Every business owner needs to be aware of the growing threat of cyber-attack. Vulnerable systems and networks can be compromised by a determined attacker, or in some cases merely by a semi-skilled, opportunistic “script kiddie”. Once inside your network, a hacker may be able to download sensitive data (such as customer details, future merger strategy, or staff home addresses), and could even delete business-critical data. But how do you ensure that your systems are safe from hackers? Part of the answer is to call on an expert team of penetration testers.
Also known as “ethical hackers”, these highly-specialised cyber-security experts will attempt to find their way past your defences and penetrate your systems, using the same tools as a criminal hacker would use. However, the crucial difference is that penetration testers operate only with the permission of the resource owner, and under strict terms of engagement. Although specific contracts differ, in general they will not attempt to mount a “denial of service” attack just to prove that your network is vulnerable to that kind of attack. Instead, they will probe for that vulnerability (among others), report it, and leave it to the business owner to verify whether this weakness truly exists in practice in the network.
The job of penetration testers is only half done once the actual testing is complete. They must then move on to the reporting stage, where a detailed and highly technical report is written. They may also give a talk at the client’s premises, depending on the specific agreement made with the organisation. The report will usually contain both an executive summary, phrased in general terms for higher-level management, and also a comprehensive itemising of the findings for the benefit of technical staff. The security testers can be expected to offer a certain amount of follow-up consultancy, answering questions on the report for a short while after its delivery. But anything more than this will usually require a full consultancy contract.
A business owner seeking to engage penetration testers will need to check that they are suitably qualified for the task. Since this is a young industry, there are still several experienced ethical hackers without any formal qualifications. However, more and more, new entrants into the field are finding they need to acquire recognised certifications such as CREST Registered (or Certified) Tester, the Tiger scheme, or CEH (Certified Ethical Hacker). As well as checking these certifications, clients will need to ask questions about the penetration testers’ level of experience and their reliability. It is important to feel certain that you can trust their discretion and expertise, since they will be seeking to gain access to sensitive areas of your network. With those checks done, hiring a team of fully-certified professional penetration testers will be a very wise investment in the security of your business.