Why an Annual Penetration Test is Important 

Why an Annual Penetration Test is Important 

Should I Get An Annual Penetration Test ?

Many organizations ask the simple question, should I undergo an annual penetration test? Penetration testing is the best way for an organization to identify the vulnerabilities that could impact a company’s confidentiality, integrity and/or availability of data before being exploited by a bad actor.  Penetration testers use the same tools and techniques as a cybercriminal to identify the vulnerabilities in an organization’s defenses that are most likely to be exploited. 

Why Undergo an Annual Penetration Test? 

How frequently should companies undergo a penetration test?  Ideally, an organization should undergo penetration tests at least annually for a few different reasons.  The following are four reasons for frequent testing. 

Evolving Infrastructure 

Modern corporate IT infrastructures evolve rapidly.  Cloud computing makes it possible to rapidly spin up and take down infrastructure.  DevOps and agile design methodologies enable applications to change rapidly.  Technological innovation connects new types of devices to corporate networks. 

All of these changes have the potential to introduce new risks and vulnerabilities.  An annual penetration test enables an organization to identify these risks and take steps to remediate them.  Less frequent testing can result in a company building up security debt and increases the opportunities for cybercriminals to attack an  organization’s systems. 

Newly Discovered Vulnerabilities 

All software has bugs.  New bugs are discovered on a regular basis.  In 2021, over 28,000 new vulnerabilities were discovered, and 2022 is on track to surpass that number. 

Ongoing vulnerability research and discovery means that software and systems that were considered secure yesterday may be a security liability tomorrow.  Regular penetration tests provide insight into the vulnerabilities in their systems and provide strategies for remediating these issues and reducing an organization’s cybersecurity risk exposure. 

Regulatory Compliance 

Most companies are subject to compliance with a broad variety of regulations and standards.  Companies that collect and process payment card data for financial transactions must comply with the Payment Card Industry Data Security Standard (PCI DSS).  The EU’s General Data Protection Regulation (GDPR) and other data privacy laws mandate certain protections for customer data.  In many sectors, additional industry-specific laws such as the Health Insurance Portability and Accessibility Act (HIPAA) and anti-fraud and anti-money laundering laws exist as well. 

In some cases, regulations and standards require annual assessments, making an annual penetration test necessary for compliance.  For the rest, penetration testing can be invaluable for identifying the vulnerabilities that would lead to non-compliance and preventing data breaches or other security incidents that could result in regulatory penalties. 

Strategic Planning 

Companies face a variety of different cybersecurity threats, and there are a variety of different tools and solutions out there to protect against these threats.  It’s financially impossible to buy one of everything, and doing so would be a bad idea if it was possible. 

Cybersecurity investments and strategic planning should be based on an understanding of an organization’s security risks and how to maximize the return on investment of security investments.  Regular penetration tests can provide an organization with visibility into its risk exposure and an understanding of the main threats that it faces.  This information is crucial to the ability to develop a cybersecurity investment that optimizes the use of security budget. 

Planning a Penetration Test with Netragard 

A penetration test provides an organization with visibility into its security risk and what it needs to do to maintain regulatory compliance and protect itself against cyberattacks.  While more frequent assessments are always better, penetration tests should be performed at least annually to keep the company up-to-date on its current risk exposure. 

Penetration tests should also be tailored to an organization’s IT infrastructure and security needs.  For more information about planning a penetration test or to schedule your next one, feel free to reach out today. 

Blog Posts

Karen Huggins

Chief Financial, HR and Admin Officer
Divider
Karen joined the Netragard team in 2017 and oversees Netragard’s financial, human resources as well as administration functions. She also provides project management support to the operations and overall strategy of Netragard.
 
Prior to joining Netragard, she worked at RBC Investor Services Bank in Luxembourg in the role of Financial Advisor to the Global CIO of Investor Services, as well as several years managing the Financial Risk team to develop and implement new processes in line with regulatory requirements around their supplier services/cost and to minimize the residual risk to the organization.
 
With over 20 years of experience in finance with global organizations, she brings new perspective that will help the organization become more efficient as a team. She received her Bachelor of Finance from The Florida State University in the US and her Master of Business Administration at ESSEC Business School in Paris, France.

Philippe Caturegli

Chief Hacking Officer
Divider
Philippe has over 20 years of experience in information security. Prior to joining Netragard, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements.

Philippe has over 10 years of experience in the banking and financial sector that includes security assessment of large and complex infrastructures and penetration testing of data & voice networks, operating systems, middleware and web applications in Europe, US and Middle East.

Previously, Philippe held roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.)

Philippe actively participates in the Information Security community. He has discovered and published several security vulnerabilities in leading products such as Cisco, Symantec and Hewlett-Packard.

He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), PCI Qualified Security Assessors (PCI-QSA), OSSTMM Professional Security Analyst (OPSA), OSSTMM Professional Security Tester (OPST), Certified in Risk and Information Systems Control (CRISC)and Associate Member of the Business Continuity Institute (AMBCI).

Adriel Desautels

Chief Technology Officer
Divider
Adriel T. Desautels, has over 20 years of professional experience in information security. In 1998, Adriel founded Secure Network Operations, Inc. which was home to the SNOsoft Research Team. SNOsoft gained worldwide recognition for its vulnerability research work which played a pivotal role in helping to establish today’s best practices for responsible disclosure. While running SNOsoft, Adriel created the zeroday Exploit Acquisition Program (“EAP”), which was transferred to, and continued to operate under Netragard.
 
In 2006, Adriel founded Netragard on the premise of delivering high-quality Realistic Threat Penetration Testing services, known today as Red Teaming. Adriel continues to act as a primary architect behind Netragard’s services, created and manages Netragard’s 0-day Exploit Acquisition Program and continues to be an advocate for ethical 0-day research, use and sales.
 
Adriel is frequently interviewed as a subject matter expert by media outlets that include, Forbes, The Economist, Bloomberg, Ars Technica, Gizmodo, and The Register. Adriel is often an invited keynote or panelist at events such as Blackhat USA, InfoSec World, VICELAND Cyberwar, BSides, and NAW Billion Dollar CIO Roundtable.