As organisations’ infrastructures attempt to deal with the growing volume and complexity of internal and external security threats, Walsall Housing Group is committed to regular penetration testing of its IT systems to highlight potential weaknesses before they are exploited.
Phil Pettifer, network and security manager, WHG, said, “Penetration testing gives us peace of mind. It’s important to know that a third party has looked at our system and evaluated its security, as well as alerting us to threats or loopholes that we weren’t aware of.”
Apart from peace of mind, there are many reasons why organisations choose to independently assess the security of their corporate network, including financial regulation, maintaining confidentiality of information, measuring third-party security performance and detecting known security flaws.
As the bulk of a penetration test consists of manual effort, the extent of its findings can be very dependent on the experience and quality of the individual tester and the amount of time they are able to spend on the investigation. It is important to use experienced, qualified testers with recognised security testing credentials and the necessary support procedures, such as secure handling, management and destruction of the data obtained during the test.
WHG originally selected Peapod Consulting to provide an internal and external security health check on the IT systems which support its 700 staff. During the first inspection, Peapod identified several medium-level risks that could potentially have unlocked WHG’s systems, while subsequent tests have each identified unexpected exposures to new threats, highlighting the need for regular testing.
Referring to Peapod’s penetration test reports, Phil Pettifer said, “These are very good to use when reporting to our board to show how funds are being spent, where resources are needed and demonstrate value in these investments which benefit the whole organisation.”
CERT (Computer Emergency Response Team) estimates that there has been an increase of more than 700 per cent in exploitable vulnerabilities since 2001, while a DTI survey estimated that the average cost of a security incident varied from £8,000 to £130,000 depending on the size of the business.