On the face of it, giving a team of highly skilled computer hackers carte blanche to attack your IT systems may not seem like the best of ideas, but that is essentially what a penetration test (pentest) is, and it is not as crazy an idea as it may sound.

A pentest is a simulated attack on your IT systems, carried out by ‘White Hat’ hackers employing ‘Black Hat’ techniques to determine how vulnerable every aspect of your business is to malicious attack. Encompassing anything and everything from probing your company website to the physical security of your office building, a pentest is a great way to find out if your business is at risk. No matter whether it is IP, data, physical assets or otherwise that is key to your business, you should take every precaution to keep it safe.

So what should you expect when you commission a pentest? You agree a scope with the testers, and decide whether your test will be ‘white box’ (where the testers are provided with certain specific information about your systems) or ‘black box’ (testers have no prior knowledge of your systems), and then set them loose. When the test is complete you will receive a comprehensive report of the weaknesses and vulnerabilities identified during the test, and recommendations of how they can be mitigated or otherwise neutralized.

A well-scoped pentest will give you not only peace of mind that your business is as secure as can be; evidence of a penetration test (and, more importantly, of the actions taken to secure your business as a result) can also be key to attaining compliance with industry standards, or to qualifying your business for cyber security insurance where that is a suitable fit.

Great.
So you should go ahead and get a pentest booked in, right?

Well, not quite.

A penetration test is certainly a great way to show that your business is not only aware of the importance of security, but has taken steps to ensure that your clients’ business is in safe hands.

But first, you will want to have considered and squared away certain security fundamentals before letting (albeit ‘good guy’) hackers loose on your business. You wouldn’t spend good money on a state-of-the-art alarm system for your office if you hadn’t first checked that you could close and lock the door, so here are a few key security fundamentals you should take care of, to make sure that when you are in a position to engage a security team to simulate an attack against your business, you make them earn their money:

  • Keep up to date – Make sure you have the policies and procedures in place to ensure your servers and endpoints (all desktop PCs, laptops, tablets and mobile phones), as well as all your applications, are up to date. Each time a vendor releases a patch for an operating system or a piece of software it raises awareness of the vulnerabilities it fixes, so patch your systems as soon as you can, before the bad guys can take advantage.
  • Protect your devices – Deploy endpoint protection in the form of anti-virus and personal firewalls to prevent and detect malicious activity on all of your employees’ company equipment. Remember, it can take only one device connected to your network to be compromised for your whole business to be exposed.
  • Identify and secure your perimeter – It doesn’t matter if you host servers on your premises or if you leverage the cloud for your back office systems; identifying and securing the areas where your data is open to attack is the responsibility of your business. If your employees access email on their phones, or if you have remote workers, then you must ensure that access and communication between your business and the outside world is controlled, auditable and secure.
  • Stay connected, safely – Communicating electronically and taking advantage of the internet is a big part of any modern business, but it also presents one of the biggest risks. Email gateways and web filtering can help your business mitigate some of the most common forms of breaches and attacks seen today, preventing malicious emails from reaching your employees and protecting them from compromised and potentially harmful websites.
  • Educate your employees – Most important of all, educate your employees. Set clear policies and procedures around not only security, but all business practices. This will establish a normal state of operation to help employees identify anything out of the ordinary, and empower them to flag up any activity or communications that look suspicious. Securing your business is the responsibility of all your employees, so make sure they feel confident about being able to go about their jobs safely and securely.

Whether you’re ready for your first pentest, need help making sure you’ve done the right groundwork before getting started, or need any other security advice, get in touch.