25 Feb 2022
What is a Penetration Test and why would I need one?
As a busy organisation, your focus is on your mission. Whether you’re supporting humanitarian efforts, promoting animal welfare, fighting climate change, or working to improve health equity, you are focused squarely on providing critical services and support to your community. Your organisation is deeply engaged in delivering programmes, coordinating and managing volunteers, processing donations, supporting fundraising efforts, and myriad other activities.
With all these priorities on your plate, IT security might seem like something that can wait. Unfortunately, it can’t. IT security is more critical than ever for the charity sector.
Cyber criminals can exploit the smallest of security gaps, so how do you replicate a hacker’s methods and identify the weak entry points to prevent a cyber-attack?
Organisations everywhere pay people to break into their systems and find sensitive information. The reason they do this is simple: to catch a thief, you must think like one. They hire ethical hackers, otherwise known as penetration testers, to try to keep one step ahead of the cyber criminals.
Penetration tests are not cheap, but if the right test prevents your charity from falling victim to cyber criminals, it could be a very sound investment and give you, your donors and your Board some peace of mind!
We decided to take our own advice and carry out a Penetration Test. This is our story.
Charities Institute Ireland’s Experience
After scoping what we needed to test, we chose BH Consulting to conduct penetration testing on our web applications and Stripe payment integration. The testing was carried out over a two-week period in collaboration with Cii’s website developer. There were no interruptions to our operations or to any online activity during the testing period. As soon as any security issue was detected, the team at BH notified us the same day, explained the potential risk and provided mitigation recommendations, to which our developer quickly responded. We were pleased to get a clean bill of health on our payment integration process, verifying that card payment details never touch the Cii website.
As part of the final report issued, Craig Balding, Associate Consultant at BH Consulting wrote: ‘In facilitating an effective penetration test and in particular ensuring that risks were promptly and effectively communicated to the relevant parties and addressed quickly, we believe that CII has reacted in the right way and that the resulting conversations with their platform provider led to further defect reduction and security improvements.’
We carried out this penetration testing for two key reasons: principally, to reassure our members that their data is safe with us and that strong cyber security is a core standard for us; and also to demonstrate the value of the process for our members and provide them with feedback on an actual test. We’re happy to discuss our experience in more detail with members who are considering undertaking a similar exercise.
How do you commission a Penetration Test?
There are plenty of companies that offer penetration tests, but a test is only as good as the person or people who carry it out. And it’s only useful if they test the right things and give you feedback you can act on.
Find the right Penetration Testing Company
It is important to use a cyber security company you can trust, so getting references or testimonials from past customers is important.
Scope out the key areas for Penetration Testing
Carry out a cyber security risk assessment and you will have a clear idea of which IT operational areas you want to concentrate on. For example, with staff working remotely, you may want a remote working penetration test, or you may need a penetration test for specific compliance purposes.
Alternatively, you may want advice about how you can best use your budget to reduce cyber security risk and improve your overall cyber security.
Scoping your penetration test clearly is the only way to ensure that the right things get tested.
Establish exactly what kind of Final Report you will receive
The most important result of any penetration test is its findings. It is imperative that these findings are presented in a way that makes them as easy as possible for you to act on.
In practice, you should ensure that the testers provide a clear description of every vulnerability they discover, along with precise information on how to fix each one. Some of the vulnerabilities may be quite technical, but what’s important is that you understand the solution rather than the problem. Many penetration testing companies offer a free retest after you apply the recommended fixes, to verify that they are effective.
It is also useful to request a concise Executive Summary with non-technical explanations outlining the problems and the risks to your organisation. This can be especially useful for helping trustees and stakeholders to understand why funds need to be spent fixing any problems found.
Good Procurement Practice – get at least 3 quotes
Penetration testing costs can vary widely, so it’s good practice to get multiple quotes for tests that are clearly scoped, with details of who will be carrying out the tests and what their qualifications and experience levels are, so you know exactly what you’re paying for. Happy hunting!