But apply that to security testing, and it’s not just money that’s on the line; it’s the protection of your data, financial loss and your reputation too. How do you know if something is truly secure if you haven’t tested it thoroughly by professionals who know what they are doing?
Testing is an area of cyber-security investment where you can’t afford to cut corners. The less you spend, the more likely you are to get a service that doesn’t have the depth, skills or expertise to keep you secure.
The problem is that anyone could set themselves up as a security tester, especially in a market where the right skills are a scarce resource. It’s easy to run an automated tool that scans your network or applications. And it’s easy to conclude there is no risk and therefore that the system is secure because no vulnerabilities have been identified.
But in reality, vulnerability scanning is just one facet of security testing. Whilst cost-effective, it isn’t always appropriate or applicable. For example, on a banking website, a scanner wouldn’t be able to look for vulnerabilities behind a secure token log-in page. There are also certain vulnerabilities that are specifically designed to avoid detection by automated tools, and these could pose a major threat to your security.
The next level up is to perform vulnerability or penetration testing assessments (so-called ethical hacking). These combine off-the-shelf and in-house developed tools, but also add a layer of manual testing by experienced testers. It takes someone with years of knowledge and experience to interpret effectively what they discover, and what it means for your security. In an evolving threat landscape, an experienced tester is also able to apply knowledge gained from similar organisations and systems, because they are performing tests daily and keep learning.
How do you find the right supplier of penetration testing services – someone you can trust, and who will do more than tick a box to say it’s been done?
There are some simple things to look for to make sure you are using certified people and accredited organisations.
The easiest way to do this is to choose a CREST accredited organisation that employs individuals who have taken CREST exams and hold CREST certifications. CREST provides organisations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skills and competence in the latest vulnerabilities and techniques used by real attackers.
Security testing is an ongoing activity that never stops, just as attacks launched by malicious people never stop. Are you doing enough to secure your business?