With cyber threats continuing to evolve rapidly, it’s increasingly important for organisations to regularly test their security posture.
Penetration testing, conducted by professional ethical hackers, is a security assessment designed to help organisations identify hidden vulnerabilities across networks, systems and applications.
The challenge for many businesses can be understanding when and how often pen testing should be performed. Redscan recommends that every organisation commission pen testing to assess critical systems at least annually, while large businesses should conduct them at least quarterly.
It is, however, also necessary to consider additional testing around key business events. This blog outlines four scenarios where additional penetration testing should be conducted.
1. After significant infrastructure changes
As organisations grow, their IT environments are constantly evolving. Increased cloud adoption, proliferation of IoT devices and rise of BYOD and remote working are creating new security risks that could leave environments more vulnerable to attack.
Organisations making significant changes to their on-premises, cloud or hybrid infrastructure need to keep security testing front of mind, to ensure that assets remain free from vulnerabilities and are securely configured.
Penetration testing should also be conducted after the installation of new security technologies. Scenario-based testing can help to validate and improve the effectiveness of cyber defences to safeguard against the latest threats.
2. When launching a new product, service or application
Launching a new product or service is a daunting and time-consuming task for any business but rushing to market without taking the necessary security precautions could be a costly mistake.
Web application testing should form an essential part of the QA process, helping to uncover software vulnerabilities related to data encryption, authentication, session management and input validation (such as SQL injection). Testing should also be conducted prior to the release of major product updates.
3. When going through a business merger or acquisition
With IT environments going through an unprecedented rate of change and huge amounts of digital assets changing hands, security testing should form a vital part of the M&A process.
Given the vast amount of confidential data that will need to be shared between parties, data security is essential. Penetration testing should be performed before and after any merger or acquisition to help protect organisations at this crucial juncture. A cyber-attack that occurs during this process can be hugely damaging for organisations’ reputation and value.
4. When working towards regulatory compliance
Regardless of the industry a business operates in, serious regulatory sanctions await if it fails to take appropriate steps to improve security.
With the introduction of the GDPR and DPA 2018, regulators are taking an increasingly hard-line approach to any organisation that falls short of data and information security requirements. Likewise, organisations falling under the scope of the PCI DSS and NIS Directive will find themselves in hot water if they fail to perform security assessments on a regular basis.
PCI DSS penetration testing, for instance, must be performed on an organisation’s complete cardholder data environment (CDE) at least annually.
How can Redscan help?
Redscan is the back-to-back winner of Computing Security’s Pen Testing Solution of the Year award, and you can trust our experienced team of security consultants to conduct the regular assessments you need to identify and address vulnerabilities, plus support compliance with the latest regulations and standards.