Is an annual penetration test really necessary?

Published: 13 March 2024

‘Is there a need for an annual penetration test?’ is a question that I used to be asked on nearly every customer engagement in years gone by. However, since the insurance industry has almost mandated that an annual penetration test is undertaken, it is becoming a far less frequent discussion. Nevertheless, it is one that is important to discuss.

First, a primer on penetration testing. This is the act of a skilled cyber professional attempting to identify, exploit and document weaknesses within an organisation’s systems and platforms. These vulnerabilities occur for a variety of reasons, commonly:

  • Unpatched/not updated software or components
  • Misconfigurations that provide incorrect access
  • Easily exploitable or leaked passwords
  • Default username/password combinations being left enabled

The risk of these vulnerabilities is that they can lead to unauthorised access, data exfiltration, data destruction and the most common cyber crime – ransomware. Penetration tests are designed not only to look at the outside of your infrastructure as the rest of the world observes it, but also to thoroughly test the inside portion of your network – essentially the “trusted” side of your IT operations, where much of the valuable data and other items reside.

A periodic test is highly recommended to ascertain whether there are any gaps that need reviewing and ultimately resolving. Whilst many organisations do a great job of continuously updating and maintaining an IT estate, an incredible number of vulnerabilities are released over a given year, impacting everything from Windows machines through to network devices and even smart items that are placed on to networks, all of which present a risk. Conducting an annual or six-monthly test is a great way to keep on top of these and maintain a good cyber security posture. Equally, most cyber insurers will want at least an annual penetration test conducted as a requirement to retain valid insurance.

Ultimately, without conducting periodic testing and knowing your starting point, there may be threats present that you simply don’t know about.

Written by: Simon Barnes, CTO.
