The Under-Appreciated Power of Pen-Testing


Nowadays, nearly all businesses and charities in the UK report using some form of digital communication in their daily operations. An unpleasant but unsurprising consequence is that cyber-attacks have become a more prevalent threat, with the number of reported cases growing year on year. In the last 12 months, nearly one-third of businesses (32%) and over one-fifth of charities (22%) reported suffering some form of security breach.

At the same time, changes in EU and UK legislation have reshaped commercial cyber-security. The introduction of GDPR in May 2018 has had two effects: companies are reviewing what they classify as a security breach, and some are increasingly reluctant to report attacks for fear of being found in violation of the regulation and facing the heavy penalties that an infringement incurs. That reluctance is itself a risk: GDPR requires a personal data breach to be notified to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals, so failing to notify is a separate infringement on top of the breach.

The Real Cost of Cyber-Crime

Security breaches can be costly to organisations of all sizes in every area of the economy, including the third sector and non-profits. The consequences of a successful attack can be severe: tarnished brand reputation, denial of service, non-compliance with GDPR, or customer and client data being leaked, and that is before the direct financial cost is taken into account.

In 2019, recovering from a security breach costs small companies an average of £4,180, medium companies £9,270 and large firms £22,700. Charities affected by breaches typically spend £9,740 to recover. As attacks become more sophisticated and more damaging, both the losses suffered and the cost of remediation are expected to rise.

Security flaws and misconfigurations can lie dormant for long periods until an attacker exploits them or a security consultant finds them. Attackers often do not target an organisation or charity because of what it does; they look for a specific vulnerability that gives them maximum impact wherever it happens to exist. The WannaCry outbreak of May 2017, in which the NHS was hit because it was running unpatched and out-of-date Windows systems that were exposed to the MS17-010 SMBv1 flaw (for which Microsoft had released a patch two months earlier), is a salient case in point.

Nipping Issues in the Bud

To help keep organisations secure from attack, regardless of their size or sector, a number of activities can boost defences, including penetration testing, vulnerability management and Cyber Essentials certification. Pen-testing can be a cost-effective way to identify issues before attackers exploit them, potentially saving thousands of pounds and hundreds of hours of downtime.

Penetration testing is the practice of testing a computer system, network or web application for weaknesses an attacker could exploit, by attempting to exploit them under agreed rules of engagement. Regular penetration tests let organisations assess their security posture before an attack happens and demonstrate compliance with standards and regulations such as the Payment Card Industry Data Security Standard (PCI DSS), which explicitly requires regular penetration testing of the cardholder data environment, and GDPR, which requires organisations to regularly test and evaluate the effectiveness of their security measures.

Regular testing allows an organisation to replicate a real-life attack scenario in a controlled way, without the damage an authentic breach causes. Once the test is complete, the organisation receives a report that sets out the consultant's findings and gives detailed advice on how to fix each issue. The consultant usually follows up to offer insight and answer questions about the report's contents. One caveat worth keeping in mind: a test is a snapshot, valid only for the scope and the point in time tested, so a retest after remediation is the way to confirm the fixes actually closed the issues found.

The Quorum Cyber Approach

Each test carried out by Quorum Cyber follows a methodology agreed during a scoping call or meeting with the organisation. Holding this meeting before the test begins ensures that every test we carry out adds value specific to your organisation.

We routinely identify vulnerabilities and misconfigurations in large applications that could lead to data breaches. By concentrating on the systems, networks and applications themselves, rather than on the services they offer or the environments they sit in, we expose security issues that developers or administrators may have missed. In the hands of a malicious threat actor, such issues could grant access to networks or sensitive data, with devastating losses of all kinds for the organisation.

If you would like to obtain a free quote for penetration testing services or enquire about any other consultations offered by Quorum Cyber, please get in touch via our online contact form or by giving us a call on +44 333 444 0041. Working together, we can help to protect your organisation from outside threats.

Darren Phillips