We’ve said it before and we no doubt will say it again: Even if you use a managed service provider (MSP) for Information Technology (IT) support, don’t just assume that your MSP is performing security assessments at the right frequency. It ain’t necessarily so!
Your MSP should be proactively monitoring the industry for new and improved security tools and techniques and for new threats which emerge constantly. Your MSP should also be performing vulnerability assessments on your environment on a regular basis, but are they? Your account manager should inform you about what security improvements are being made and why. Sadly, we’ve met people from many companies who thought this was being done but found out later that it was not.
The converse is also true. You might be paying for vulnerability assessments that are unnecessary for your particular business.
Types of Cyber Security Testing
Most small businesses need only a cybersecurity assessment that consists of internal and external vulnerability scans, not an expensive penetration test. But what do those terms even mean? Here’s a rundown of the most common cybersecurity test terminology and when each type is needed.
- Assessment (a.k.a. IT assessment, gap assessment): An IT assessment is a comprehensive and thorough review of a company’s technology systems and environment. The primary goal is to understand how the current level of technology helps or hinders the business, and it provides insight for IT experts to make recommendations on how to use technology to meet business goals and objectives.
- Vulnerability assessment (a.k.a. vulnerability scan): This test looks for and reports on potential weak spots inside your network (internal) as well as external vulnerabilities that might allow threat actors to gain access to your network. Today's scanning tools are sophisticated: they can scan your environment quickly and produce actionable reports, and because they are automated the cost has become much more reasonable. Keep in mind that a scanner only reports what is visible from where it runs and only for weaknesses it has signatures for, so the findings need to be fixed and then rescanned to confirm the fix. How often you need a vulnerability scan depends on your business and your risk tolerance. For instance, if your business accepts credit cards, PCI (payment card industry) rules require that all external IPs and domains exposed in the CDE (cardholder data environment) be scanned at least quarterly by an ASV (approved scanning vendor), and again after any significant change to that environment.
- Penetration test (a.k.a. pen test, ethical hacking): This type of test is essentially an authorized and simulated cyber attack on your business by "white-hat" cybersecurity experts. Where a vulnerability scan lists possible weaknesses, a pen test shows which of them an attacker could actually exploit and how far they could get, so that you can fix what matters and reduce the overall risk to your organization. Red teaming is often lumped in with pen testing but is a broader, goal-driven exercise that also tests whether your people and monitoring detect and respond to an attacker. A pen test is rarely needed for most small businesses. Instead, internal and external vulnerability scans are the best place to start in most cases. After the vulnerability scan is complete and all the issues it identified are addressed, then you and your IT partner can decide if a pen test is warranted. If you do commission one, agree the scope, the systems that are off limits and the rules of engagement in writing before anyone starts.
- Network audits: A network audit addresses both security and performance and should be done regularly. If you don’t know what you have, you can’t possibly ensure that it is secure. An audit can find unauthorized hardware and software added to the network which may lead to security, performance or licensing issues. An audit may also provide visibility into performance issues. The output of regular audits will allow you to adjust settings, restore function and replace components as needed to improve productivity and security for your organization.
- Compliance audits: Basically, this type of audit ensures your company is following the laws, regulations and industry standards that apply to your particular business. We already mentioned PCI compliance, an industry standard (not a law) that applies to any business that accepts credit card payments. There are many other types of compliance that pertain to different types of businesses, including privacy, environmental, employment, antitrust, advertising, marketing, fair labor standards, medical and more.
Internal compliance audits are self-audits of a company by either staff or a vendor partner. Most companies perform these periodically throughout the year to gauge their overall compliance and security risk and make sure everyone is following the guidelines.
External compliance audits are formalized and carried out by an independent third party that measures whether an organization is complying with state, federal or corporate regulations, rules and standards. Each follows a specific format that is determined by the compliance regulation being assessed (e.g., taxes, HIPAA, OSHA, EEOC).
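The "find unauthorized hardware" step of a network audit comes down to comparing what is actually answering on the wire with the inventory of what is supposed to be there. The following is an added example, not code from the original post or from any audit product: it parses a constructed Windows `arp -a` dump, normalizes the three common MAC address formats (colon, dash and Cisco dotted), skips broadcast and multicast entries so they are not flagged as rogue devices, and reports both unknown devices and inventory entries that were not seen. The inventory and the ARP output are constructed sample data; the function names are our own.

```python
import re

# Matches aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and Cisco-style aabb.ccdd.eeff.
MAC_RE = re.compile(
    r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed authorized inventory (hypothetical devices), deliberately in
# mixed MAC formats to show that normalization happens before comparison.
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:55": "file-server-01",
    "00-11-22-33-44-66": "reception-pc",
    "0011.2233.4477": "printer-2f",
    "00:11:22:33:44:88": "laptop-ceo",
}

# Constructed `arp -a` output from a Windows workstation. One entry
# (DE-AD-BE-EF-00-01) is not in the inventory; the last two are the
# broadcast and an IPv4 multicast group, which are not devices.
ARP_DUMP = """\
Interface: 192.168.1.10 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-11-22-33-44-66     dynamic
  192.168.1.30          00-11-22-33-44-77     dynamic
  192.168.1.99          DE-AD-BE-EF-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""


def normalize_mac(raw: str) -> str:
    """Return a MAC in lower-case aa:bb:cc:dd:ee:ff form, whatever the input style."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the low bit of the first octet set.
    They are not hosts and must not be reported as rogue hardware."""
    return int(mac[:2], 16) & 1 == 1


def parse_arp(text: str) -> dict:
    """Map IPv4 -> normalized MAC for every ARP line that carries both."""
    observed = {}
    for line in text.splitlines():
        ip = IPV4_RE.search(line)
        mac = MAC_RE.search(line)
        if not ip or not mac:
            continue  # interface banner / column header lines
        norm = normalize_mac(mac.group())
        if is_group_address(norm):
            continue
        observed[ip.group()] = norm
    return observed


def audit(inventory: dict, observed: dict):
    """Return (unauthorized, unseen): devices on the wire that are not in the
    inventory, and inventory entries that did not show up on the wire."""
    known = {normalize_mac(mac): name for mac, name in inventory.items()}
    unauthorized = sorted((ip, mac) for ip, mac in observed.items() if mac not in known)
    seen = set(observed.values())
    unseen = sorted(name for mac, name in known.items() if mac not in seen)
    return unauthorized, unseen


def run_audit():
    """Audit the constructed ARP dump against the constructed inventory."""
    return audit(AUTHORIZED_INVENTORY, parse_arp(ARP_DUMP))


if __name__ == "__main__":
    rogue, missing = run_audit()
    for ip, mac in rogue:
        print(f"UNAUTHORIZED  {ip:<15} {mac}")
    for name in missing:
        print(f"NOT SEEN      {name}")
```

An ARP table only shows hosts that have talked recently on the segment the collector sits on, so in practice you would feed it tables from every switch or router and merge them with DHCP leases; "not seen" entries are then either offline or quietly decommissioned, and both are worth a follow-up.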
So, What Cyber Security Testing Do You Really Need?
The type of testing you need really depends on the type and size of your business and your risk tolerance. For some organizations, it will be “all of the above.” And some organizations may have compliance requirements that push them towards more testing. For most small to medium size organizations, the best approach is to find an IT partner you can trust to invest the time to really understand your organization and what it needs before recommending costly and potentially unneeded tests. If you do require the most in-depth and advanced testing, it can be planned in advance. When you understand the most appropriate test schedule for each type of test, you can budget for those expenses and plan them so that they create the least impact on your organization.
Testing can feel like a daunting task, but in today's increasingly digital world where a cyberattack can be devastating, it is a necessary one. If you need some guidance or have questions, contact us or book a meeting.