Imagine the CEO telling the Board of Directors that due to no real fires for several years, the company plans to cut back on smoke detectors and fire drills! Sounds unrealistic? We agree, but ….
How about the same CEO saying that they will reduce the IT budget for the coming year, as there have been no cyber incidents? Ironically, this does actually happen.
Many things develop over time, like the need for maintenance of a building. That is a slow process which can be observed over time and can be planned for and dealt with at a given time.
Other things, like traffic safety, are not like this. You do not delay putting on your seat belt until the traffic has reached some threshold of danger. You know that an accident can happen in a split second and at any time.
Cyber breaches fall in the latter category too. Surely, an attack may develop and also be ongoing for a long time, but the breach itself still happens fast, and the consequences may be immediate.
Yes, I know you have heard it before – an attacker is successful if succeeding once, whilst the defender is unsuccessful if failing once. But irrespective of having heard it before, it is the grim truth, and defending the IT system may be a lonely job against a multitude of adversaries. And sometimes you feel you also need to fight internal opponents, like the manager who’d like to cut down on the IT security spending, citing “no return”.
The main benefit of using an external company to do a vulnerability scan or penetration testing is to enhance the security of your IT system. External personnel are certified and have the experience and tools to discover issues that may go undetected by internal staff.
There is, however, one more advantage – it brings internal focus to the security work being done. An external vulnerability scan should always end in a formal report listing findings, their significance, and recommendations. Such reports can also be used internally to demonstrate the work being done and the need for continuous monitoring and maintenance – and resources.
Book a free online meeting with a senior penetration tester.