14/01/2016
Penetration tests can save companies from financial ruin - but they are considered time-consuming and expensive. However, especially in times when IT budgets are tight, professional tests not only minimize risks but also help save money and ensure the continuity of a business. Here are three arguments in favor of this essential security measure.
Budgetary restrictions often cause many IT directors to forget just how valuable penetration tests are to a company’s or public authority’s information security. After all, not only do they reveal gaps in systems and processes, but when performed properly they can also disclose how to effectively use a very tightly calculated budget to sustainably enhance IT security throughout a company. Not to mention the fact that many of these tests are now statutory requirements. That is why it is a good idea in general to have penetration tests performed systematically and by experts with the right experience:
- Tests are an important part of IT compliance. The BSI, Germany’s Federal Office for Information Security, has made it abundantly clear: the establishment of security systems alone does not guarantee companies have satisfied statutory requirements. The requirements are manifold and range from the internal control system specifications set forth in the German Commercial Code (HGB §238) and mandatory early warning systems for emergency prevention (§99 Paragraph 2 of the German Stock Corporation Act) to the strict guidelines for storing and processing personal data found in the Telecommunications Act. Penetration tests help examine the technical aspects to determine how effective they actually are, while audits can be a useful way of reviewing non-technical requirements.
- Independent testers are worth it. Even the mere act of planning regular testing by a neutral third party can have a positive impact on a company’s reputation and generally tends to enhance the security level. A neutral perspective from someone outside the company also has the further advantage that the party who developed the security is not the one testing its effectiveness. This prevents potential conflicts of interest and ensures objective testing.
- Penetration tests save money. Penetration tests reveal concrete gaps and are thus more valuable than simply preparing for some assumed and abstract threats. There are also certain risks that only become apparent to IT departments through tests used to identify vulnerabilities. Budgets tend to be limited, but can be effectively used for specific tests and to eliminate concrete gaps - instead of procuring a high-performance firewall in the hopes of having “all-round protection”, an approach that fails to identify errors inherent to a system or other vulnerabilities.
“Naturally, a professional penetration test does cost money in the beginning. However, it is a priceless investment in data security for a company. After all, neglecting security can not only lead to customers losing faith in a company, but can also result in enormous monetary losses. We recommend selecting a serious and experienced external provider. They are the only ones who can help choose the right focal points for the systems that need to be tested and who can also conduct the tests with the level of professionalism needed to do so,” states Bernhard Weber, information security expert at msg.