Do You Really Need A Penetration Test?

by Tyler Daniels

May 21, 2019

The short answer is probably not.

But let’s start at the beginning. To truly answer whether you need a penetration test, you need to know why you need one.

  1. Are you uneasy about the security of your environment?
  2. Is a third party recommending you consider it?
  3. Do you need one to comply with certain regulations for your industry?

If you answered yes to number 3, then, unfortunately, you are going to have to bite the bullet. But if you aren’t required by regulations to run penetration tests on your environment, read on to find out what you should look out for and why it might not be needed after all.

What exactly is a penetration test anyway?

Also known as a pen test, it’s a simulated cyber attack on your network to check for exploitable vulnerabilities. Penetration tests are performed by third-party vendors who are unfamiliar with your network. Also known as “ethical hackers”, these testers are hired to intentionally hack into your systems and find all of the blind spots, with the goal of improving security. A test can involve attempted breaches of any number of application systems to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.

You might’ve heard that this is the best way to detect any vulnerabilities in your environment, but while that may be the case, it might not actually help you very much. Let’s dive into some of the downsides of doing a pen test.

It’s Expensive

The price of a penetration test can range from a few thousand dollars for a non-complex business to more than $100,000 for complex enterprises. Even though the price clearly varies, the cost is often prohibitive for small to medium-sized businesses. And if you’ve found a more affordable option, make sure you know what you’re getting. A true penetration test involves real people spending real time hacking into your environment, not just software running remotely. That’s a vulnerability scan, not a penetration test. The line is blurry with some providers, so make sure you ask for clarification.

So what is a vulnerability scan then?

Vulnerability scans are performed by automated tools with the goal of checking for known software vulnerabilities that could be exploited. There are two main types: unauthenticated and authenticated. An unauthenticated scan is run from the perspective of an intruder who has reached the network but holds no credentials, while an authenticated scan is run as a trusted network user, so each shows the vulnerabilities reachable from that position. But once you have all of the information, what do you do with it?

Identifies the Problems but Offers No Solutions

Yes, a penetration test will identify the intricate blind spots in your environment and a vulnerability scan will let you know the issues with your business software, but now what? It’s like going to the mechanic and having them tell you EVERYTHING that is wrong with your used car. Ok, that’s great, but where do I even start? And do I really have to fix everything? All the penetration test will do is give you an assessment, then leave you empty-handed when it comes to making improvements. So basically, you pay thousands of dollars for the test but will still have to pay even more for an expert to come in and provide solutions for the vulnerabilities.

Furthermore, if your company is aware that it doesn’t have certain security measures in place already – like managed firewalls or updated antivirus services – then all the penetration test will do is tell you what you already know without providing you with solutions.

Now what?

Ok, so now that we’ve told you all the downsides of a penetration test, you’re probably thinking there’s no way for you to know if your network is truly secure, if your internal IT department is actually doing everything it should be doing, or if your technology provider is taking care of everything. We might just have an answer for that…


Looking for a better way to evaluate?


Penetration tests aren’t the end-all, be-all. There are better ways to evaluate the security of your technology.

Tyler Daniels is a Senior Marketing Specialist with Integris.
