Are you interested in improving the cyber security of your business? If so, having penetration testing carried out is an important step in the process. During a penetration test, an ethical hacker or team of specialists will attempt to safely break into your IT system. They will then provide you with details of how they were able to do it, as well as offering advice on what you will need to do to improve your organisation’s defences. Here is how you can arrange a penetration test for your business in six steps.
Step One: Choose an ethical hacking specialist
The first important step is to choose the ethical hacking and cyber security specialists who are going to be carrying out your penetration test. It is best to work with an independent team of industry-certified penetration testers who don’t possess first-hand experience of your systems and can approach assessments from a fresh perspective.
Ensure that you select a team with a wide range of hacking experience, incorporating everything from infrastructure and application testing to different forms of social engineering. This will help to ensure that a greater number of exposures are identified.
Step Two: Plan thoroughly
Next you need to plan the scope of the assessment. Go through it with your testers and have an agreement in place for what areas of the IT environment will be tested. In an ideal world you would make no part of your system off-limits, as this is supposed to be a test of how your defences would stand up to a real attack.
Penetration testers will not be able to exhaustively test your entire system, so if you have specific areas or assets that you would like to prioritise you should let the testers know beforehand.
Step Three: Don’t pre-empt the test
It is absolutely essential that you should not attempt to put any plans in place beyond the normal system of your penetration test. Changing your defences in any way or preparing yourself for the incoming attack defeats the object of the test – you aren’t trying to demonstrate how good your defences are, you are simply trying to uncover any potential weakness that could be exploited by cybercriminals.
Step Four: Tell as few people as possible
It is vital that you keep as many people in the dark about the test as possible. The ideal penetration testing scenario would be carried out without the knowledge of the majority of the staff in the business so that you can see exactly how people respond. This can be an interesting way to understand whether any additional staff training is required.
Step Five: Don’t use it as a reason to blame someone
Remember that a penetration test is not a way to single out anyone for blame should an assessment discover vulnerabilities. If the testers are able to break into your system and access data, this doesn’t mean that the appropriate action is to punish the IT team or discipline staff who didn’t take the correct steps. Using the penetration test as an excuse to punish staff will lower morale in the company and make it seem like you were just trying to catch them out. A penetration test should be viewed as a learning exercise.
Step Six: Follow up the results
Remember that the overall point of the penetration test is to expose flaws within networks and applications – but that is not where it should end. Ultimately you need to use the results of the penetration test to improve your cyber security. A penetration test will take time and resources so if you fail to follow up on the results after it has been completed, it will all be a waste.
Your penetration testers will put together a report with advice and recommendations for the changes that could be made to your system to ensure it is better protected in future. Additionally, the test can help you understand where to channel future investments in your cyber security. Make sure you carry out those changes to make the penetration testing engagement a success.
