As companies digitize their business operations and processes, we tend to underestimate the new technology risks we are exposed to. One of the major risks is hackers exploiting a vulnerability that exists within your IT infrastructure. Once an attacker gains entry into your internal network, it becomes extremely likely that they could take full control of your IT infrastructure. According to a study conducted by Microsoft and Frost & Sullivan:
A large-sized organization in Asia Pacific can possibly incur an economic loss of US$30 million, more than 300 times higher than the average economic loss for a mid-sized organization (US$96,000) [in the case of a breach]; and cybersecurity attacks have resulted in job losses across different functions in almost seven in ten (67%) organizations that have experienced an incident over the last 12 months.
To mitigate the risk of a security incident, we need to be able to prevent, detect, respond to and recover from such attacks. We can prevent many attacks by remediating all known software vulnerabilities and performing regular security assessments to identify possible unknown vulnerabilities. However, we can never guarantee that a system is secure forever, so we also need a proper procedure for detecting, responding to and recovering from incidents. Here, we will focus on why we need to perform a security assessment, such as Penetration Testing, on our IT infrastructure so that we can prevent these nasty incidents from happening.
Penetration Testing, also called ethical hacking, white-hat hacking, or pen testing, is a form of security assessment that tests a computer system, network, or software application to find security vulnerabilities that an attacker could exploit. The scope of penetration testing can vary depending on our requirements. It could range from a simple single web application penetration test to a full-scale penetration test on the company, also known as Red-Teaming or Adversarial Simulation.
Here are four reasons why businesses should consider conducting a penetration test on themselves:
1. Risk Assessment
How much is your business worth today? How crucial is your IT infrastructure to your business? How much would it cost if that IT infrastructure were disrupted for a day? This thought exercise is, in essence, a risk assessment of your business: it uncovers the risks you are exposed to and their impacts. You can either do it on your own or engage an expert to conduct an independent risk assessment. The result of the risk assessment should give you a prioritized list of objectives that you need to achieve in order to secure your business. Depending on the likelihood and impact of the threats, Penetration Testing can be one of the top-priority objectives.
As we continue on, we will touch on various impacts and threats that your business may face. These threats should be properly addressed if the risk is deemed significant to your business.
2. Regulations and Compliance
During the risk assessment, you will assess the impact of not complying with certain laws and regulations if you do not perform a penetration test on your products. Non-compliance with regulations may cost you a hefty fine, lose you your license to operate, or even worse, get you jail time. It is important that you seek legal counsel to assess local laws and regulations and ensure that your company complies with them. If your company is a financial institution in Singapore, it is required to comply with local financial regulations, such as the MAS Technology Risk Management (TRM) Notice. The MAS TRM requires you to perform security assessments, such as Penetration Testing and other forms of security assessment, on your IT infrastructure and applications.
Data privacy has been getting more attention, and regulators in different countries are implementing strict data privacy laws to protect their citizens. The European Union's GDPR, Singapore's PDPA, and Indonesia's PDP Bill are examples of data privacy regulations implemented in different countries. Your company may be subject to those privacy laws so long as it has customers residing in that country. Even though Penetration Testing may not directly address data privacy concerns, it helps to reduce the risk of a data breach caused by software vulnerabilities.
3. Reputation
Your company's reputation will definitely suffer when a data breach occurs and is publicly announced. This may cause a loss of customer confidence and lead to a drop in revenue and profit. Your company's share price will also be affected, as investors may worry about the above impact. As people come to understand data privacy and how it affects them, the impact of a data breach will increase tremendously and could cause significant loss to the company.
4. Competition and Rivalry
Losing your company's proprietary data will be disastrous, especially if this data ends up in the hands of your rival companies. While your competitors may not be the ones performing cyber attacks on you, they could acquire this data indirectly. Cybercriminals like to publish their wins on public websites, such as Pastebin, or sell this information on the dark web in exchange for cryptocurrency. Your competitor may get hold of this information through either of these two channels, and you may never know it. This goes back to the risk assessment: identify the threats to your proprietary data and their impact on your business.
Penetration testing can help to mitigate the threats behind the above risks that your business may face. However, it must be complemented by good security practices adopted throughout the business. By taking a risk-based approach to cybersecurity, you will address the prioritized threats and review your business risk exposure continuously.