Penetration testing: A modern day essential

Owen Wright, Assurance Director, Context Information Security

Cyber security is a growing concern for organisations of all shapes and sizes, with any company that fulfils a vital function or holds sensitive information being a target. Having a strong cyber security strategy has become a necessity, not a luxury, and one of the most effective ways to maintain a strong cyber security strategy is penetration testing. The main aim of penetration testing is to identify technical vulnerabilities in IT and communications systems that could leave your organisation open to attack, should they be exploited by a potential threat actor – from a disgruntled employee or casual hacker to a state-sponsored cybercriminal. Once identified, these weak points within a network infrastructure, application or even business logic can be remediated to strengthen your overall security posture. You can think of a penetration test as a fire drill for IT security. A fire drill which simulates the real thing might reveal that a door is routinely locked, an exit is blocked, or fire extinguishers are missing or non-functional. Flammable materials lying around also present a real risk of malicious fires. A penetration test provides that same kind of real-world attack experience by mapping vulnerabilities, exposing gaps in security policy and process and ultimately managing risk.

Traditionally, penetration testing has been seen as something only large enterprises need and have the budget for, but the truth is that small and medium-sized businesses are now firmly in the cybercrime cross-hairs and are in need of protection. In fact, recent research from Symantec suggests 60 percent of attacks are aimed at the SMB sector. It is no longer a question of whether you can afford a penetration test but rather whether you can afford to be breached. Breach costs can be financially devastating by the time you've rolled forensic investigations, incident mitigation and reputational damage into the total cost. Experian's third annual data breach preparedness study reveals a worrying lack of understanding among SMEs regarding the true cost of a data breach, with estimates falling short by an average of 40 percent.
More recently, cyber criminals are also looking to directly monetise hacking through the likes of ransomware, a fast-spreading type of malware that encrypts computer files, rendering the data unusable. The hackers then simply demand payment, usually in Bitcoin, in exchange for a key to unlock your files.

Although penetration testing was once seen as the preserve of major corporations and financial institutions, it is now an essential part of information security strategies for companies of all types and sizes.

So, where the impact used to be in terms of fines or loss of reputation and business, there is now more likely to be a direct financial impact. Many SMBs are constantly looking for ways to cut costs and may consider cheaper alternatives to penetration testing, for instance looking to test themselves. Setting aside cases where obtaining a penetration test from an independent third party is a requirement, even if you were just looking to self-assess your security posture there are still plenty of good reasons not to do so. The main reason is the complexity of penetration tests: the person responsible for the testing may not have the technical knowledge needed to carry out its various aspects. Another is that self-testing is prone to providing an unrealistic picture, as an internal employee brings additional access and knowledge of their own infrastructure that an outside attacker would not have, which can skew the results. The fact that an external provider will be unbiased and independent really cannot be stressed enough, as these are vital requirements for a meaningful penetration test.

Another cheaper solution that is often considered is automated vulnerability scanning. Such scans have their place and can help an organisation to improve its security posture if the identified issues are properly remediated. However, a vulnerability scan can only go so far. Anything more complicated than simple scans of infrastructure and web applications can produce a lot of false positives, and any issues reported will need to be manually reviewed to confirm they are legitimate. Automated scanning should therefore only be used in conjunction with a more robust, manual penetration test approach, not as a replacement for it.

A successful penetration test does not end after the test has been done; it must also assess the impact of any issues found. A properly conducted pen test by a team of certified professionals will result in a comprehensive and focussed report; far more so than any automated process could hope to achieve. This is important, because the success of the testing should be measured less in what has been found and more in how those weaknesses can be mitigated. By providing clarity through detailed reports stating the technical impact and ease of exploitation, you can better understand the risk and so be in a better position to implement the most appropriate and proportionate mitigation methods. With network breach and data loss headlines appearing day-in, day-out, the threat to businesses is not going away and the impacts are far reaching.