It’s an unfortunate reality that cyber-crime continues to evolve. No company is immune from attack and it’s not a question of if, it’s a question of when an attack will occur. Small companies often believe they are not on the “attack radar” as there is a perception that their data has less potential value for attackers. The reality is 43% of all cyber-attacks target small businesses, largely because they can serve as a conduit to access larger companies.
Periodic testing of company network resources, commonly referred to as network penetration testing, is an effective way to identify security gaps that could lead to a data breach. When evaluating options for testing, there are four important details to consider:
It’s not just about testing the external network
There is a well-known slogan that describes a food product as “crunchy on the outside and soft and chewy on the inside.” The same description fits the network security of many companies, because resources are largely focused on securing external-facing assets. The problem with this philosophy is that it overlooks the obvious risks inside the network. Since 60% of all data breaches result from an internal threat, one could easily argue that testing resources inside the firewall is more important than testing external resources.
Not all security gaps have the same potential impact
The average test will yield a variety of findings, prioritized by the potential risk each represents. While it will be tempting to focus on the highest-risk findings first, it’s also important to evaluate how likely each item is to be used in an attack. For instance, if a finding requires specific access points, specialized skills, or multiple resources to carry out a successful attack, it is much less likely ever to be used. Because most hackers are looking for an easy return on their effort, they will naturally focus on attacks that require less time and fewer resources to complete.
Scanning vs Testing
In markets where competition is tight and price is an overriding factor in selecting a company to conduct testing, it’s important to evaluate the approach. Some firms will propose a network scan as a security test. From a process perspective, most testing starts with a network scan to identify potential exploit targets. That scan is only the first step; it should be followed by a second step that tests and verifies whether a finding can actually be exploited. Without the second step, the findings from the scan cannot be quantified. Before engaging a firm to conduct testing, ask about its methodology and what steps are involved in its testing lifecycle.
The cost of testing and fixing is much less than recovering from a breach
For any company second-guessing the value of conducting a security test, consider this: the average cost of a data breach in 2021 was $4.24 million. While the cost of conducting a network penetration test will vary widely depending on the size of the environment, it’s safe to plan on spending between $10K and $30K. This expense pales in comparison to the cost of recovering from a data breach. It’s also important to note that the recovery costs do not include the reputational impact, which is hard to quantify but easy to understand.
Cyber criminals never rest, so make a solid commitment to test network resources – both internal and external – on a regular basis. Equally important is ensuring that findings are addressed in a timely manner as each one represents the potential for a data breach.