by Ben Brown | 10/07/2021
Penetration Testing, or Pentesting for short, is a method businesses and organizations use to confirm that the cyber security protections they have in place are effective. Known as offensive security, it involves using a third-party consultant to test the organization's security by attempting to breach it in the same way a real hacker would. The main difference is that when the consultant is finished they don't steal the data; instead they provide a detailed report explaining exactly how they were able to compromise as much as they did and how best to go about fixing it. This means that when a real hacker comes along they aren't able to do the same things.
There are restrictions placed on Pentesters which ensure that only non-destructive tests are attempted, and close communication with the organization being tested is of critical importance. This places a slight caveat on the effectiveness of Pentesting, because a real attacker will not be concerned about doing damage, only about achieving their objective. A Pentester places primary importance on doing no damage and then tests as thoroughly as they can within those confines.
Typically the main areas that receive attention from Pentesters are networks, networking equipment and websites. These are the parts of a business that change regularly, and when changes are made it's important to be sure no vulnerabilities have been introduced. Bringing in the Pentester to confirm in practical terms what vulnerabilities are present and what data can be accessed is an effective method of confirming what data is exposed and what an attacker might be able to do with it.
Depending on the sensitivity of the data being protected, Pentesting is normally carried out every year, every 6 months, or after every major change made to the network or website.
There are 3 main reasons that companies tend to get a Pentest.
1. Testing is required as part of a regulatory regime that binds the organization, e.g. ISO 27001, HIPAA or FFIEC.
2. In order to attract larger clients: breaking the ceiling on the next level of clients often requires greater adherence to, and confirmation of, best practices.
3. The company is concerned that it lacks clarity on exactly where cyber attacks are likely to come from and wants to get ahead of the potential damage a data breach could cause.
With the introduction of GDPR regulations in 2018, things changed in a big way for companies that control data: since 2018 there has been an additional threat to businesses beyond the reputational damage associated with a data breach. This comes from the Information Commissioner's Office (ICO) itself, in the form of potential fines of up to 20M Euros or 4% of global turnover (whichever is greater). This means that businesses that experience a data breach must report themselves to the Information Commissioner's Office and may well be fined for not protecting their customers' and employees' data. To date the largest fine issued by the ICO was to WhatsApp for 225M Euros.
With the well-publicized increase in Ransomware and Phishing attacks, combined with the potential to be fined by the ICO, the risks for all businesses that don't invest in cyber security are clear. Travelex was a world-famous foreign exchange company until it experienced a Ransomware attack in 2020. Since then the reputational damage of this attack has forced the company into administration.
There are, however, myriad options and service providers available to choose from, and selecting the right provider can seem like a major project in itself.
Choosing the right provider depends on a number of factors, but the main one is how far into cyber security testing the organization already is. If you already have Pentests regularly and have eliminated most or all of the low-hanging fruit in your estate, you may be ready to move some of your Pentesting budget towards more specific security tests such as Phishing attack simulations. If, on the other hand, you've never had security testing done, then you will likely get more value from focusing your budget on identifying low-hanging fruit and honing your deployment methods to ensure these issues are caught and fixed before go-live time.