Is an annual penetration test really necessary?

Published: 13 March 2024

‘Is there a need for an annual penetration test?’ is a question that I used to be asked on nearly every customer engagement in years gone by. Since the insurance industry has all but mandated an annual penetration test, it has become a far less frequent discussion. Nevertheless, it is still an important one to have.

Firstly, a primer on penetration testing. It is the act of a skilled cyber security professional attempting to identify, exploit and document weaknesses within an organisation’s systems and platforms. These vulnerabilities arise for a variety of reasons, most commonly:

  • Unpatched or out-of-date software and components
  • Misconfigurations that grant access they should not
  • Weak, guessable or leaked passwords
  • Default username/password combinations left enabled

The risk of these vulnerabilities is that they can lead to unauthorised access, data exfiltration, data destruction and the most common cyber crime of all: ransomware. Penetration tests are designed not only to look at your infrastructure from the outside, as the rest of the world observes it, but also to thoroughly test the inside of your network, the “trusted” side of your IT operations, where much of the valuable data and other assets reside.

A periodic test is highly recommended to ascertain whether there are any gaps that need reviewing and ultimately resolving. Whilst many organisations do a great job of continuously updating and maintaining their IT estate, a large number of vulnerabilities are disclosed every year, affecting everything from Windows machines through to network devices and even smart devices placed on the network, all of which present a risk. Conducting an annual or six-monthly test is a good way to keep on top of these and maintain a sound cyber security posture. Equally, most cyber insurers will require at least an annual penetration test as a condition of keeping the policy valid.

Ultimately, without conducting periodic testing and knowing your starting point, there may be threats present that you simply do not know about.

Written by: Simon Barnes, CTO.
