What’s better for your bottom line: investing in cybersecurity now, or rebuilding your reputation after hackers steal your client data? If you’re a technology company, the public assumes you’re also security experts, the last place they would expect to get hacked, which compounds the embarrassment if you are breached. Without dedicated security personnel (or the training to develop them), sufficient and targeted spending on security, and buy-in from top decision-makers who grasp the need for that investment, you could be leaving the door wide open.
Our penetration testing team shows all kinds of organizations how to prevent attacks, and we’ve found that a frighteningly small number of companies fully understand how well they’re protected. We recommend that all companies, especially technology companies, engage a penetration testing team to help them understand their exposure to hackers.
What’s penetration testing (and what isn’t it)?
Penetration testing, or “pen testing,” first seeks out weaknesses and vulnerabilities that could be exploited in your information systems, your monitoring processes and procedures, and your employees. The testers then exploit those vulnerabilities to simulate what a real attacker would do. If a pen tester can reach your sensitive data, so can a real attacker, who would then exfiltrate it from your company’s network.
It’s a form of “ethical hacking,” and it differs from malicious hacking in that the company gives the pen testers permission before any action is taken, and, of course, the goal is to help the client protect their systems and data rather than steal them. A penetration test assesses both your preventive controls and your detection controls: how good are you at preventing breaches, and, when one happens, how quickly do you notice?
Penetration testing is not to be confused with vulnerability scanning, a much less intensive assessment that uses an automated tool rather than manual testing by a team of experts. A vulnerability scanner checks your systems against a list of known vulnerabilities (typically by software version and configuration), it is prone to false positives, and it does not confirm whether a finding is actually exploitable. Think of it as a play or musical: vulnerability scanning is akin to reading the script to understand the plot and main characters, whereas a penetration test is more like a dress rehearsal, more in-depth and closer to the actual performance. (We mention this difference specifically because there are companies out there claiming to offer penetration testing that actually provide vulnerability scanning.)
What can you learn from penetration testing?
With penetration testing, a team manually infiltrates your systems, trying different tools and techniques to map out your network and to identify and exploit vulnerabilities, rather than just checking whether they exist. The testing typically takes place over a few days with specific goals in mind. The aim is to identify holes in your systems, as well as holes caused by people and weak processes, and to show how real the impact could be if an attacker exploited them. Here’s what you can expect to learn from a properly executed penetration test:
Learn how strong your defenses are.
- Penetration testers will do everything they can to infiltrate your systems, and they will test your people, processes, and procedures as well. Once they find the chinks in your armor, they exploit them to find out just how far they go. After testing, you’ll know where you need to add more security and where you’re doing well.
Know what you don’t know.
- If you had a data breach, would you even realize it? Many companies go months before detecting a breach, if they ever detect it at all. Pen testers help you understand and fortify your detection capabilities by performing suspicious activities and “stealing” your data to check whether that sets off your alarms. If they go unnoticed, you’ll want to invest in stronger detection and make sure you have an incident response plan in place.
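To make the “would you even notice” question concrete, here is an added example of the kind of detection logic that a pen tester’s simulated data theft should trip. It is not code from the original article or from any particular product. It reads a handful of constructed flow-log lines, adds up each host’s outbound bytes to destinations that are neither inside the organization’s own address space nor on a bulk-transfer allow list, and flags any host whose volume exceeds a multiple of its assumed daily baseline. The log format, the addresses, the allow list, and the baselines are all assumptions made for this example.

```python
"""Toy exfiltration check over constructed flow-log lines (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: a workstation with light browsing, a
# server doing its normal nightly backup to an internal target, and a
# workstation pushing roughly 700 MB to an outside address at 02:00.
SAMPLE_LOGS = """\
2024-05-01T09:12:01Z src=10.0.1.15 dst=142.250.80.46 dport=443 bytes_out=81920
2024-05-01T09:40:33Z src=10.0.1.15 dst=142.250.80.46 dport=443 bytes_out=40960
2024-05-01T23:00:05Z src=10.0.2.8 dst=10.0.9.2 dport=22 bytes_out=734003200
2024-05-01T02:13:44Z src=10.0.1.22 dst=203.0.113.9 dport=443 bytes_out=629145600
2024-05-01T02:20:10Z src=10.0.1.22 dst=203.0.113.9 dport=443 bytes_out=104857600
"""

# Assumed configuration. In a real deployment the baseline would be learned
# from weeks of history rather than typed in by hand.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_BULK_DESTS = {"10.0.9.2"}            # the sanctioned backup target
BASELINE_BYTES_PER_DAY = {
    "10.0.1.15": 5_000_000,
    "10.0.1.22": 5_000_000,
    "10.0.2.8": 800_000_000,                 # backup server moves a lot of data
}
DEFAULT_BASELINE = 5_000_000
BUSINESS_HOURS_UTC = range(7, 20)            # 07:00 to 19:59 UTC, assumed

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(log_text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        }


def is_internal(ip_str):
    """True if the address falls inside one of our own network ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in INTERNAL_NETS)


def find_exfil_candidates(log_text, baseline=BASELINE_BYTES_PER_DAY,
                          allowed=ALLOWED_BULK_DESTS, multiplier=10):
    """Return one finding per source host whose outbound volume to external,
    non-allow-listed destinations exceeds multiplier x its daily baseline."""
    external_bytes = defaultdict(int)        # src -> bytes sent externally
    destinations = defaultdict(set)          # src -> external destinations
    off_hours = defaultdict(bool)            # src -> any flow outside hours
    for rec in parse_flows(log_text):
        if rec["dst"] in allowed or is_internal(rec["dst"]):
            continue
        src = rec["src"]
        external_bytes[src] += rec["bytes"]
        destinations[src].add(rec["dst"])
        if rec["ts"].hour not in BUSINESS_HOURS_UTC:
            off_hours[src] = True

    findings = []
    for src, total in external_bytes.items():
        threshold = multiplier * baseline.get(src, DEFAULT_BASELINE)
        if total > threshold:
            findings.append({
                "src": src,
                "bytes_out": total,
                "threshold": threshold,
                "destinations": sorted(destinations[src]),
                "off_hours": off_hours[src],
            })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(SAMPLE_LOGS):
        print(f"{f['src']}: {f['bytes_out']} bytes to {f['destinations']} "
              f"(threshold {f['threshold']}, off-hours={f['off_hours']})")
```

On the sample data only 10.0.1.22 is reported: the backup server’s large transfer goes to an allow-listed internal host, and the browsing workstation stays well under ten times its baseline. The off-hours flag is recorded separately rather than used as a trigger, because a tester who schedules the “theft” during business hours would otherwise slip through; a rule that keys only on time of day is exactly the sort of gap a pen test is meant to expose.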
Ensure adherence to compliance regulations.
- Depending on the type of data your company handles, there may be specific regulations you need to follow. For example, if you store any health data, you had better be sure you’re HIPAA (Health Insurance Portability and Accountability Act)-compliant, or you could face a large fine. Technology companies typically need a SOC 2 (System and Organization Controls) report and, if they handle payment card data, PCI DSS (Payment Card Industry Data Security Standard) compliance; companies that collect, store, or process the personal data of people in the European Union need to stay on top of GDPR (General Data Protection Regulation). Penetration testing can help you find out whether you’re up to code, and some standards require it: PCI DSS, for example, mandates regular penetration testing of the cardholder data environment.
Spend your budget wisely.
- By exposing weaknesses in your defenses and your detection capabilities, and gaps in your regulatory compliance, a penetration test lets you allocate your budget where it best protects you, instead of blindly throwing money at solutions that don’t help.
What do technology companies need to look out for?
Three things:
1. Create the right team. (It’s challenging but imperative.)
Don’t confuse your IT team with a cybersecurity team. IT staff won’t necessarily have the skill set required to build the level of security you need. Finding the right people is challenging in any field, but for cybersecurity roles in particular, demand far outpaces supply. The shortage of skilled personnel and resources leaves many companies unable to create or sustain a sufficiently strong protection strategy. Even when teams are in place, departments acting as silos can leave gaps in cybersecurity, a problem particularly common after acquisitions, which are commonplace in the technology space. A simpler approach to building a cybersecurity team is to outsource one: a cybersecurity firm can help you with pen testing and much more.
2. Recognize the value of investing in penetration testing. (We’re talking to you, executive management!)
IT teams know that getting buy-in from those who control the purse strings is no simple task. The reality is that no modern company can operate without security investment, especially a technology company. Investing in cybersecurity is a form of insurance: nobody wants to pay for it, but if the worst happens, it can save your company.
3. Address your customers’ unique security needs (all of them).
Pen testing can be done on your network, your wireless network, your web or mobile app, or your internet of things (IoT) deployment, so whatever you have needs to be tested. The goals of a pen test are determined by what you most need to protect and where the company’s biggest risk lies, which depends on what your clients rely on you for. Some clients rely on you to keep their data protected; no company wants to be breached because of its third-party technology provider. Other clients may be less concerned about data but rely on your technology to always be up and running, so availability is what needs testing.
Don’t fall victim to the thinking that one or two good products will cover you for anything. You need experts evaluating your weaknesses and monitoring your systems to make sure you’re protecting the right things well.
What to do next
Sure, a company like Uber can recover from a hacking scandal (although not without a significant dent in both its reputation and its valuation), but according to Inc.com, 60 percent of small businesses fold within six months of a cyber attack. So, it’s time to engage a penetration testing firm if you haven’t already.
Look for a firm with relevant experience and qualifications such as Certified Ethical Hacker (CEH), GIAC Certified Penetration Tester (GPEN), Offensive Security Certified Professional (OSCP), and Certified Information Systems Security Professional (CISSP). We also recommend that you agree on a framework ahead of time, based on your goals: it should define the scope of work (which systems are in and out of bounds), the rules of engagement, and the steps testing will take.