In our previous articles, we have shown examples of typical threats and walked you through the process of choosing a penetration test vendor.  This week we will guide you through the long-term goals of penetration testing and explain some of the repercussions of not maintaining your penetration test procedures and regulatory compliance.

Often in discussions with customers, questions arise about why penetration tests are necessary when other security measures are already in place.  We have already discussed some of the legal reasons penetration tests are important, but let’s not overlook the bigger picture: the ongoing security of your business network.

Security breaches, and any related interruptions to your network, cause downtime, financial loss or even permanent data loss. A major breach can expose usernames and passwords, give an attacker access to business bank accounts, or hold private business data to ransom.  Not all breaches carry the same level of danger, but they share one thing: they threaten an organization’s reputation, erode customer loyalty and attract negative publicity.

Within the last year, major businesses such as CVS, Walgreens and many others were hit by credit card security breaches.  The most forward-thinking of these businesses were able to limit the damage and quickly lock down the affected systems.  Some offered credit checks and monitoring services to their customers in an effort to curtail public outcry.  But even under the best circumstances, these breaches were costly.  A study conducted by the Ponemon Institute (2014 Cost of Data Breach Study: Global Analysis) reported that the average cost of a data breach for an affected large company is now $3.5 million. Costs associated with the Target data breach of 2013 reached $148 million by the second quarter of 2014. In our view, breaches like these are the likely consequence of so-called “rubber stamp” pen tests: penetration tests that satisfy regulatory compliance on a technicality but offer little in the way of real protection.

The unfortunate reality is that it is impossible to safeguard all information all the time.  Organizations have traditionally sought to prevent breaches by maintaining layers of defensive controls such as anti-malware software and user access controls.   The problem is that new vulnerabilities are discovered every day, and attacks constantly evolve in their technical and social sophistication as well as in their degree of automation.   The long-term goal of penetration testing is therefore to identify the most likely entry points for a breach, close them, and repeat the exercise as the environment and the threats change.  When findings are carefully tracked, analyzed and backed by the appropriate use of technology, it is possible to discover and fix security holes before they can be exploited.

Ultimately, it’s important to be honest with yourself and identify the long-term security goals of your organization.  If your primary motivation is only regulatory compliance and you feel the urge to simply “check the box” with a lesser penetration test, that is an option.  But in choosing it, you will need to accept that security breaches and their repercussions become part of “the everyday cost of doing business.”  Instead, we strongly urge you to consider your options: seek out a qualified penetration test vendor and implement a full security program that will serve your organization for a long time to come.  The cost of doing anything less should be more than you are willing to pay.