The short answer is probably not.
But let’s start at the beginning. To truly answer whether you need a penetration test, you need to know why you need one.
- Are you uneasy about the security of your environment?
- Is a third party recommending you consider it?
- Do you need one to comply with certain regulations for your industry?
If you answered yes to the third question, then, unfortunately, you are going to have to bite the bullet. But if you aren’t required by regulations to run penetration tests on your environment, read on to find out what you should look out for and why it might not be needed after all.
What exactly is a penetration test anyway?
Also known as a pen test, it’s a simulated cyber attack on your network to check for exploitable vulnerabilities. Penetration tests are performed by third-party vendors who are unfamiliar with your network. Also known as “ethical hackers”, they are hired to intentionally hack into your system and find all of the blind spots in an attempt to increase security. A test can involve attempted breaches of any number of application systems to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
You might’ve heard that this is the best way to detect any vulnerabilities in your environment, but while that may be the case, it might not actually help you very much. Let’s dive into some of the downsides of doing a pen test.
The price of a penetration test can range from a few thousand dollars for a non-complex business to more than $100,000 for complex enterprises. Even though the price clearly varies, the cost is often prohibitive for small to medium-sized businesses. And if you’ve found a more affordable option, make sure you know what you’re getting. A true penetration test involves real people spending real time hacking into your environment, not just software running remotely. That’s a vulnerability scan, not a penetration test. The line is blurry with some providers, so make sure you ask for clarification.
So what is a vulnerability scan then?
Vulnerability scans are performed by automated tools with the goal of checking for known software vulnerabilities that could be exploited. There are two main types: unauthenticated and authenticated. An unauthenticated scan is run from the perspective of an intruder who has no credentials on the network, while an authenticated scan is run as a trusted network user; together they show which vulnerabilities are reachable from each position. But once you have all of the information, what do you do with it?
Identifies the Problem but No Solutions
Yes, a penetration test will identify the intricate blind spots in your environment and a vulnerability scan will let you know the issues with your business software, but now what? It’s like going to the mechanic and having them tell you EVERYTHING that is wrong with your used car. Ok, that’s great, but where do I even start? And do I really have to fix everything? All the penetration test will do is give you an assessment, then leave you empty-handed when it comes to making improvements. So basically, you pay thousands of dollars for the test but will still have to pay even more for an expert to come in and provide solutions for the vulnerabilities.
Furthermore, if your company is aware that it doesn’t have certain security measures in place already – like managed firewalls or updated antivirus services – then all the penetration test will do is tell you what you already know without providing you with solutions.
OK, so now that we’ve told you all the downsides of a penetration test, you’re probably thinking there’s no way for you to know if your network is truly secure, if your internal IT department is actually doing everything they should be doing, or if your technology provider is taking care of everything. We might just have an answer for that…
Looking for a better way to evaluate?
Penetration tests aren’t the end-all, be-all. There are better ways to evaluate the security of your technology.