There is a crucial problem when it comes to penetration testing. It is not in the tests themselves or the way they are conducted; it’s that in many cases they are not conducted at all. In particular, studies have shown that small organisations are significantly less likely to invest in penetration tests or security vulnerability assessment. In many cases, SMEs are content to run little more than basic anti-virus software and expect that hackers are more likely to focus their efforts on big business.
This can be a dangerous assumption because hackers do not limit their attention to large corporates. In fact, hackers are well aware that large organisations are more likely to have a robust risk posture than their smaller counterparts. As a result, attackers often prefer to focus their considerable skills on small businesses where cyber security is often, at best, perfunctory or, at worst, virtually non-existent. According to the website SmallBizTrends, a substantial 43% of cyber attacks are thought to be targeted at small businesses.
We know that if a breach does occur, the consequences can be catastrophic, especially for smaller businesses. Not only is the business damaged today but the reputational effects and long-term damage can be even more extensive in the future. Indeed, further data captured by SmallBizTrends showed that a worrying 60% of small enterprises went out of business within 6 months of an attack.
Professional support can, of course, be engaged in a time of crisis and a good cyber security professional service will be able to take steps to mitigate some of the damage. But this can be expensive, disruptive and time-consuming. Cyber security consulting firms much prefer to get involved before a breach occurs and to work with their clients to put their security system to the test before a hacker does.
To avoid becoming the victim of a cybercriminal it is crucial to get into his or her mindset and identify where a system’s vulnerabilities lie. From there it is possible to build a demonstrably robust defence which will deter those looking for an easy win. Yet, few small business leaders have the time or the skills to challenge their own systems in this way. Instead, it is more effective and, ultimately, cost-effective to engage with a cyber security consultant with the experience and expertise to set out an appropriate test and exercise plan that will identify where changes need to be made to provide protection from hackers.
There are two main types of test used by cyber security professional services, and each has a vital role to play. The first is the vulnerability assessment, which is the information security equivalent of a household security check. Also known as vulnerability scans, these assessments evaluate computers, systems and networks for known security weaknesses.
The benefits of a vulnerability assessment are obvious: they are quick, affordable and largely automated, and they can be scheduled to run on a regular basis. Vulnerability assessments, however, only go part way to providing the reassurance needed. By their very nature, they cannot understand or anticipate the complex ingenuity of sophisticated human hackers. They simply show you where your weaknesses may be.
A penetration test, on the other hand, simulates a hacker attempting to get into a business system through the exploitation of vulnerabilities, which is why the process is sometimes referred to as ‘ethical hacking’. Although penetration testing can be conducted in-house, the risk is that those who work within an organisation are overly familiar with a system and are unable to see it objectively.
This is where the value of a cyber security professional service comes in. A qualified penetration tester can think laterally, using both training and experience to analyse and synthesise. They will put themselves into the mind of a hacker and have the imagination to anticipate possible weaknesses. Penetration testers provide a deep interrogation of an organisation’s data security, before reporting back on the state of the business’s risk posture and how remedial work can improve it.
So how should you best use vulnerability assessments and penetration tests? Well, ideally, using both encourages optimal network security. Vulnerability assessments are great for a weekly, monthly or quarterly insight into your network security, while penetration tests are a very thorough way to really put your network security under the microscope and significantly reduce the possibility of any gaps.
The most common reason for small businesses not engaging a cyber security professional service is cost. But scoping the exercise correctly at the outset means that the budget is spent on what is needed, not on what is not. Also, having a cyber security consultancy firm examine every nook and cranny of a business's infrastructure and systems, the way a real-world attacker would, may save a great deal of money in the long run; not forgetting the value-add of a comprehensive report following the completion of a project, and the access to best-practice remediation support.
About the Author
This article was supplied by Security Risk Management Ltd (SRM), the experts in information security. For more information on the information security challenges faced by businesses or to engage with SRM for your next project, visit www.srm-solutions.com.