7 Benefits of Cybersecurity Penetration Testing
Security breaches are prevalent in today’s business environment and reports indicate that these threats are not going away any time soon. As a result, organizations need to take steps to safeguard their confidential data and other sensitive information. Smaller-sized organizations like small businesses and not-for-profit entities are particularly vulnerable. A recent study by Symantec found that 43 percent of phishing campaigns affected small businesses in 2016, a significant uptick compared to 2011 when just 18 percent of attacks targeted small businesses.
Even organizations with limited resources have affordable and effective options for protecting valuable data. I recommend penetration testing, a type of cybersecurity vulnerability assessment, to my clients working in the not-for-profit sector. Many of my not-for-profit clients feel compelled to conduct cybersecurity penetration testing when they consider how accepting online donations may create vulnerabilities not only for themselves but also for their donors. Potential donors may feel more comfortable donating online once they hear that the organization has safeguards in place to protect their information. Penetration testing is performed by an outside third party and can be tailored to the needs or concerns of the organization.
Regardless of an organization’s size and area of impact, penetration testing can be a valuable tool. It can help all types of not-for-profit organizations and small businesses understand their information security vulnerabilities in a clear and concise manner.
Below are seven benefits of cybersecurity penetration testing:
- It is adaptable for your particular organization. Testing can suit your unique needs from external and internal-facing networks to web and mobile applications, wireless systems or a combination of these.
- It identifies threats with several techniques. Assessments can employ a variety of methods to identify threats, including social engineering, which attempts to uncover confidential information through email phishing or phone calls.
- It helps satisfy compliance requirements. Regulations that need to be followed include the Payment Card Industry (PCI) Data Security Standard and the Health Insurance Portability and Accountability Act (HIPAA). Keep in mind that the HIPAA Privacy Rule may apply to practitioners in public practice with clients in the medical field. For more information on this, read this blog post.
- It meets mandatory testing requirements. In some cases, penetration testing is mandatory. While it is always recommended, it is a required annual activity for any entity transmitting, processing or storing one million or more credit card transactions with any one card brand annually, for those who have experienced a recent PCI data breach, and for those who have otherwise been asked to test by a credit card processor or bank.
- It protects stored credit card data. Testing is also required if an entity is storing credit card data in any manner, using certain kinds of desktop payment processing or online payment processing methods, or acting as a PCI service provider to a third party.
- It keeps sensitive personal information safe. It can be used to help protect personally identifiable information (PII) data, such as donor and staff information. It can also help higher education institutions comply with the Family Educational Rights and Privacy Act (FERPA) and identify vulnerabilities that may expose sensitive student information.
- It reports critical information. The reports generated should be written to meet the needs of an IT department, management, internal and external auditors and examiners. They should clearly define the scope of the testing, the methodology used and the results of the testing, and make recommendations to address any findings. The reports should also be subject to a rigorous quality assurance process to ensure accuracy and completeness.
Penetration testing should be considered along with other closely related information security and compliance services, such as vulnerability scanning, information security consulting, on-site assessments and forensic investigations.
Testing should also not be a one-time occurrence. Once findings are remedied, a retesting window is important so organizations can be assured that the vulnerabilities identified have actually been resolved.
Although no cybersecurity practice can guarantee that a breach won’t occur, strong cyber defenses, specifically penetration testing, can provide your organization with valuable protection for your data and assets.
To better understand, mitigate, plan for and respond to cybersecurity threats, visit the AICPA's Cybersecurity Resource Center containing helpful videos, articles, whitepapers, fact sheets and CPE opportunities.
In addition, those working with or for not-for-profits may be interested in participating in the upcoming webcast Cybersecurity Pitfalls and Information Risk Management for Not-for-Profits, which is being hosted by the AICPA Not-for-Profit Section on Wednesday, February 22.
Frank Jakosz, CPA, Partner-in-Charge, Not-for-Profit and Higher Education Practices, Sikich LLP. Frank has more than 40 years of public accounting experience and expertise serving not-for-profit organizations. He serves on the AICPA’s Not-for-Profit Advisory Council.