Penetration testing is a vital starting point for every organization’s cybersecurity strategy. Pen tests help companies pinpoint network vulnerabilities and deliver guidance on how to fix them.
One challenge is ensuring that the tests cover enough ground to identify key compromised areas. Another is getting a report from the testing partner that’s comprehensive and easy to understand.
When a business recognizes the need for a penetration test but doesn’t get the results it needs, it receives no benefit from having the test performed. It’s a bit like going through an invasive medical exam only to receive a diagnosis in a foreign language.
To avoid that fate, here’s what you should know about making the most of a penetration test and how to find the right pen testing partner.
Click the banner to discover BizTech's list of small business IT influencers.
What Is a Penetration Test?
A penetration test is an assessment of a network’s security. When performed by a third party, a pen test involves a certified ethical hacker who attempts to breach either interior or exterior business networks (depending on the type of test performed) to identify potential points of compromise.
Penetration testers are trained to think like hackers, and they use the same methods as their malicious counterparts. The concept is similar to safeguarding your house: To burglar-proof your home, you might want advice from someone with experience breaking into homes.
This is because there’s a difference between trying to prevent an attack and looking for weak points. What may appear to be secure may actually be vulnerable — finding out is all in the approach.
When it comes to penetration testing, two misconceptions are common.
First is that pen tests deliver largely the same results, regardless of who runs them. But the expertise of testers make a big difference in how they approach network attacks and what they find.
Second is that great pen testers are enough on their own. The reality is that even top-tier testing won’t improve defenses if it’s not paired with comprehensive reporting. It’s vital that testers detail everything they do because businesses need to know what was tested, how it was tested, and where it failed.
UNPACK: Find out how IT leaders are reimagining their cybersecurity infrastructures.
The Different Kinds of Penetration Tests
There are several common types of pen tests, each with its own purpose:
- External tests look for ways that outside actors might gain access to public-facing network components.
- Internal tests evaluate what could happen after an attacker gains internal network access.
- Wireless penetration tests assess the security controls on Wi-Fi networks and connected devices.
- Social engineering tests measure the success rate of attacks such as phishing.
- Physical penetration testing evaluates the physical security of hard assets such as access points, server rooms and desktops for potential vulnerabilities.
- Web application testing attempts to gain network access through connected web apps.
DISCOVER: What small businesses need to know about cyber insurance.
How Often Should Pen Tests Happen?
For many companies, aiming for a complete penetration test once per year is a reasonable goal based on budget resources and time constraints. If possible, every six months or even quarterly may be advisable.
In many cases, however, even annual penetration tests don’t happen. Budgets are one problem, as TechRepublic reports, with 1 in 3 companies citing money as their reason for not conducting the tests more frequently. Some organizations may think, if it’s not broken, don’t fix it. But while weak networks may not look broken on the surface, many will show cracks under even the slightest pressure.
Finally, there’s still a pervasive concern about security uncertainty; many companies don’t want to look like they don’t know what they’re doing. The problem here is that avoiding penetration tests because they could reveal unknown issues doesn’t solve the problem, it simply keeps companies in the dark.
EXPLORE: Find out how IT leaders should strategize during a period of economic uncertainty.
How to Pick a Penetration Tester
Picking the right penetration testing partner is critical for getting actionable results. But how do companies know who’s good and who’s not?
Start with experience. Providers with more industry experience and expertise are typically more thorough and more trustworthy. Next, assess the tester’s transparency. Companies should ask for a sample report to see how testing results are delivered. If a pen tester won’t provide this, walk away.
Finally, make sure to look for a provider that prioritizes privacy. This means that your penetration testing results should be given only to the individuals you designate and should not be shared among the provider’s internal teams or with your workforce at large.
Simply put, penetration testing should be a top priority for businesses that want to understand where they’re vulnerable to attack and learn what they need to do about it. By partnering with an experienced provider, companies can get actionable data that is well worth the cost.
This article is part of BizTech's AgilITy blog series. Please join the discussion on Twitter.