working together to ensure company controls are working correctly and as expected. It can be very beneficial to have both sides working together in tandem to provide a complete audit from both the penetration and defense perspectives. If your organization has the resources available to implement purple-teaming, it could benefit you greatly in the long run.
Wrapping it Up
While penetration testing is important for all organizations, it might not be feasible for small businesses right off the bat. That is understandable, but as you grow and (hopefully) start budgeting for this testing, make sure you are protecting your business in other ways. A reliable business VPN such as OpenVPN Access Server can help keep your business network secure and defended, and offers top-notch cybersecurity, remote access, and access control.