Do You Really Need A Penetration Test?


May 21, 2019

The short answer is probably not.

But let’s start at the beginning. To truly answer whether you need a penetration test, you need to know why you need one.

  1. Are you uneasy about the security of your environment?
  2. Is a third party recommending you consider it?
  3. Do you need one to comply with certain regulations for your industry?

If you answered yes to number 3, then, unfortunately, you are going to have to bite the bullet. But if you aren’t required by regulations to run penetration tests on your environment, read on to find out what you should look out for and why it might not be needed after all.

What exactly is a penetration test anyway?

Also known as a pen test, it’s a simulated cyber attack on your network to check for exploitable vulnerabilities. Penetration tests are usually performed by third-party testers who start with little or no inside knowledge of your network. Also known as “ethical hackers”, they are hired to intentionally break into your systems and find the blind spots so that they can be closed before a real attacker finds them. A test can involve attempting to breach any number of applications and systems to uncover vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
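The “unsanitized input” case mentioned above is the kind of thing a tester looks for by hand. The following is an added example, not code from the original article or from Integris: a login check written two ways against a constructed in-memory SQLite table. The vulnerable version pastes the supplied username straight into the SQL text, so a username of `alice' --` comments out the password check; the hardened version passes the same values as bound parameters and the payload is just a username that matches nobody. Table contents and the `login_*` function names are assumptions for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table for the example. Passwords are stored in
    clear text only to keep the demonstration short; real systems store
    a salted password hash, never the password itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Unsanitized input: the caller's strings become part of the SQL text.
    username = "alice' --" turns the query into
        ... WHERE username = 'alice' --' AND password = '...'
    and everything after -- is a comment, so the password is never checked."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Parameterized query: the driver sends the values separately from the
    SQL text, so quotes and comment markers in the input are just data."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"
    print("vulnerable, real credentials:", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injected username:", login_vulnerable(db, payload, "wrong"))
    print("hardened,   injected username:", login_hardened(db, payload, "wrong"))
```

Running the script shows the vulnerable function accepting the injected username with a wrong password, while the hardened one rejects it. The fix is not to “filter quotes” but to stop building SQL from strings at all; that is the kind of remediation a report should point you toward.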

You might’ve heard that this is the best way to detect any vulnerabilities in your environment, but while that may be the case, it might not actually help you very much. Let’s dive into some of the downsides of doing a pen test.

It’s Expensive 

The price of a penetration test can range from a few thousand dollars for a small business with a simple environment to more than $100,000 for a complex enterprise. Even though the price clearly varies, the cost is often prohibitive for small to medium size businesses. And if you’ve found a more affordable option, make sure you know what you’re getting. A true penetration test involves real people spending real time trying to break into your environment, not just software running remotely. That’s a vulnerability scan, not a penetration test. The line is blurry with some providers, so make sure you ask for clarification.

So what is a vulnerability scan then?

Vulnerability scans are performed by automated tools with the goal of checking for known software vulnerabilities that could be exploited. There are two main types: unauthenticated and authenticated. An unauthenticated scan probes your systems from the outside with no credentials, so it sees only what an intruder with no access would see: exposed services and the versions they advertise. An authenticated scan logs in with a valid account and inspects the system from the inside, so it sees what a trusted user (or an attacker who has stolen that user’s credentials) could reach, including installed software that is never exposed to the network. The authenticated view is also more accurate, because it reads the real installed versions instead of guessing from a banner. But once you have all of the information, what do you do with it?
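To make the unauthenticated-versus-authenticated distinction concrete, here is an added example that is not part of the original article and is not how any particular scanner product works. It runs two toy checks over constructed data for one host: the unauthenticated check only has the service banners visible from the network, while the authenticated check has the package inventory read from inside the host. The product names, version numbers and the `EXAMPLE-…` advisory records are all made up for the example; none correspond to real software or real advisories.

```python
import re

# Constructed advisory records (fictional products, not real CVEs):
# each says which version of a product first contained the fix.
ADVISORIES = [
    {"id": "EXAMPLE-2019-001", "product": "acmessh", "fixed_in": (7, 5)},
    {"id": "EXAMPLE-2019-002", "product": "libwidget", "fixed_in": (2, 0)},
]

# What a remote scanner sees without credentials: port -> advertised banner.
BANNERS = {22: "SSH-2.0-acmessh_7.4", 80: "widgethttpd/1.18.0"}

# What a scanner sees after logging in: the installed package list. The
# distribution shipped the acmessh fix as a backport without bumping the
# version number, which is recorded in "backported_fixes" (constructed).
PACKAGES = {
    "acmessh": {"version": "7.4p1-21", "backported_fixes": {"EXAMPLE-2019-001"}},
    "widgethttpd": {"version": "1.18.0", "backported_fixes": set()},
    "libwidget": {"version": "1.9.3", "backported_fixes": set()},
}


def version_after(product, text):
    """Extract major.minor that follows the product name in a banner,
    e.g. 'SSH-2.0-acmessh_7.4' -> (7, 4). Returns None if absent."""
    m = re.search(rf"{re.escape(product)}[_/ -]?(\d+)\.(\d+)", text.lower())
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_version(text):
    """Extract major.minor from a package version string, e.g. '7.4p1-21' -> (7, 4)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def scan_unauthenticated(banners):
    """Version-from-banner check: all an outsider can do is compare the
    advertised version with the advisory's fixed-in version."""
    findings = []
    for port, banner in banners.items():
        for adv in ADVISORIES:
            ver = version_after(adv["product"], banner)
            if ver is not None and ver < adv["fixed_in"]:
                findings.append((port, adv["id"]))
    return findings


def scan_authenticated(packages):
    """Inventory check: sees every installed package, including ones that
    never listen on the network, and can honour backported fixes."""
    findings = []
    for name, info in packages.items():
        for adv in ADVISORIES:
            if adv["product"] != name:
                continue
            ver = parse_version(info["version"])
            if ver < adv["fixed_in"] and adv["id"] not in info["backported_fixes"]:
                findings.append((name, adv["id"]))
    return findings


if __name__ == "__main__":
    print("unauthenticated:", scan_unauthenticated(BANNERS))
    print("authenticated:  ", scan_authenticated(PACKAGES))
```

The two runs disagree in both directions: the unauthenticated check flags the SSH service from its banner even though the fix was backported, and it cannot see `libwidget` at all because nothing exposes it to the network, while the authenticated check reports only the library that is actually unpatched. That is why an authenticated scan is the more useful of the two when you have the credentials to run it, and why banner-only results need verification before anyone spends money fixing them.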

Identifies the Problem but No Solutions

Yes, a penetration test will identify the intricate blind spots in your environment and a vulnerability scan will let you know the issues with your business software, but now what? It’s like going to the mechanic and having them tell you EVERYTHING that is wrong with your used car. Ok, that’s great, but where do I even start? And do I really have to fix everything? All the penetration test will do is give you an assessment, then leave you empty-handed when it comes to making improvements. So basically, you pay thousands of dollars for the test but will still have to pay even more for an expert to come in and provide solutions for the vulnerabilities.

Furthermore, if your company is aware that it doesn’t have certain security measures in place already – like managed firewalls or updated antivirus services – then all the penetration test will do is tell you what you already know without providing you with solutions.

Now what?

Ok so now that we’ve told you all the downsides of a penetration test, you’re probably thinking, there’s no way for me to know if my network is truly secure, or if my internal IT department is actually doing everything they should be doing, or if my technology provider is taking care of everything. We might just have an answer for that…


Looking for a better way to evaluate?


Penetration tests aren’t the end all, be all. There are better ways to evaluate the security of your technology.

Tyler Daniels is a Senior Marketing Specialist with Integris.
