Cybersecurity New Year’s Resolution: Undergo Annual Penetration Testing to Strengthen Our Data Security Defenses



You make New Year’s Resolutions about exercising more frequently, dietary changes for the better and other health-related personal promises to yourself and your family.

But what about the health and well-being of your data security defenses?

Is 2019 the year to resolve to be proactive about regular IT security & compliance checkups?

As the threat environment grows almost daily because of the application of artificial intelligence, virus mutations, and the proliferation of professional data thieves and kidnappers, it just makes good sense.

Before December is out, 360 Advanced recommends you make public a resolution to add penetration testing to your lineup of periodic IT compliance procedures in 2019. A penetration test, or “pen test”, is a simulated cyber-attack against your system’s security controls intended to target, identify, and correct any exploitable vulnerabilities.

How to Choose a Pen Test Provider

If you are already a client of 360 Advanced, you need look no further. Over the course of a year there are numerous small (seemingly innocuous) changes in your software applications, personnel, vendors, CRM platforms, accounting and finance procedures, operations, data access permissions, and even office and plant environmental management systems (HVAC).

Penetration tests should be conducted at least annually (quarterly preferred), and certainly any time there are major architectural changes to your network and systems. All of those changes create potential vulnerabilities that an ethical hacker can expose for you.

Penetration testing is performed by 360 Advanced’s experienced team of ethical hackers with the goal of evaluating and identifying potential exploitable vulnerabilities before the bad guys do. Penetration tests are conducted against a variety of different environments, including web applications, networks, and other systems.

According to BOSS Magazine, here are a few key factors to consider when selecting a security specialist to work with.

  • Professional Certification.

    Qualified providers will be able to demonstrate their knowledge of the latest hacking techniques and procedures and offer assurance that they conduct assessments as safely as possible, so as to avoid any possible damage or disruption.

  • A Proven Track Record.

    Don’t forget that one of the most important ways of verifying the quality of a provider is their reputation. The provider should be able to share excellent client references from businesses similar to yours.

  • Experience Performing a Range of Testing.

    There are many different forms of pen testing to choose from. You might require a very specific web application test or a broader assessment such as a network penetration test. In many cases you will require a range of testing capabilities, so make sure that your provider is experienced in providing them all.

IT security and compliance specialists at 360 Advanced explain that the scope of most penetration testing typically involves some combination of the following:

  • Vulnerability Scanning

  • External Penetration Testing

  • Internal Penetration Testing

  • Web Application Testing

  • Social Engineering

  • Physical Penetration Testing

  • Flag-Based Testing

  • Threat Intelligence Reporting

  • Single Phase Testing

  • Three Phase Testing

Mergers and Acquisitions Often Overlooked

While we traditionally think of pen testing as benefiting service providers that house millions of confidential consumer records, law firms – small and large – are often at serious risk of cyber-attack because of the nature of the data they control.

Data privacy, cyber security, and data breach risks are important due diligence issues in mergers and acquisitions. Post-acquisition discovery of security problems, and even notifiable breaches, is a far too common scenario.

According to one report, more than a third (40%) of acquiring companies engaged in a merger and acquisition transaction said they discovered a cybersecurity problem during the post-acquisition integration of the acquired company. A pre-emptive pen test (by either party to the deal) would have identified likely vulnerabilities before closing. The most highly publicized example of an M&A-related cybersecurity problem was Verizon’s discovery of a prior data breach at Yahoo! after having executed an acquisition agreement to acquire the company.

This discovery almost scuttled the deal, and ultimately resulted in a $350 million reduction in the purchase price paid by Verizon, with Yahoo! required to pay a $35 million penalty to settle securities fraud charges alleged by the U.S. Securities and Exchange Commission (SEC) and an additional $80 million to settle securities lawsuits brought by unhappy shareholders.

“At the end of any Pen Testing project, a Security Assessment Report is issued,” says Eric Ratcliffe, Director of Compliance Strategy for 360 Advanced.

“In that Report, you want to make sure you receive a summary of activities completed, findings and actionable recommendations, and some detailed information about any found vulnerabilities.”

Typically, a post-assessment meeting is held with your servicer to discuss the results of your Penetration Test.

For more information on how to start your Penetration Testing initiative, contact eratcliffe@360advanced.com.