At a time when there seems to be a new scandal about IT security incidents every week, many IT managers ask themselves how often they should put their systems to the test. After all, you have to know where your weaknesses lie in order to stay one step ahead of attackers. Penetration testing is a proven way of identifying and eliminating critical vulnerabilities before they become a problem. In this blog post, I would like to give you some guidance on how often and when you should commission penetration tests.
An individual penetration testing program is necessary
There is no single answer as to how often companies should have penetration tests performed. In my opinion, it makes the most sense to develop a penetration testing program that is tailored to your own IT security needs. Your individual penetration testing program should answer the following questions:
- What types of penetration tests are required? (Internal/external infrastructure pentest, web application pentest, IoT devices pentest, etc.)
- How extensive do these pentests need to be, and should vulnerability scanning be carried out as a complementary process where possible?
- How frequently must pentests be performed (e.g. annually or semi-annually)?
- In which situations should unscheduled pentests be performed?
Depending on a variety of individual factors, your penetration testing program will be either extensive or rather narrow. Factors that influence the scope of your penetration testing program include:
- the size of the network and the company
- the criticality of the data, applications and systems in your IT landscape
- the threat level in the company’s sector (financial services, health care, …)
- existing compliance or audit mandates (ISO 27001, PCI DSS, …)
- your available IT security budget
An annual external pentest as a starting point for your penetration testing program
An external infrastructure penetration test performed once a year should always be part of your penetration testing program. In such a test, all systems accessible from the internet, such as firewalls, VPN gateways, DNS, e-mail systems and file servers, are checked for vulnerabilities. In addition, for larger companies (from approx. 100 employees), the internal systems should also be checked (a so-called internal infrastructure penetration test). The larger the company, the more important it becomes to check internal systems, because threats from the inside become increasingly probable as the company grows.
Situations that require unplanned penetration testing
There are some special situations that require an unscheduled penetration test. These include:
- Major changes to your network (but be careful: test only once the changes are complete, otherwise security vulnerabilities may reappear immediately after the pentest)
- The occurrence of an IT security incident
- The deployment of new systems or applications
How often, how extensively and at what time a company should have penetration tests performed depends on many individual factors. A well-thought-out penetration testing program, which is regularly adapted to the company’s situation, is the key to maintaining an appropriately high level of security at all times. An annual external infrastructure penetration test should always be part of your program.