As the profile of penetration testing grows, a wider variety of service options and providers are entering the marketplace.
This gives businesses more choice when deciding on the package to pick. But not all penetration tests are created equal, so here are a few things to look out for to help you select the most effective solution.
Penetration testing requires real hacking techniques to be used against your IT resources. So you want to make sure that the people who are doing the testing have your best interests at heart.
Look for qualified, experienced, well-trained testers who are employed by a company that is dedicated to providing ethically sound, accountable services to clients of all shapes and sizes.
Accountability can be assured through evidence collection, which takes place over the course of the testing. Just remember that because this industry is relatively young, reputations are still being developed, so a little trust is required.
One way to be sure that a firm is on the level is through its attainment of relevant industry certification. CREST is an internationally respected association of independently-approved information security providers, so a certification from CREST is a desirable feature of any UK penetration testing company or consultant. The same is true of the TIGER Scheme, which provides certificates and qualifications.
Picking apart an IT system to look for its weak points is all well and good, but a penetration testing company also needs to provide you with the information that will help you address these flaws. If they don’t, you will be stuck in the limbo of knowing that something is wrong, but not having the ability to fix it.
The value of penetration testing is entirely tied up in the effectiveness of the feedback you get after the fact. So before you commit to a service, find out exactly how a provider will be able to assist you once all tests have been conducted.
Although media coverage focuses on big businesses that are subjected to attempted hacks and other disruptive attacks, smaller organisations are also in the firing line when it comes to cyber security.
Because of this, penetration testing should be able to adapt to suit your firm even if it only employs a handful of people, rather than hundreds.
With the rollout of the General Data Protection Regulation (GDPR) just around the corner, businesses need to ensure that their security systems and data policies are up to scratch. If not, they could face steep fines, many orders of magnitude larger than in the past.
Along with the GDPR, some organisations also need to ensure compliance with the Payment Card Industry Data Security Standard (PCI DSS) to protect all transactions and related data.
Modern penetration testing should take both of these things into account, preventing a business from being caught off guard when the regulators come calling.
This is not necessarily something that all businesses will need, but a truly comprehensive penetration test will include an investigation of security at your business premises.
There are many methods via which hackers can subvert IT systems and steal data through physical access to on-site devices and infrastructure. Being able to add this to the testing process will help you cover all the angles and provide a realistic representation of your security posture.
The final thing to look for in an effective penetration test is the ability to assess cyber security awareness levels amongst employees, and if necessary to create training programs to address any shortcomings.
This should include the option to check how staff respond when targeted by a phishing scam tailored to your organisation. You will then be better equipped to defend against malware, ransomware and social engineering techniques used in a number of attack types.
There are other aspects of penetration testing which will vary in importance according to the nature of your business, so it is best to talk to the experts to get a better idea of what is at stake.