Cyber-criminals and hackers become more active and pervasive every day, and the sad truth is that they typically target businesses. This means that if you run a company you need to take steps to protect the data you hold and ensure your cyber security is up to scratch. An important aspect of doing this is performing penetration testing. A qualified ethical hacker will attempt to safely break into your systems, and then provide the details of the weaknesses that they were able to exploit before a potentially malicious attack gets there first.
But too often businesses make simple mistakes when commissioning an organisation to conduct penetration testing, and these mistakes can leave the testing far less effective than it should be. Here are five of the most common pen testing mistakes that companies make, and what you can do to avoid them.
1. Relying On Your In-House Cyber-Security Team
It can be tempting to rely on your organisation’s in-house IT team to assess your organisation’s cyber-security posture. But this is a bad idea for a couple of reasons. Firstly, your cyber-security team is unlikely to specialise in penetration testing and might lack some of the skills necessary to do the job properly. Secondly, even if the team is fully equipped to do the job, you shouldn’t use individuals who are already wholly familiar with your systems. It is important that the testers attack your systems without any bias or prior knowledge, in order to simulate a real hacking attempt. Work with a company that specialises in pen testing, such as Redscan, to get the best possible results.
2. Not Carrying Out Broader Ethical Hacking
While penetration tests are thorough, they are narrower in scope than fully simulated ‘red team’ cyber attacks. Pen testing on its own is extremely useful, but there are other areas of ethical hacking that the testing will not necessarily cover. These include the kinds of techniques used by real criminals, such as social engineering and even physical intrusion. It’s important to subject your business to these broader ethical hacking techniques, as criminal hackers will no doubt exploit them. So when you come to choose a business to carry out your pen testing, make sure that it also has a good understanding of the full range of ethical hacking techniques.
3. Limiting The Scope Of The Testing
Many businesses attempt to save money on their penetration tests by focussing only on a particular area of their IT environment. This can be a very dangerous tactic, as you are effectively gambling that cyber-criminals will only attempt to attack those parts of your system that you have protected properly. In truth, when you try to save money by limiting the testing, you’re just opening yourself up to spending more money down the line. Get thorough pen testing done and feel confident in the whole of your system.
Another common problem is that companies make the mistake of assuming that parts of their system are infallible, and so exclude them from the pen testing. Be aware that even if your cyber-security team is sure of the strength of certain defences, the whole point of an external penetration test is to find out whether this is true. Even if you discover that your system is well protected, the test was still worthwhile for the peace of mind it gives you.
4. Not Testing Systems Regularly Enough
Some organisations make the mistake of assuming that having one penetration test carried out means that they are protected for the foreseeable future. The truth is that this can leave your system vulnerable very quickly, given the rapid rate at which new threats evolve. With growing digitisation, more aspects of your business require cyber-security than ever before. Therefore it is highly recommended that pen tests be performed quarterly, as well as after any significant changes or upgrades to your infrastructure or applications.
5. Not Acting Properly On The Results
The most important thing that you need to do following completion of a pen test is to act on the results. A pen test will show you where your organisation is weakest and can also provide the insight and advice needed to help address any identified problems, but after this, it is up to you to implement those changes and ensure that your systems are protected.