As a managed IT and cyber security provider, Internos conducts cyber security testing on a regular basis for clients. Unfortunately, many IT providers do not; then companies find out too late that their security testing needs were not being met by their MSP.
Yes, you need cyber security testing! It is an important part of your overall security and business continuity. But that doesn’t mean you need the most expensive, intensive testing available out of the gate. There are many types of cyber security testing and not every scan will be necessary for your particular business. A cyber security assessment with internal and external vulnerability scans is all that most small businesses need, not an expensive penetration test. Don’t know what those terms even mean? Take a look at our nutshell descriptions.
Penetration Scans (a.k.a. Penetration Tests, Pen Tests or Ethical Hackings)
A penetration scan is an authorized and simulated cyber attack on your business by cybersecurity experts to evaluate the security of your systems.
It is rarely needed for most small businesses. Instead, internal and external vulnerability scans are the best place to start. After the vulnerability scan is done and all problems are fixed, then you and your IT partner can decide if you really need a penetration scan.
A vulnerability scan is a test that looks for and reports potentially weak spots both inside your network (internal) and the external ways your network could be compromised. Security assessment tools of today are sophisticated, rapid and automated, which keeps the costs reasonable. The frequency of these scans will depend on your business. For example, if your business accepts credit cards, all external IPs and domains exposed in the CDE (cardholder data) are required to be scanned at least quarterly by a PCI (payment card industry) ASV (approved scanning vendor).
Assessment (a.k.a. Cybersecurity Assessment, IT Assessment, Cyber Risk Assessment)
An assessment is a comprehensive review of your company’s technology systems and environment. It determines if technology helps or hinders your business, and helps your partner or in-house IT experts make recommendations for the better use of technology to meet your objectives.
Network audits are absolutely necessary. Consider what happened last year to Solar Winds. They were compromised in March 2020 but it went undetected until December 2020.
Unauthorized changes can be made to a network without admins being aware, such as hardware, software and end-user devices being added. Network audits address security and performance and provide visibility so you can understand performance glitches across your network, such as when backup or data archiving fails or devices reach end-of-life status. Because you can “see” it through the scan, you can adjust settings, restore function and replace components as needed.
Compliance audits are kind of like a teacher making sure you’ve crossed your Ts and dotted your Is. They ensure your company is following all the rules, regulations and laws of specific government agencies that relate to your particular business. PCI compliance, as we mentioned above, is one of them. It applies to any business that accepts credit card payments. Other types of compliance pertain to different types of businesses, including privacy, environmental, employment, antitrust, advertising, marketing, fair labor standards, medical and more.
Internal compliance audits (self-audits) are done for some businesses by staff or a vendor partner. Most companies perform these periodically throughout the year to determine their overall risks to compliance and security and make sure everyone is following guidelines.
External compliance audits are formally done by an independent third party. They measure if an organization is complying with state, federal or corporate regulations, rules and standards. Specific formats are followed and those formats are determined based on the compliance regulation being assessed (e.g., taxes, HIPPA, OSHA, EEOC).
Getting the Right Cyber Security Testing for Your Business
So, what testing does your business need? There’s no one answer to that question. It depends on the type and size of your business. It could be “all of the above” but that is unlikely for most small to medium size businesses.
Working with an IT managed service provider (MSP) should ensure that you are getting the right testing at the right time. But many IT providers don’t include testing in their standard packages. That means they may not be running the security checks frequently or thoroughly enough.
How would you know? Your MSP account manager should inform you about any testing completed as well as the security improvements being made (and why) on a regular basis. If you are not getting this communication, it may be time to reconsider your IT support provider.
Usually it’s best to find an IT partner who is willing to invest the time to really understand your business and what it needs before recommending costly, and potentially unneeded, tests. If you do need in-depth testing, it can be planned and budgeted in advance. Cyber security testing is a daunting but necessary task. Internos can help give you guidance and answer questions. Contact us. We’d be happy to help.
Use our Managed Service Provider Checklist to Find the Right
Our easy-to-follow checklist can guide you through the process of the best IT services provider for your business.
Are you a first-timer to IT support? Maybe you aren’t happy with your current MSP? This checklist will help you outline and define: