On the face of it, giving a team of highly skilled hackers carte blanche to attack your IT systems may not seem like the best of ideas, but that is essentially what a penetration test is, and it is not as crazy an idea as it may sound.
A penetration test is a simulated attack on your IT systems, carried out by ‘White Hat’ hackers employing ‘Black Hat’ techniques to determine how vulnerable every aspect of your business is to malicious attack. Encompassing anything and everything from probing your company website to the physical security of your office building, a pen test is a great way to find out if your business is at risk. No matter whether it’s IP, data, physical assets or otherwise that is key to your business, you should take every precaution to keep it safe.
So what should you expect when you commission a pen test? You agree a scope with the testers, decide whether your test will be ‘white box’ (where the testers are provided with specific information about your systems) or ‘black box’ (where the testers have no prior knowledge of your systems), and then set them loose. When the test is complete you’ll receive a comprehensive report of the weaknesses and vulnerabilities identified during the test, along with recommendations for how they can be mitigated or otherwise neutralized.
A well-scoped penetration test will give you not only peace of mind that your business is as secure as it can be; evidence of a penetration test (and, more importantly, of the actions taken to secure your business as a result) can also be key to attaining compliance with industry standards, or to qualifying your business for cyber security insurance where that is a suitable fit.
Great. So you should go ahead and get a pen test booked in, right?
Well, not quite.
A penetration test is certainly a great way to show that your business is not only aware of the importance of security, but has taken steps to ensure that your clients’ business is in safe hands.
But first, you will want to have considered and squared away certain security fundamentals before letting (albeit ‘good guy’) hackers loose on your business. You wouldn’t spend good money on a state-of-the-art alarm system for your office if you hadn’t first checked that you could close and lock the door, so here are a few key security fundamentals you should take care of, to make sure that when you are in a position to engage a security team to simulate an attack against your business, you make them earn their money:
- Keep up to date – Make sure you have the policies and procedures in place to ensure your servers, your endpoints (all desktop PCs, laptops, tablets and mobile phones) and all your applications are kept up to date. Each time a vendor releases a patch for an operating system or a piece of software, it draws attention to the vulnerabilities it fixes, so patch your systems as soon as you can, before the bad guys can take advantage.
- Protect your devices – Deploy endpoint protection, in the form of anti-virus and personal firewalls, to prevent and detect malicious activity on ALL your employees’ company equipment. Remember, it can take only one compromised device connected to your network to expose your whole business.
- Identify and secure your perimeter – It doesn’t matter if you host servers on your premises or if you leverage the cloud for your back office systems, identifying and securing the areas where your data is open to attack is the responsibility of your business. If your employees access emails on their phones, or if you have remote workers then you must ensure that access and communication between your business and the outside world is controlled, auditable and secure.
- Stay connected, safely – Communicating electronically and taking advantage of the internet is a big part of any modern business, but it also presents one of the biggest risks. Email gateways and web filtering can help your business mitigate some of the most common forms of breach and attack seen today, preventing malicious emails from reaching your employees and protecting them from compromised and potentially harmful websites.
- Educate your employees – Most important of all, educate your employees. Set clear policies and procedures around not only security but all business practices. This establishes a normal state of operation that helps employees identify anything out of the ordinary, and empowers them to flag any activity or communications that look suspicious. Securing your business is the responsibility of all your employees, so make sure they feel confident about being able to go about their jobs safely and securely.
Whether you’re ready for your first pen-test, need help making sure you’ve done the right groundwork before getting started, or need any other security advice – get in touch.