Hackers for hire: How testing protects your data — and bottom line

Getting hacked hurts. Not only is it often a PR nightmare and the cause of sleepless nights, a company data breach is a financial fright fest that can cost you millions of dollars.

That generally isn’t a secret. But given how many people are working remotely, which creates an entirely new set of security issues, I want to provide some insight into how the good guys protect networks so you can prevent hackers from breaking in.

I’m going to give you a bit of context into the business impact of data breaches, how hackers for hire provide value, and the benefits of working with experts to protect your network year-round — the industry term for this is continuous penetration testing, but we’ll get into that later.

Breaches break the bank — and the brand

It’s easy to think it will never happen to your company. Or, if it does, so what? You ask: Why would anyone want to break into my network? We don’t have anything of real value. But are you sure? What about unprotected passwords, employee information, credit card data, sensitive customer and client information? The list goes on.

The point is, most organizations need to keep hackers out. The average data breach costs a business $3.86 million, according to IBM.

Along with the financial drain, data breaches affect:

  • Company credibility (be prepared to hire a good PR firm);
  • Employee morale; and
  • The trust of your business partners.

But then, what’s the best approach to protecting your organization’s network? Along with all the essential steps any IT department will take, penetration testing is often used to make sure your defenses work as they should.

What’s a penetration test and why do I care?

Here’s an easy way to understand penetration testing. Think of your home as your company’s “network.” You’ve set up security cameras, window sensors, and even trained the family on how to use the alarm. For your network, these would be things like firewalls, complex passwords, and employee training.

However, do you really know the alarm system works? Are there blind spots the cameras can’t catch? Is little Johnny sharing the code to the garage door with some sketchy, but dangerously charming, neighbor kids? The same thing goes for your organization. The only difference is that hackers constantly refine new tactics and technology to break in and steal sensitive data — the neighbor kid just wants to get to the beer fridge.

To test their security, companies employ experts who poke holes in network defenses, expose weaknesses, and provide actionable steps to help address the issues they find. The technical term is penetration testing. A more effective approach is continuous penetration testing.

The role of continuous penetration testing

With continuous penetration testing, your network is monitored year-round versus once a year. Here’s why that matters: Testing your network once a year is like hitting the gym on New Year’s and considering yourself fit. It doesn’t work. Hackers don’t go on annual retreats to develop new approaches for the upcoming year. Instead, they’re cooking up something new as often as Netflix releases a new series.

Like preventive health care, continuous penetration testing is how you know your network is safe at all times. Find the problems before they make your network “sick.” A few benefits of incorporating testing into your cybersecurity strategy are:

  • Testing security controls. You get visibility into technical shortcomings.
  • Unearth human and system vulnerabilities. Penetration testers are hackers working for the good guys. We find issues most IT teams are too busy or too overworked to know about.
  • Long-term monitoring and constant testing against the latest threats.

Additionally, testers are teachers. Any good firm will provide actionable steps and guidance to help your IT team fix vulnerabilities. They also provide your employees with the tools needed to reduce the chance of a breach (e.g., multifactor authentication guidelines for logging into apps, password guidance, etc.).

How to pick a partner

If you decide to add a penetration testing partner to your quiver of cybersecurity resources, make sure to do so smartly.

It’s important you vet each potential partner. We generally recommend you at least ask these four basic questions:

  • Do they have a proven track record?
  • Can you see an example of a report to review how actionable their findings are?
  • Do they use a portal or ticketing system to make fixing issues easy?
  • Do they assist in remediating vulnerabilities, and is it part of the contract?

Remember, even one data breach is costly and can damage your business. Proactive, continuous penetration testing is one way to keep the bad guys at bay and your network safe.

Casey Cammilleri is owner of Sprocket Security, a Madison-based cybersecurity firm that specializes in continuous penetration testing.
