How often should companies conduct penetration tests?

Introduction

In times when there is seemingly a new IT security scandal every week, many IT managers ask themselves how often they should put their systems to the test. After all, you have to know where your weaknesses lie in order to stay one step ahead of attackers. Penetration testing is a proven way of identifying and eliminating critical vulnerabilities before they become a problem. In this blog post, I would like to give you some guidance on how often and when you should commission penetration tests.

An individual penetration testing program is necessary

There is no single answer to how often companies should have penetration tests performed. In my opinion, it makes the most sense to develop a penetration testing program that is tailored to your own IT security needs. Your individual penetration testing program should answer the following questions:

  • What types of penetration tests are required? (internal/external infrastructure pentest, web application pentest, IoT device pentest, etc.)
  • How extensive do these pentests need to be, and should vulnerability scanning be carried out as a complementary process where possible?
  • How frequently must pentests be performed? (e.g. annually or semi-annually)
  • In which situations should extraordinary pentests be performed?

Depending on a variety of individual factors, your penetration testing program will be extensive or rather narrow. Factors that influence the scope of your penetration testing program include:

  • the size of the network and the company
  • the criticality of the data, applications and systems in your IT landscape
  • the threat level in the company’s sector (financial services, health care, …)
  • existing compliance or audit mandates (ISO 27001, PCI DSS, …)
  • your available IT security budget

An annual external pentest as a starting point for your penetration testing program

An external infrastructure penetration test performed once a year should always be part of your penetration testing program. In this test, all systems accessible from the internet, such as firewalls, VPN gateways, DNS and e-mail systems and file servers, are checked for vulnerabilities. In addition, for larger companies (from approximately 100 employees), the internal systems should also be checked (a so-called internal infrastructure penetration test). The larger the company, the more important it becomes to check internal systems, because as the company grows, threats from the inside become increasingly probable.

Situations that require unplanned penetration testing

There are some special situations that require an unscheduled penetration test. These include:

  • Major changes to your network (but be careful: only once the changes are complete, otherwise security vulnerabilities may reappear immediately after the pentest)
  • The occurrence of an IT security incident
  • The deployment of new systems or applications

Conclusion

How often, how extensively and at what time a company should have penetration tests performed depends on many individual factors. A well-thought-out penetration testing program, which is regularly adapted to the company’s situation, is the key to maintaining an appropriately high level of security at all times. An annual external infrastructure penetration test should always be part of your program.

Dennis Kionga

Dennis is Managing Director of Cloud Cape, an IT services company that implements and operates future-proof IT security and cloud solutions for SMEs. He previously worked as a Business Development Manager at Lufthansa Group, where he was responsible for global sales of outsourcing solutions for airlines. He graduated from the University of Mannheim with a Master of Laws (LL.M.). He also holds a postgraduate certificate in Project Management from the University of Cape Town. In his career, he has spent extended periods abroad in Portugal, the Czech Republic and South Africa.
