Why You Should be Penetration Testing and How Often
Following our previous blog post “Penetration Testing: What is it and will my business benefit?” we received a lot of questions from our customers and partners about how often they should be carrying this test out. In this article, we aim to address just that.
Penetration Testing: Why?
As mentioned above, our previous blog explains exactly what penetration testing is and the benefits it provides. Here is a quick recap of why you need to be performing pen tests in your business:
- Identify your security flaws
- Improve on your vulnerable areas
- Gain an insight into the level of real-world risk and how a real attack would impact your business
- Better manage your defences
- Run your business cost-effectively and without disruption
- Meet regulatory requirements and avoid fines
- Maintain trust with your employees and clients
For more information on why you should be doing it, read our full blog here.
Penetration Testing: When?
So by now you know how important pen tests are and why you should be doing them. The real question you are looking to answer is how often you should be doing them.
There is no magic "one-size-fits-all" answer, I'm afraid. It all depends on your business.
In general, don't carry out a penetration test on a system that is still being built and deployed. At that stage of development, systems and networks are in a state of constant change, so the findings of a test would be out of date almost immediately and would not reflect the vulnerabilities of the finished system. Instead, carry out the test just before the system is put into production.
To determine how often you should be carrying out penetration tests in your business, you need to take into account these factors:
- Company size – bigger companies typically have more vulnerabilities: more employees with access to sensitive information, more potentially weak passwords, more email traffic, a larger online presence, and so on. This may mean you need to carry out penetration tests more regularly than smaller companies, for example once or twice a year as opposed to once every 2 years.
- Budget – pen tests can be expensive, so your cash flow will obviously play a role in how often you are able to conduct them. Organisations with a smaller budget may be restricted to once every 2 years, while bigger companies may be able to afford more frequent and thorough testing if they want it.
- Regulations, laws, and compliance – depending on your industry, certain laws and regulations may require your company to perform security activities such as pen testing on a regular basis.
- Infrastructure – if your company runs in a 100% cloud-based environment, you may not be allowed to test the cloud provider's underlying infrastructure. The provider may already conduct its own internal pen tests, so you can decide whether you need to test the other measures that remain under your control.
- New security measures, systems or networks – whenever you are implementing anything new to your business that may have an effect on your security, always carry out a penetration test soon after to prevent it from becoming a vulnerability.
Take-away message
Although there is no single answer for every business, it's important that companies recognise the importance of carrying out penetration tests and the role they play in their overall security strategy.
Because businesses are dynamic, always growing and developing, it's essential that pen tests are conducted regularly along the way, to make sure that vulnerabilities aren't exploited and to prevent costly consequences that you may be unable to resolve. How often you carry them out is ultimately up to you.
Need to test your business’s defences?
RGM Security offers a wide range of security services as well as penetration testing to check your defences and threat awareness training for your staff. If you need training or just advice, please don’t hesitate to contact us!