22nd July 2019

Cybersecurity: do you need to invest in penetration testing?

According to digital security specialists Gemalto, there were 945 major data breaches that exposed 4.5 billion records in the first half of 2018. That is a staggering 291 records stolen every second. Identity theft was the most common type of breach, and malicious outsiders, frequently using phishing to get hold of credentials, were the most common source.

Cybercriminals are getting cleverer and are developing ever more sophisticated ways of stealing data. They have managed it against Facebook, Adidas and Morrisons, so if companies that size can't keep themselves safe, how can smaller ones hope to?

The honest answer is that nobody can make a break-in impossible. But you can make it much harder, and attackers who meet resistance generally move on to an easier target.

How can I make it harder?

You could try penetration testing. This is where you engage an 'ethical hacker' to try to get into your systems. They copy what the bad guys do, so that your weak spots are found by someone on your side first. That can include sending spam and phishing emails, using social engineering, and targeting your websites and domain servers. The test is done under a written agreement that sets out what is in scope and what the tester may and may not do, so that nothing breaks unexpectedly and nobody ends up on the wrong side of the law.

Firewalls are also probed, and harmless test files (such as the EICAR test string) or simulated malware are sent to check whether your defences detect and block what a real virus would do. Testers will also sometimes pose as employees or contractors and try to break in from the inside. Techniques include tailgating workers into buildings and distracting people so they leave a workstation unlocked when they walk away.

At the end you receive a report listing what was found, how serious each issue is, how it was exploited, and what to do about it, in priority order.

How often should I do penetration testing?

The minimum is once a year. You should also test after moving premises or installing or upgrading any significant software or hardware. Some companies, particularly those in heavily regulated industries, are required to test more often by law or by the standards they must comply with; PCI DSS, for example, requires a penetration test at least annually and after any significant change.

Larger companies usually hold more data that criminals want, so they probably need to test more often than smaller ones. There's no hard and fast rule, though: test as often as your risk warrants. Once the problems a test turns up have been fixed, test again to confirm the fixes actually closed them.

This is bound to be expensive, isn’t it?

Penetration testing can be expensive, but it’s not as costly as a data breach. That could cost your reputation with customers as well as actual money, so it’s worth investing what you can afford to in it.

You can keep the costs down and help your data stay safe by reducing the number of vulnerabilities a tester (or an attacker) will find in the first place. Regularly educating staff on strong, unique passwords, on not opening unexpected attachments or downloads, and on general security awareness all make a data breach less likely.

It's also important that they know how to recognise a phishing email and how to report it. Set up a mailbox that suspicious emails can be forwarded to, and reward employees who regularly spot them correctly.

Free software online

There is plenty of free or open source penetration testing software available online. Among the most popular are Nmap, the Metasploit Framework, Wireshark, and John the Ripper.

They do different jobs: Nmap finds open ports and the services behind them, Metasploit tests whether known vulnerabilities in those services can actually be exploited, Wireshark captures and inspects network traffic, and John the Ripper checks how quickly your users' password hashes can be cracked. Running one or two regularly can show you flaws so you can address them before the hackers strike. One caveat: only point them at systems you own or have written permission to test.
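To make concrete what "looking for open ports" and "cracking your password" actually involve, here is an added example (not code from the original article, and not part of Nmap or John the Ripper) that does a miniature version of both. It opens a throwaway listener on 127.0.0.1 so the scan has something to find, and it constructs a handful of staff accounts with unsalted SHA-256 password hashes and a tiny wordlist to show why weak passwords fall in milliseconds. The account names, passwords and wordlist are all made up for the illustration; the same point applies to the staff-education paragraph above.

```python
"""Added example: a minimal TCP port scan and a minimal dictionary attack on
password hashes, run entirely offline against 127.0.0.1 and against sample
hashes constructed here. Nothing below is from the original article or from
the tools it names; account names, passwords and the wordlist are invented."""

import hashlib
import socket


def scan_ports(host, ports, timeout=0.2):
    """Return the ports in `ports` on `host` that accept a TCP connection.

    This is the core of what a port scanner does: try to connect() to each
    port and record the ones that complete the handshake. Real tools add
    service fingerprinting, rate control and other probe types on top.
    """
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            if sock.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return open_ports


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener so the scan has something to find.

    Binding to port 0 asks the OS for a free port; the socket and the port
    number are returned so the caller can close it afterwards.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Find a port that is currently closed by binding to 0 and releasing it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind((host, 0))
        return probe.getsockname()[1]


def crack_hashes(hashes, wordlist, algorithm="sha256"):
    """Dictionary attack: hash each candidate word and look it up in `hashes`.

    `hashes` maps hex digest -> account name. Unsalted, fast hashes like this
    are exactly what make a wordlist attack cheap: one hash per word covers
    every account at once. A slow, salted scheme (bcrypt, scrypt, Argon2)
    would force the attacker to repeat the work per account.
    """
    cracked = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        if digest in hashes:
            cracked[hashes[digest]] = word
    return cracked


def run_demo():
    """Run both checks and return (open ports found, open port, closed port, cracked)."""
    srv, open_port = start_listener()
    closed_port = free_port()  # distinct from open_port because srv still holds it
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()

    # Constructed sample accounts (hypothetical): two weak passwords, one strong.
    accounts = {
        "alice": "Password1",
        "bob": "letmein",
        "carol": "correct horse battery staple",
    }
    hashes = {hashlib.sha256(p.encode()).hexdigest(): n for n, p in accounts.items()}
    wordlist = ["123456", "password", "Password1", "letmein", "qwerty"]
    cracked = crack_hashes(hashes, wordlist)
    return found, open_port, closed_port, cracked


if __name__ == "__main__":
    found, open_port, closed_port, cracked = run_demo()
    print(f"scanned {open_port} (listening) and {closed_port} (closed); open: {found}")
    print(f"cracked accounts: {cracked}")
```

In a real test you would run Nmap across your whole address range rather than two ports, and John would work from leaked hash dumps and wordlists of millions of entries; the mechanics are the same, which is why "Password1" never survives contact with either.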