Recent data has revealed that nearly a third of businesses that suffer cyber attacks now experience incidents at least once a week.
With the frequency of cyber attacks on the rise, it is essential that you ensure your business systems are built with security in mind, and that they evolve to keep up to date with ever-changing threats.
Penetration testing (or pentesting as it’s also known) can strengthen your digital infrastructure by helping you to identify the vulnerabilities you didn’t know your business had.
What is penetration testing?
Penetration testing is used to find and exploit security vulnerabilities in computer systems. By simulating cyber attacks on networks, applications, websites, apps and portals, the exercise will highlight any cyber vulnerabilities, without impacting the business.
To think of it another way, when you go to bed at night the chances are you will conduct a security check of all your doors and ground floor windows to ensure they are closed and locked and not open for criminals to gain access. Simply, penetration testing is the equivalent of checking that all your ‘digital’ doors and windows are closed and locked and not accessible by cyber criminals.
A failure to identify open access points in your digital infrastructure could lead to theft of data, ransomware attack, interruption of services and damage to strategic reputation.
When should you conduct pentesting?
The UK GDPR states that appropriate technical and organisational measures should be implemented to protect your business. It references penetration testing, but does not make it an explicit obligation.
However, if your business has a bespoke network, web-portal or application it is vulnerable to cyber attack.
It is an appropriate technical measure to conduct penetration testing on these bespoke systems to identify whether there are any access points that cyber criminals can exploit to gain access and cause havoc to you, your business and your clients and customers.
In the unfortunate event you should suffer a cyber attack and breach, and are subsequently investigated, it is highly probable that you will be asked about your penetration testing regime.
What are the benefits of penetration testing?
Conducting a penetration test will pinpoint any risks in your networks, web applications and mobile apps that could leave you open to hackers and vulnerable to a potential cyber attack. You can then make any improvements that need to be made.
According to Hiscox Cyber Readiness Report 2021, nearly a quarter of firms that were attacked in 2020 (23%) cited bad publicity and the impact on the company’s brand and reputation as a major cost. A cyber assault will likely have a negative effect on the confidence and loyalty of your customers, employees and suppliers, and it can also leave you open to group litigation claims for individuals seeking compensation. Ensuring your business regularly conducts penetration testing, and therefore is continuously identifying and eliminating potential risks, will reassure your stakeholders that their data is safe in your hands.
Cyber attacks can cause severe disruption to business operations, with systems, apps and networks being taken offline for many hours, or sometimes days, with project work, business-as-usual activities and transformation programmes all potentially being severely disrupted.
On top of this, following a breach, the average time for an ICO investigation to conclude is six months: a costly, time-consuming procedure further distracting your business and management team.
By identifying potential risks and threats in advance of such an event occurring, you’ll be able to implement additional security measures to reduce the risk of the attack taking place, or to ensure your business can continue to operate if the worst should happen.
Fines of 4% of your global turnover can be issued for non-compliance with UK GDPR and other data protection regulations, as well as for losing personal data as a result of a hack or breach. In addition, failure to notify the ICO of a breach within 72 hours can lead to further fines. If you experience a breach it is likely the ICO will also mandate that you implement or improve your security programme and they may monitor you moving forward. You may also struggle to get cyber insurance and are likely to face significantly higher premiums.
Depending on the industry your business is in, or the industry standards you work against, it may be a requirement to conduct penetration testing. For example, this is an essential requirement for ISO 27001.
We’re here to help you protect your business
Our team of experts will identify your vulnerabilities and then work with you to defend your data and enhance your security to protect your systems.