A penetration test — or pen test — is a simulation of a possible cyber-attack against an IT system performed by a professional with no malicious intent. The main purpose of such tests is to find exploitable vulnerabilities before anybody else does so that they can be fixed and addressed accordingly.
Pros and Cons of Penetration Testing
Nowadays, companies of all sizes have a network presence, and the internet has made it easy for attackers to engage with companies around the world. A cyber-attack can damage a company in many ways, not just economically. An organization’s brand, reputation, and even intellectual property could be affected.
Case in point: the ransomware attack of 2017 woke the world up to the nightmarish scenario of a crippling attack on an organization's systems.
A penetration test can help an enterprise build a more robust and reliable security posture. With that said, not all companies should engage in a pen test, since they aren’t always particularly beneficial. Because of this, it’s important to evaluate whether or not a pen test will have value for your company.
Potential benefits of a pen test include:
Some of the potential drawbacks are:
When Should You Pen Test?
Some companies make the mistake of starting a pen test too early on a network or system deployment. When a system or network is being deployed, changes are constantly occurring, and if a pen test is undertaken too early in that process, it might not be able to catch possible future security holes. In general, a pen test should be done right before a system is put into production, once the system is no longer in a state of constant change.
It is ideal to test any system or software before it is put into production. Most companies do not adhere to this recommendation because they are eager to get their return on investment (ROI) quickly. Companies might also fail to follow this best practice because a project has exceeded its deadline or budget. These factors make companies eager to push their new services live without having conducted the proper security assessments. This is a risk that needs to be evaluated and put into perspective when deploying new systems.
How Often Should You Pen Test?
A pen test is not a one-time task. Networks and computer systems are dynamic — they do not stay the same for very long. As time goes on, new software is deployed and changes are made, and they need to be tested or retested.
How often a company should engage in pen testing depends on several factors, including:
Pen testing should not be taken lightly; it has the potential to provide a critical security service to all companies. For some organizations, it might even be mandatory. But a pen test is not one-size-fits-all. Ultimately, understanding the company’s line of business is fundamental to successful security testing.