Is once a year enough? I’m talking about penetration tests, of course. The independent think tank Cyber Resilience Think Tank has recently been quoted as saying that it’s time to pension off the old “Penetration test” as it’s known. I can't say that I agree with this prediction. Quite the opposite, I'd say that we should be talking about how once a year is far from sufficient and that a penetration test isn't enough.
When organizations started carrying out penetration tests back in the early 1990s, the idea was to get an overview of all the weaknesses and vulnerabilities in their web applications. As this was a relatively new discipline, the findings presented by IT security suppliers often highlighted more than a few severe vulnerabilities. Customers just received a report that they could work with over the coming period. Some of the tests were repeated to check the vulnerabilities the customer had dealt with. A new penetration test was carried out the following year where the report – it is hoped – showed some progress. Simply put, penetration tests were used as a part of a procedure designed to reveal an organization’s weaknesses.
However, it soon became apparent that an annual penetration test wasn't enough. So, we – the industry – introduced scanning as a method for picking up on weaknesses during the year. Many companies still use this model today, and it remains a highly valuable approach for many businesses.
For enterprises that have climbed a little higher up the maturity ladder, however, scans are ceasing to be a process for identifying vulnerabilities and are becoming a patch management check instead. The problem is that scanning cannot uncover all the new attack methods and technologies. Scanning is good for checking for known vulnerabilities as of right now – but that’s as far as it goes.
What do we do about all the new attack methods that rear their ugly heads over the year? Can we live with the thought that up to a year can elapse between our tests and checks to see whether we are vulnerable as a company? For many enterprises, the answer will unsurprisingly be “no”.
That is why I believe the answer is a penetration test that takes a year to complete and features ongoing reporting. There’s no reason to bury the idea – instead, look at it in a different light. Of course, this will demand closer interaction with your cybersecurity provider. In return, however, you’ll soon see a strong return on your cybersecurity investment, as you’ll tackle vulnerabilities faster and more accurately. In particular, you’ll have the latest attack techniques tested against your environment as soon as they are released.