While every business need is different, it’s best practice to perform penetration tests regularly, 1 – 2 times per year.
However, compliance, installation of new networking infrastructure, changes in cyber policies and tolerance to cyber risk all play a role in how often penetration tests need to be performed.
Some penetration testing services also offer continuous testing.
In this article, I’ve put together a simple 3 point checklist you can follow to determine how often you should perform a penetration test for your business.
Free Security Policy Templates
Get a step ahead of your cybersecurity goals with our comprehensive templates.
Why Should You Perform A Penetration Test?
Penetration tests simulate an attack against your network in order to test every aspect of your IT security management system.
Through gathering information about a certain target, finding common network vulnerabilities in systems, exploiting them to the fullest and documenting the results is what encompasses every penetration test.
The benefits of performing a penetration test are huge as it provides a unique insight from an attacker’s perspective on the robustness of your system.
Depending on the extent of knowledge that a company provides to the penetration tester, they are categorized in multiple ways that define the methodology for each test.
Considering the high costs of certified penetration tests, along with the man hours needed to choose the right vendor, set up plans, and in certain cases, configure internal access for the penetration tester, most companies perform 1 to 2 tests annually.
What Determines How Often You Should You Perform A Penetration Test?
Here’s a 3-point checklist that will help you narrow down your penetration testing requirements:
- Assess your business’s risk of cyber attacks by performing a cyber risk assessment. Focusing on cyber risk assessment will help you identify weak spots, or vulnerabilities, that need to be worked upon.
- Compliance, another huge factor for a penetration test, is the requirements certain certifications and standards have that qualify your company to operate legally. These standards are usually industry-specific.
- Most companies have a fluid environment and often make changes to critical infrastructure, software, and policies. Depending on the change, a new penetration test may need to be performed to reassess your network’s security and ensure unintended vulnerabilities are identified and resolved.
You may also want to consider the type of attack that most aligns with your goals.
For example, you would perform an external penetration test when evaluating the defense of your network to an outside attacker.
However, if your goal is to test how an attacker would proceed once inside your network, then you would conduct an internal penetration test.
Performing both tests semi-regularly provides the best way to stress test your security defenses and the readiness and responsiveness of your internal security team.
Assess Your Business’s Risk To Cyber Attacks
A security risk assessment is part of every company’s risk management strategy, or at least it should be. This is because almost every company relies on some sort of technology or information system to operate.
A security risk assessment is focused on the identification, estimation, and prioritization of risks to allow safe operation and use of Information systems. The outcome for each type of security risk is measured in terms of likelihood and impact matrix.
Depending on each company’s structure, business goal, and day to day operations, the likelihood of high-certainty attacks that would have a high impact on the business should be classified as a critical risk.
This security risk assessment matrix should be your go-to guide in helping you prioritize the risks you find.
Your Budget
Determining your budget for the cyber risk assessment will be crucial for your prioritization of cyber risks and should not be taken lightly.
If a company doesn’t invest in proper cyber risk assessment, you cannot expect your defenses to be proper.
Many companies view cyber attacks as an afterthought to running numerous profitable projects, which is a mistake.
Planning for cyber safety from day one, and taking into account cyber risk, security and privacy by design will be an achievable term that will significantly contribute to the future success of your company.
What Is The Monetary Impact?
To make things easier, you should prioritize each risk by calculating the potential monetary impact that could arise if that risk becomes a reality.
For example, imagine you have a web server hosting an eCommerce site that generates $1 million in monthly revenue. What would be the impact to your business if a threat actor exploited a vulnerability to the web server and shut it down for 1 week?
Of course, this isn’t always the scenario. If mitigating a certain risk would cost a lot more than the actual damage of a realized risk, mitigating it would be a waste of prioritization. Planning for risks by determining the frequency of attacks and allocating money towards mitigation is the key.
Compliance Requirements
Most companies strive to achieve regulatory compliance to show due diligence, attract new customers, and retain the old ones.
Some compliance standards require companies to be certified to allow them to operate, as a successful cyber attack can cause real-life damage to individuals.
The Payment Card Industry Data Security Standard (PCI DSS)
Both network and application penetration tests are required by PCI DSS and any other part of a system that can affect the mechanism of the cardholder data. This compliance mandates annual frequency of tests.
Both network and application penetration tests are required by PCI DSS and any other part of a system that can affect the mechanism of the cardholder data. This compliance mandates annual frequency of tests.
Federal Information Security Management (FISMA)
FISMA is a compliance standard relating to government institutions and does not require a penetration test, but puts heavy emphasis on it.
Health Insurance Portability and Accountability Act (HIPAA)
Strictly speaking, a penetration test is not required in order to be compliant, however, a cyber risk assessment is required.
International Organization for Standardization (ISO) 27001
ISO 27001 requires a penetration test to be performed at least annually.
Gramm-Leach-Bliley Act (GLBA)
GLBA act dictates that effective mitigation controls must be in place in order to meet the requirements. Arguably, conducting a penetration test annually will help tremendously in order to achieve this objective.
Changes To Critical Infrastructure, Software, And Policies
Companies make changes to their systems and architecture for several reasons.
New cloud vendors are chosen because they offer a better service, old software is decommissioned due to being ineffective, and old systems are decommissioned due to 3rd party vendors ending development support.
Some changes are critical to standard business operations such as phones and emails, which are required for reliable communication. In practice, network equipment changes along with new network security software change the environment.
Software solutions that deal with access control processes and user management are often changed as well.
Information security policies are one of the core requirements for any functional security system. They define the scope and most of the activities around an information security management system.
Major changes in policy lead to major changes in the information systems which requires a thorough security check. Thus, performing a penetration test around any major changes is highly recommended as it provides you with the most helpful insight into the newly defined system.
Conclusion
Penetration testing strengthens your security posture by providing you with valuable information about what outside malicious actors can see. It is highly recommended to perform penetration tests at least once a year and up to twice a year if any major infrastructure or policy change occurs.
It is very likely that your company is also subject to compliance standards that require a penetration test to be conducted. In this case, you shouldn’t just focus on ticking the box but rather use the opportunity to excel the company in the right direction.
If you happen to be a victim of a security breach, waving a paper of some cheap and basic penetration test will not save you from upset clients. As the saying goes, better safe than sorry.
Related Content
