
Aug 2024

Five penetration testing myths

According to the NCSC, penetration testing is “a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system's security, using the same tools and techniques as an adversary might.” Despite it being a great way to understand the effectiveness of your processes, we still hear many reasons why organisations “don’t need” penetration testing. How many have you heard in your business?

Category: Cyber Security Strategy

1. “I’ve never been hacked so I don’t need a penetration test.”

Being compromised is not a case of if, but when.

A penetration test can simulate attackers’ efforts to compromise organisational data and infrastructure via various external points of access, thereby assessing an attacker’s ability to gain entry.

Alternatively, providing internal access to simulate an assumed breach gives an authorised consultant the opportunity to use offensive security tactics to manually assess threat vectors within the network infrastructure.

2. “A penetration tester may harm my network, providing no subsequent support.”

The aim of a penetration tester is to attack a computer network and provide recommendations, thereby enhancing the organisation’s security posture and protecting the network from real compromise. Actions taken by a penetration tester are agreed between the tester and the client.

Penetration testers are trained to target vulnerabilities in a controlled manner, giving careful consideration to potential risks while always understanding how the organisation can be supported to fix any vulnerabilities discovered.

3. “Penetration tests are expensive, why should I invest?”

It’s true that penetration testing can be a large-scale investment; however, the benefits outweigh the initial high cost.

Following a penetration test, businesses can prevent larger-scale loss from high-risk threats such as ransomware, phishing and insider threats. Such incidents can potentially impact 70-100% of an organisation through information leakage, and could even lead to fines from governing bodies.

4. “A penetration test doesn’t suit my needs.”

How do you know? Our penetration tests aren’t a simple checklist, but a bespoke, tailored approach based on your requirements.

If you require targeted security testing, or a full assessment of the entire infrastructure, we can build it into your plan.

Whether you’re a small business with fewer than 100 employees or a large enterprise running multiple technology stacks, penetration testing provides assurance of a safe network environment.

5. “Penetration tests are too technical.”

A penetration tester is, at heart, a consultant: someone able to discover findings and clearly define them for different audiences, whether at an overarching business level or in detail for technical teams, providing further information and recommendations to support security.

We provide all clients with a non-technical summary addressing key findings and risk alongside recommendations that any member of any organisation can understand and act on.

If you have questions about penetration testing and how it could give you a deeper understanding of your security posture, get in touch at cyber@waterstons.com