Have You Been Tested?

Posted by Robert Smallcombe

Give a monkey a typewriter, enough time and you will get the works of Shakespeare.

Give a hacker a laptop, enough time and you will get your IT systems compromised.

Looking at the above two statements, you would get rather long odds on anyone denying the probabilities at play. Yet, in the same vein, IT managers haven’t invested money to ensure that they beat any hacker to the punch and receive an in-depth view of the threats and vulnerabilities they face. Instead, such things are left to chance whilst managers look the other way.

Ethical hacking, or penetration testing, as the name suggests, involves some rather intrusive and potentially painful examination. Depending on requirements, the tests can be broken down into three main categories, each with varying levels of risk and complexity.

External Network Infrastructure Testing:

  • This assessment provides an understanding of an organisation’s risk from an internet-based attack on its public-facing infrastructure.

Internal Network Infrastructure Testing:

  • This assessment aims to identify any risks organisations will face from an internal threat actor, be that a malicious employee or an accidental malware download by an employee.

Specific Application Testing:

  • This approach takes a deep dive into any custom or in-house developed applications, internally or externally facing, and provides a report on the threats or vulnerabilities that could pose a risk to the organisation.

GDPR has brought penetration testing into particularly sharp focus, providing business leaders with a compelling reason to evidence that they are indeed completing their own due diligence on their IT systems and networks. For instance, Article 35 mandates that a Data Protection Impact Assessment (DPIA) be carried out when the “processing of data is likely to result in a high risk to the rights and freedoms of natural persons”.

Penetration testing, then, is a valuable tool, not only in providing quick wins by outlining actionable steps to mitigate risk but also in showcasing a positive approach to data security and regulatory requirements.
