The threat of a cybercriminal gaining access to your network is a constant source of anxiety. Amid all of the high-profile data breaches, businesses and organizations of all sizes have been successfully targeted by hackers who employ a wide range of different strategies. Too many companies have had to learn all about the potential cost of a data breach firsthand. The important thing to keep in mind is that all these companies had top-tier security measures and professionals, yet they were compromised.
Cybercrime is growing fast, it’s becoming more sophisticated and it’s proving to be very lucrative, which is attracting more criminals. Hackers can buy effective tools with support off the shelf on the dark web, so the barrier to entry is low. Little wonder Cybersecurity Ventures suggests that cyberattacks are the fastest growing crime and will cost the world $6 trillion a year by 2021.
There are many steps you can take to improve your security posture, but something that’s often overlooked is the need to properly and regularly test the defenses that you’ve built. Breaches are inevitable, but you can learn from them, and part of effectively preventing them in the future is getting into the mindset of your attackers.
In the aftermath of a breach, it’s natural to ask, “Where did we go wrong?” Perhaps your business employed consultants, brought in a raft of security software and took positive steps to shut down vulnerabilities. Maybe you trained your staff, invested in the latest tools and employed a superstar CISO or brought in a virtual CISO. So, how did the hackers get in? Strong security is about more than committing resources. You have to cover all the angles, and that includes subjecting the defenses you’ve built to some serious scrutiny and stress testing.
Many organizations, even very large companies, conduct annual penetration testing. That means once a year they subject their defenses to an internal and external attack designed to emulate a real hacker attack.
I’ve written about the need to test the effectiveness of your security awareness training and anti-phishing initiatives. You don’t assume every employee gets it right the first time — you test them. I’ve also talked about the benefit of real-time visibility and automated policy enforcement with regard to the internet of things blind spot. These principles apply to pen testing as well.
Cybercriminals are persistent and determined, and they will continue to hack away at your systems, often with automated tools, until they find a crack they can exploit.
It’s not just the frequency that’s creating problems here. Hiring pen testing companies can be very expensive. The skills shortage across cybersecurity suggests that’s not going to change any time soon. You’re also putting a lot of trust in the company you choose and its employees because they have access to all of your assets and knowledge of all your weak spots.
What if you could automate your penetration testing, have a research firm assure the test is most current and run it continuously? This could help you understand where to prioritize your security efforts. We come back to this triage concept frequently in discussing cybersecurity because it’s not realistic to build a foolproof security system. You have to focus your efforts where they’re likely to get the best return, and that is exactly at the vector of the worst probable breach.
Automated penetration testing will not only enable you to improve your defenses against hackers, but if you turn to insurers to underwrite your cybercrime risk, then regular pen testing will allow you to provide tangible data that they can use to ensure your coverage and your premiums are appropriate.
Cybercriminals are always probing for new ways onto our networks, and they frequently sit there undetected. If we want to combat them effectively, we need to employ the same intelligent and determined approach. Here are some quick tips to help you do that:
• Consider the risk: What are you trying to protect? Where does the greatest risk lie? Talk to the right people in your organization and ask them. Figure out where a breach would cause the most damage so that you know what you need to safeguard. Brainstorm on where risk lies and how access might be gained.
• Profile attackers: Figure out who might try to gain access to your data and build a profile of them that your pen tester can emulate. Are you concerned about rival companies, criminals and disgruntled employees? Each will likely take a different approach and pose different risks.
• Take a holistic view: You can’t just pen test your apps and call it a day. Attackers will probe and search until they find a weak spot that can be exploited. Try to analyze and test your entire network and infrastructure.
• Harvest actionable insights: You need detailed reports on your pen test findings that are then attached to remediation action. The point is to improve your security, so you need to act to close gaps and then test again to verify your actions were successful.
Real-time protection and continuous assessment of security strategies are crucial to the success of any cybersecurity plan, and penetration testing is an important part of that.