For decades we have been providing penetration testing services for companies across the globe. From small businesses to large enterprise organizations and those in between, we’ve served them all. Many of the companies we serve receive penetration tests annually, in some cases even twice a year, while others are receiving one for the first time.
Companies having Penetration Tests Often
The companies that receive frequent penetration testing already have an idea of what they want tested and when they want it done. Like clockwork, they have the penetration test performed and then begin the remediation process for the issues that are discovered. In many instances, issues are discovered that could have led to a full compromise, while other times the penetration test validates the job they already did protecting their systems with all the hardware, software and other security solutions they have already implemented.
For these companies the mission is to find holes in their existing security and fix them. For others, the penetration test is to check a box, usually driven by a security compliance or an initiative from the board of directors.
Companies having their first Penetration Test
The push to conduct a penetration test for the first time could stem from similar pressure as the companies that routinely have penetration testing conducted. It may be triggered because of a merger or acquisition. For whatever reason, the company is testing their infrastructure for the first time.
One of the consistent questions we are asked by first-time companies is “when should a penetration test be conducted?” When is the right time? Is it before a change up in the infrastructure or overhaul of a particular system? Is it before a merger or after? Is it before they spend their IT budget or should it be built into the next year’s budget?
Time is of the essence and it’s not on your side. These are all good questions, and here is our opinion on the matter.
There is no ideal time to conduct a penetration test, only a bad time not to. Let me explain. Hackers are at it 24/7/365. They have all the time in the world to scour the internet looking for victims to target. They are opportunistic and their time is money. If they spot a company that looks soft from a security perspective, you will become their new ambition…
Hackers only see what is available to them the instant they discover you. If they feel that they have a chance to breach your system, they will begin their reconnaissance of the victim along with a few select friends, and you may or may not become a statistic.
Hackers also don’t care what you plan on doing, only what you actually are doing about your security. If you have made the commitment to have a penetration test conducted because YOU suspect there may be problems or know you have issues, don’t procrastinate. Move forward and get one done now.
Our advice to companies asking the questions above is always the same. If you are concerned about being attacked, waiting a few more days, weeks or months to verify where your issues lie is not a good idea. You need to act now, not after you’re headline news.
Validation through Penetration
In case you don’t agree, consider this. A penetration test is a validation of your security controls. It verifies if all the hardware, software, monitoring, outsourcing and the gobs of money you have spent on security solutions are working. A good penetration test will validate what is working, or what you thought was working, and will point out your soft spots as we like to call them. It will tell you what to focus on to improve your chances against hackers.
Budget Blues, The Hidden Benefit
Now if you are one of the many companies fighting for a security budget, let me share with you an additional value that a penetration test offers. A test that identifies serious vulnerabilities that were exploited in the process of the penetration test is accompanied by a detailed report. The report contains all of the ammunition you would need to convince management that they need to loosen up and spend more money on that security solution you’ve been seeking approval for.
Trust us, nothing motivates a manager or a board of directors faster than seeing a blood-red report that exposes all the company’s weaknesses within your infrastructure. The contents of the report cannot be unseen and are usually enough to get budget approval.
Bragging Rights
The other hidden bonus is that you get bragging rights if the report comes up clean and nothing is discovered. It is a rare occurrence, but it does happen to our competition… a lot…
When it does, you are going to look great in the eyes of your management. You will have validated your request for the last budget received. You’ll get brownie points too.
That makes no sense…
Some say it makes no sense to test now if you are going to make a bunch of changes in your infrastructure. While that may seem like nonsense, remember that while these changes are being planned, or equipment is being purchased, you are still bare naked, so to speak. After all, you’ve admitted that you know you have problems… If you see them, I will guarantee you that the bad guys see them too. A network overhaul can take weeks or months to complete. You need to know what you don’t know about your infrastructure to make informed decisions. A penetration test is going to tell you all you need to know about the state of the existing infrastructure.
Cheaper than other stuff you're spending money on
In our experience, we have learned that a penetration test is a fraction of the cost of an equipment and system overhaul. It is the least expensive tool and brings the most value to a security plan. There are dozens of companies that we have convinced to conduct a penetration test prior to an overhaul. They gained valuable insight into what they suspected was a concern, and into things they gave no consideration to but that turned out to be very serious issues that were NOT in their overhaul plan. The report provided critically important information that allowed the plan to be altered in time for the new changes to be made.
The way it is
These are not scare tactics. This is your reality. We live in the networks of our customers, and we see many issues that could have been resolved if companies would realize that a penetration test is like a physical exam. You get one because you feel there might be an issue that deserves a look, or you are making sure you are preemptively being evaluated to avoid future issues. Penetration testing is the very same. Don’t wait until you are security sick.
Be in the Know
If you are curious to know how much a penetration test will cost, we can assure you the process is easier than many expect. It requires a minimum amount of your time for a quote to be delivered. Our process ensures that you will know exactly what the recommended plan is, how long it will take and what it will cost. I guarantee you, it will be the wisest decision you make in regard to validating your security.
Trust me, it’s better that SecuSolutions finds the issues than the alternative. It’s definitely less costly, this we can assure you of.