01/09/2015
Although several statutory regulations exist that should motivate companies to perform penetration tests to detect gaps in their IT security, many companies still consider the topic rather unimportant and, as a result, treat penetration tests with polite reserve. These three arguments will help conscientious security officers convince their bosses that comprehensive and tailored penetration tests are both necessary and worthwhile.
Budget restrictions often cause IT bosses to forget just how valuable penetration tests are to a company’s or public authority’s information security. Yet, these tests not only detect risks, but when properly executed, they can also reveal how to best use a very tight budget. That is why it is a good idea to have them performed efficiently by experts with the right experience:
- A single security incident can ruin a company. A data leak can end up costing as much as a penetration test or, in a worst-case scenario, can bankrupt a company. Not to mention the fact that the probability of such a security incident grows every day. Numerous studies have proven this point, and even the BSI (Germany’s Federal Office for Information Security) warns that the number of targeted attempts at corporate espionage and sabotage is rising. The only way to find out what methods hackers might be using to penetrate your company is to search effectively for those methods yourself.
- An incident reflects on the department and on the management. If an attacker exploits a security gap that a penetration test could have detected, the consequences will not be limited to the company. The IT boss who failed to pay enough attention to information security, as well as the entire department, will suddenly find themselves in hot water. If worst comes to worst, individuals may even be held personally responsible: for example, OLG Hamm is already holding people in managerial positions personally responsible for similar security incidents.
- A penetration test can save money. Penetration tests can be designed to focus on a specific area. For example, they can be narrowed down to target areas that are known to be at high risk for internal or external attacks, such as those listed in the OWASP Top 10. This allows detected vulnerabilities to be remediated without exhausting the entire year’s security budget.
“Naturally, a professional penetration test does cost money in the beginning. However, it is a priceless investment in data security for a company. We recommend selecting a serious and experienced external provider. They are the only ones who can help choose the right focal points for the systems that need to be tested and who can also conduct the tests with the level of professionalism needed to do so,” states Bernhard Weber, information security expert at msg.