How Can Penetration Testing Protect Your Assets?
Every business has something to lose. But…who loses sleep over it? Whose job is on the line if assets are compromised? Who cares about protecting their assets? In recent data breaches, some companies just haven’t shown the expected response when they compromise assets. Take Uber, for example. The core of Uber’s business is drivers and riders, yet they covered up a hack for over a year. Hackers stole 57 million credentials through a third-party cloud-based service, and Uber paid to cover it up. Uber knew they’d face major backlash when they exposed the cover-up because they didn’t protect their assets.
How can organizations protect their assets? Investing in penetration testing is one way to show clients, prospects, and competitors that you are willing to protect your assets and that you recognize the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company.
What Type of Assets Do You Protect?
In any industry, there are assets that need to be protected. You may not think that your organization has a “security issue,” but third-party validation through penetration testing can either validate or deny that. Cardholder data, Social Security numbers, protected health information, access credentials, intellectual property – businesses across industries need to recognize how penetration testing can protect their assets.
- Casinos – The gaming industry has earned a reputation for strict, effective physical security. As technology advances, though, so should cybersecurity. If a casino is connected to a hotel, are the networks segmented appropriately? If not, a hacker may have found a way into the casino’s gaming network. From there, they could have access to the security cameras, the ability to manipulate odds, see payout information for each machine, alter rewards information, or worse.
- Hotels – Cardholder data, passport information, rewards numbers, room information, security systems, and more could be compromised if a hotel is hacked. The Marriott hack exposed in 2018 is now one of the largest known thefts of personal records in history. When Marriott’s Starwood reservation system was breached, the personal data of up to 500 million guests was compromised.
- Pharmaceutical – Production and development, intellectual property, operations, clinical trials, and laboratory results can be impacted when the pharmaceutical industry is targeted by cyberattacks. When pharma giant Merck was hit by NotPetya, it disrupted their operations across the world and production of new drugs, ultimately costing them over $600 million in 2017.
- Utilities – The threat of power grids being attacked by nation states is becoming more real every day. In 2018, the DHS linked Russia to hacking US power suppliers and publicly spoke about the cyberattacks to warn and prepare other energy suppliers.
- Data Centers – Whatever data is stored in a data center is under threat. Any insecure access point, like security systems, power supply, security cameras, or HVAC systems, are fair game to a hacker.
- Retail – Cardholder data is the major asset of any retailer. The infamous 2013 Target hack is a nightmarish example of just how much data a retailer is responsible for. The compromised cardholder data of 40 million shoppers led to a $18.5 million settlement for Target.
- Airlines – Passport details, passenger itineraries, rewards information, cardholder data, flight schedules, and the safety of passengers are things that could be compromised if an airline is hacked. Fortunately, no travel or passport details were revealed in British Airway’s 2018 data breach, but 380,000 transactions were compromised due to digital skimming on the airline’s website and app.
- Telecommunications – Because telecom providers communicate, transmit, and store sensitive data, they are a target for cyberattacks. Telecom providers also have attacks coming from two sides: directly to their organization’s network and indirectly through their users. There are new channels of attack with every advance in technology.
- Auto – As automakers incorporate more technology into vehicles and self-driving cars become a reality, the threat of cyberattacks on vehicles is very real. Locks, brakes, volume, AC, acceleration – it’s all been proven to be hackable.
- Education – Educational institutions hold not only attendance and grade records, but Social Security numbers, cardholder data, billing addresses, and many other forms of personal data. Understaffed universities that hold expensive research have a target on their backs. A data breach in the education industry costs $166 per capita, according to the Ponemon Institute.
- Insurance – Cardholder data, protected health information, and other sensitive data are assets given to insurers through websites and apps, making the insurance industry a target for cyberattacks.
- Public Sector – 44% of local governments face cyber attacks daily. The City of Atlanta’s Ransomware attack was an unfortunate example of just how vulnerable cities are to cyber threats and how much it costs for a city to recover.
- Banking – Social Security numbers, credit information, PINs, cardholder data, mailing addresses, email addresses, account balances – it’s all available to banks. In 2014, JPMorgan Chase was the victim of a hack that left half of all US households compromised, one of the largest thefts of consumer data in US financial institution history.
- Hospitals – Protected health information, security systems, expensive research and prototypes, drugs, scheduling information, and operations of facilities are all assets that a hacker could hope to compromise through cyberattacks. Ransomware attacks are extensive in healthcare for this very reason. No hospital wants their computers, elevators, locks, medical devices, or HVAC system held hostage.
Seeing some similarities, here? Any industry can benefit from penetration testing. Any service provider would be embarrassed to sell something that isn’t secure. Any healthcare organization on the HHS’ “wall of shame” will be used as an example of what not to do. Any payment processor’s reputation would be tainted by compromised cardholder data. No matter the industry, organizations need to protect their assets. What is the value of your assets?
How Can Organizations Use Penetration Testing to Protect Their Assets?
Penetration testing can be used to determine how vulnerable your assets are. It puts your security intelligence in your own hands instead of a hacker’s. It shows your security strengths and weakness, then allows you to prioritize your risk levels. If you have compliance requirements, then penetration testing helps align your organization’s security with those requirements. If you do not have compliance requirements, penetration testing is a proactive way to see and analyze the holes in your security posture. Because penetration testing is a simulated yet real-world exercise, it also gives your team a chance to have true “what if” scenarios to practice incident response and, hopefully, avoid the downtime that a breach would cost in the future.
Consider all types of penetration testing and consult with a qualified consulting firm to decide which would be most beneficial for protecting your assets. Internal or external network penetration testing, web application penetration testing, API testing, mobile app penetration testing, code review, social engineering – there are many options that could be useful to your organization’s security efforts.
If you’re questioning whether or not penetration testing would be appropriate for a business of your size or in your specific industry, remember to consider the value of your assets. The value of penetration testing comes from the value of your assets, not the size of your company or your industry.
If your default belief is that we, as an auditing firm, do not employ in-house penetration testers, let us make it clear: we do. We recognize the value of your assets and want to help you find your vulnerabilities and correct them. Contact us today to learn more about our penetration testing services.
More Penetration Testing Resources
7 Reasons Why You Need a Manual Penetration Test
Not All Penetration Tests Are Created Equal