A Pint of Sweat…
There’s a famous quote by General George Patton: “A pint of sweat saves a gallon of blood.”
In essence, a little bit of preparation saves a tremendous amount of pain and grief later. And what’s true in war with this quote is also true with cybersecurity. Most people and companies don’t give it a second thought until after they’ve been hacked or suffered a data breach. Once they do suffer the inevitable, they run scrambling like headless chickens, wondering what happened, what to do, and trying to make the best of a horrible situation.
The trick is, to make sure the odds of a hack or data breach are as low as humanly possible. You have to do your best to make your company no longer the low hanging fruit that makes it such a tempting and tasty target for hackers. This is why it is so critical to get a penetration test and other cybersecurity services performed regularly.
You may be wondering, “Why the devil do I need a penetration test, my IT guy is really good, they set us up with a great firewall, an excellent antivirus, and our systems are secure.” If I had a nickel for every time I heard something like that, I’d be richer than Jeff Bezos in no time. It makes no difference how good your firewall, antivirus, or systems are. All it takes is one person clicking on one phishing email, and your whole system is compromised, infected, or encrypted with ransomware, malware, or whatever other malicious bit of code came with that email. Phishing attacks are actually one of the methods tested by most competent penetration testers, since we know all too well that the Human element is often the weakest. That $10,000 firewall you bought may as well be a glorified marshmallow toaster if even one person within your company clicks on every phishing email they receive.
This is also why third party penetration testing and cybersecurity in general is so critical. The analogy I always use is this; can a general contractor who just built a home for a client do an inspection for the county on that home? Can a newly graduated lawyer taking the Bar exam grade their own work? No, they can’t, it’s a conflict of interest. The same is with penetration testing. Someone who wasn’t involved in the building, maintenance and updates of computer systems has to be the one to test it, since we come in cold. Plus, the IT techs know where all the proverbial skeletons are hiding, so they may “conveniently” overlook key details of the system that would leave it vulnerable, such as passwords that never expire, a weak password policy, a server that hasn’t been patched since the Stone Age, and the list goes on.
Granted, getting a penetration test may not be cheap, but it is a drop in the ocean compared to what a small business can lose due to a single hack or data breach. Their bank accounts can be drained, staff has to work overtime to recover files and other work that was lost or deleted by the hacker, there is the possibility of lawsuits. Plus, if the hack becomes public, customers will flee like rats from a sinking ship because they no longer trust you to keep their information safe. Then the cost of the penetration test wouldn’t seem so bad as the doors to your business are shuttered and all your hopes and dreams go up because you didn’t think you needed a penetration test.