Hearing “all of your confidential information is extremely vulnerable, we know this because…” is bad news, but whatever follows the ellipsis determines just how bad. Consider two scenarios.
- “All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”
- “All of your confidential information is extremely vulnerable… we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.”
61 percent of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.
Scenario 2 is what you hear after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of the security flaws that a hacker could exploit, and of the possible consequences. It is the equivalent of a doctor giving a physical examination. This information lets you know what your risks are and plan your security policies accordingly.
Vulnerability tests should be conducted quarterly, or whenever you are incorporating new equipment into your IT network. They can be done by in-house IT or outside consultants.
What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective (e.g. “compromise this piece of data…”). A vulnerability scan tells you “what are my weaknesses?” and a pen-test tells you “how bad a specific weakness is.”
How often should you pen-test: Different industries will have different government-mandated requirements for pen-testing. One of the more broad-reaching regulations, the PCI DSS, for example, requires pen-testing on an annual basis. However, it is prudent to go beyond the legal minimum. You should also conduct a pen-test every time you have:
- Added new network infrastructure or applications,
- Made significant upgrades or modifications to infrastructure or applications,
- Established new office locations,
- Applied a security patch, or
- Modified end-user policies.