Think of your IT system as your building.
In your building, you store all your information, both your customers' data and what you need to run your business. Given that a breach costs, on average, well above 4 million USD (source: IBM), how would you prioritize security?
And when running a risk analysis of your company, would you leave all security to internal staff as a part-time responsibility?
Having an external company perform a vulnerability check and penetration testing of your system is an inexpensive solution that considerably increases security.
What is penetration testing?
Simply put, pen-testing is when one of the good guys (or girls) does what the bad guys could do. They scan your system for vulnerabilities and check whether these can be exploited. In other words, they discover your vulnerabilities before the hackers do.
Afterwards, you receive a report of any findings, together with recommendations on what to do to mitigate these vulnerabilities, improving your defence and resilience.
Why not use internal staff?
Your own staff are the most crucial part of keeping your network secure, but there are two main reasons to use an external company.
Relevant for small businesses?
It is tempting to think that cyber-attacks only hit large businesses, but the statistics say otherwise. According to Forbes, 43% of cyberattacks targeted small businesses in 2022. According to the same source, only 14% of these companies have proper defences, and 83% aren't financially prepared to recover from such attacks.
But what a small company needs differs from what a large company needs, so the service and its cost are proportional to size. Even a tier 0 scan will help your small company improve security and give you an inventory of what software is running on your servers. For a first-time scan of a small business, we highly recommend a tier 1 scan, because you get assistance from one of our consultants to prioritize the tasks, answer any questions about the findings, and plan the next steps.
Not more than you need – the four levels.
The exact need for vulnerability scanning and penetration testing varies from company to company, so to make it easier to define, Nemko has developed a service delivery model in which each "tier" of service delivery is progressively more advanced and thorough.
Tier 0: Vulnerability scan with automated evaluation
Tier 1: Automated scan with assistance
Tier 2: Penetration test with a report and assistance
Tier 3: Extended Tier 2 for large environments
Each tier includes and builds on all lower tiers. For example, if you choose tier 2, tiers 0 and 1 are included in the “package.”
Tier 0
The penetration tester conducts a vulnerability scan and provides the customer with an automated report of the findings.
Tier 1
The penetration tester will assist the customer with highlighting and prioritizing the various risks accompanying the vulnerabilities and provide general mitigation strategies.
Tier 2
After performing a vulnerability scan, the penetration tester will perform a penetration test and produce a report with findings and suggestions for remediation.
Tier 3
This is an extended version of Tier 2. This applies to projects where additional time is needed due to the scale and complexity of the penetration test.
One-offs or subscription services.
Regular scans are recommended because IT systems change frequently and new vulnerabilities are discovered in existing software. A typical arrangement is an initial vulnerability scan and penetration test, followed by automated vulnerability scans at regular intervals, e.g., quarterly.
Extensive penetration testing is usually performed as a one-off or at annual intervals.
A typical process
Typically, an automated scan is then done periodically, giving the customer a continuous overview of the
Nemko
Nemko can help you strengthen your defence.
Our team of cyber security experts can advise you on how to improve your systems by simulating a hacker attack and exploiting any vulnerabilities they come across, giving you an in-depth analysis of your system's security. This can be done from inside the network or as an attempt to get in from the outside. We can perform this once or on a regular basis.
We offer penetration testing on networks and can provide vulnerability scanning of networks, Android and iOS applications.
Want to learn more about penetration testing and how it could help your company?
Schedule a 10 min virtual meeting with us at your convenience.