To pentest or not to pentest

Jim Hawkins of C3IA Solutions

With many businesses having staff at home as well as in the office, it is becoming harder to protect their systems from cyber-attacks.

One of the country’s leading cyber-security companies, Dorset-headquartered C3IA Solutions, says attacks are growing in frequency and complexity.

It is therefore suggesting that firms submit their systems to penetration testing – to discover where the weaknesses lie.

As police sometimes consult former burglars on how best to secure buildings, ‘pentesting’ uses hacking skills to give businesses a steer on what part of their security requires more work.

Jim Hawkins from C3IA Solutions, based in Poole, said the extra layer of security this brings could make the difference between being hacked or not.

A cyber-attack might not only cost the business money; the business could also lose information and its reputation will be harmed.

A government report has revealed that 39 per cent of businesses and 26 per cent of charities reported a cyber security breach or attack in the last year.

One in five of them ended up losing money, data or other assets – medium-sized businesses lost an average of £8,460 and large businesses £13,400.

Jim said: “Successful cyber-attacks are down slightly as companies realise the importance of securing their systems.

“But the number of attacks is up and they are necessarily more sophisticated.

“It means security keeps needing to be improved, especially now as there is a great deal of mixed working, with staff at home and in the office.

“This blended IT environment presents weaknesses in many systems that can be exploited by cyber-crooks.

“Whilst cyber-security should be a routine board discussion, having anti-virus software and a firewall is simply no longer enough.

“Modern businesses require an advanced and effective approach to security, which is where pentesting comes in.

“A pentest is a method for gaining assurance in the security of an IT system by attempting to breach some or all of the system’s security, using the same tools and techniques as an adversary might.

“It consists of an authorised simulated cyber-attack on a computer system, performed to evaluate the security of the system.

“The test is performed to identify vulnerabilities, including the potential for unauthorised parties to gain access to the system’s data and features.

“It allows businesses to test new infrastructure, applications, web services or significant business changes.

“They can then identify and validate potential security risks in their IT systems before cyber-criminals can make use of them.

“It brings confidence to clients and partners, improves a company’s reputation and can save a lot of money.

“We find that companies are greatly reassured when we perform a pentest, even if it reveals weaknesses – because these can then be addressed.

“It is however important to instruct qualified people from reputable companies to carry out the tests – you don’t want to invite a crook into your system.”