How Often Should You Be Running Penetration Tests?

Today’s business environment is global and highly-interconnected. As data, users and services increase, so too does the need for organisations to remain vigilant and prepared for a cyber-attack.

Adding to this is the frequency and level of sophistication in attacks, which has grown rapidly in recent years.

Being proactive is critical. And a key offensive component of any strong security program is penetration testing. It allows organisations to discover and manage vulnerabilities, avoid costly downtime and preserve brand and corporate reputation.

Despite this, too many organisations choose to do the bare minimum and conduct penetration tests only when required, such as complying with regulatory or legislative compliance obligations, which generally results in a box ticking exercise to appease the auditors.

For many other organisations, penetration testing is performed following a breach. By that stage, it’s too late. A malicious actor has gained access and achieved what they set out to do - leaving the organisation to respond to the incident, and scurry to protect their data and potential erosion of shareholder and customer trust.

Being proactive with regular penetration tests can leave an organisation feeling like they may have paid for something that may not reduce their exposure to a security breach. Yet penetration testing is more than simply checking a box.

“Penetration Testing itself can include a range of different things,” says David Morrison, General Manager - Governance, Risk and Compliance at Loop Secure.

“The tests themselves can include automated or manual techniques, and can be performed on a range of services, including web applications, network devices, mobile devices or other points of exposure. The techniques used also vary, and could include social engineering, phishing, physical intrusion or traditional scanning and analysis techniques.”

But are “pentests” needed? Five years ago, there was plenty of argument that they weren’t worth doing.

Morrison explains that today, the general consensus seems to have changed. “Pentesting has come a long way in a short space of time. So much so, it is now a core component of any cyber security strategy and has now reached a level of sophistication that matches most skilled malicious actors.”

“The best way to secure your defences starts with the right organisational mindset - that is, taking an offensive approach and hiring the best security team that your budget will allow. Organisations also need to be willing to expose their security weaknesses and implement remediation measures, rather than taking an ‘it will never happen to us’ approach as it will come back to bite you.”

Penetration tests have a number of benefits. First and foremost, security breaches and service interruptions are costly. Service downtime means lost revenue for your organisation, and it places a dent in your brand reputation. For some organisations, it can also result in hefty fines.

Penetration tests also help expose vulnerabilities that may not be identified by other testing techniques, such as automated scans and system audits. Through penetration testing, organisations can discover their vulnerabilities, prioritise them, and take steps to tighten security even further.

These benefits clearly demonstrate the value of penetration tests. However, the frequency is not so clear, and depends on a number of factors.

For example, some industries, such as the financial sector, can be a more popular target for a cyber-attack, placing organisations in this sector at greater risk.

Frequent penetration testing might also become a legal requirement for the finance sector. The Australian Prudential Regulation Authority (APRA) wants to shore up the security of Australia's finance industry by making financial services firms adhere to a cyber security prudential standard to ensure they’re keeping their systems secure against the latest trends in attack. These standards (CPS-234) are due to be implemented mid-2019 and will force financial services firms to review their cyber strategy.

Other factors can determine the frequency of penetration tests. For example, the addition of new network infrastructure or applications, or when new office locations are established. These types of changes potentially create new points of vulnerability, which can be identified by the right type of penetration test.

Despite your industry regulations or the changes in your IT assets, any organisation that handles data, and needs to maintain the confidentiality, integrity and availability of this data, particularly personal customer and transactional data, would agree that annual penetration tests are too infrequent.

According to Morrison, most organisations with sophisticated security programs have rolling penetration tests.

“Having a rolling penetration testing program will allow your organisation to discover a range of different vulnerabilities, and to remediate these vulnerabilities much faster than would be possible through an annual penetration test. Therefore, go beyond the standard annual requirement and penetration more regularly, using a range of techniques and targets. The stakes are too high for your organisation.”