Who can you trust to test out your IT defences?

Behind every high-profile data-breach headline there are hundreds of similar stories of cyber attacks that cause major financial pain and reputational loss to their victims. Cyber crime is no longer a backroom activity but a growing business, driven by hacktivist groups, organised criminal gangs and state-sponsored actors. Attacks are no longer directed only at government organisations, large financial institutions and corporations; companies of all types and sizes now face increasing internal and external threats.

Despite increased investment in corporate IT defences, no organisation can be 100% secure. What matters is that companies discover where their security weaknesses are and mitigate the risks before someone else finds those vulnerabilities and exploits them for their own ends.

The best way to do this is to simulate real-world malicious attacks using the latest and most sophisticated techniques employed by cyber criminals. A comprehensive penetration test shows just how easy it is to break into a network or computer system and steal valuable data or, in the case of ransomware, deny access to critical assets.

Demand for this highly skilled and technical investigation and analysis is rising, but with hundreds of companies offering their services, how can you have confidence and trust in the people you choose to do this sensitive work? You need to be sure that you are working with professionally qualified and skilled individuals, in companies with the appropriate processes and methodologies to protect your data and its integrity.

That’s where CREST comes in. CREST is a not-for-profit body established in 2006 by the technical security industry with the support of the UK Government to provide internationally recognised accreditation for organisations and certification of individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo stringent assessment every year and sign up to a strict and enforceable code of conduct; while CREST qualified individuals must pass the most challenging and rigorous examinations in the industry worldwide, to demonstrate knowledge, skill and competence.

How does a penetration test work?

Before conducting a penetration test, it is important to explore the threat landscape of your business, its internal security requirements and concerns, to ensure that the work is tailored appropriately.

The penetration test itself comprises a comprehensive examination of the infrastructure environment under assessment, reviewing available systems and services to determine if and how these could be abused by a real-world attacker to gain unauthorised access to information assets or compromise integrity.

Once the testing is complete, all relevant parties should be fully briefed and a prioritised mitigation plan produced, aligned with your organisation’s risk appetite. Where patterns of vulnerability have been identified, a root cause analysis can be performed to help address the problem at source, rather than treating individual symptoms.

The benefits of a pen test include:

  • Understanding your current exposure and risk profile in the context of the infrastructure environment, to protect assets and brand
  • Receiving constructive and pragmatic remediation advice that helps target resources to reduce residual risk in the most cost-effective way
  • Identifying flawed information security processes and addressing them at the root cause
  • Meeting internal and external compliance requirements
  • Demonstrating due diligence in the protection of confidential information

Penetration testing is just one of a wide range of technical assurance services, from simple vulnerability assessments to in-depth, targeted Red Team attacks. In addition to putting infrastructure to the test, it is also important to assess application security across all elements of functionality, from simple flaws such as input validation errors to complex weaknesses such as poorly implemented business logic.

The challenge is to identify and manage vulnerabilities before an attacker exploits them. If you don't want to feature in the next data-breach headline, you need to stay one step ahead of the cyber criminals to safeguard your business against financial loss, reputational damage and harmful publicity.

By Gemma Moore, Director and Penetration Tester at Cyberis, an Information Security Consultancy.

