How Frequently Should Penetration Testing be Carried Out?

A penetration test helps your organization determine whether its cybersecurity or physical security controls are actually effective. It also pinpoints vulnerabilities in your security program and helps you decide how to address them.

As data breaches become more common and cyber-attacks more sophisticated, it is imperative that every company conduct penetration testing. Penetration testing will find your company’s vulnerabilities and help you fix them, but it can also help you spend wisely on cybersecurity and keep your company compliant with regulatory and industry requirements.

Whether your company is small, midsized or a Fortune 500 business, penetration testing is necessary and can help you in many ways. However, how often your company should conduct tests depends on a number of factors:

  • The Addition of New Systems, Locations or Infrastructure
  • Regulatory Compliance
  • Popularity or Proliferation of Your Company
  • The Size of Your Organization

When do I Conduct a Penetration Test?

You know it is important to conduct penetration testing, but deciding when to do it can be more complex because it can be an expensive process. However, not testing can cost your business much more in the long run. So, let’s explore the factors you should consider when determining the frequency of penetration testing:

The Addition of New Systems, Locations or Infrastructure.

If you make a significant change to your critical infrastructure, software, networks and/or policies, you should run a new penetration test. It will detect vulnerabilities introduced by the change. This is especially true if you are adding a new physical location, which will need a physical penetration test as well as a cyber assessment. Not only will the new test protect your existing assets, it will also help you protect the new investment and determine the best cybersecurity measures for the new systems or devices.

On the other hand, if you are moving to cloud-based services and retiring physical servers and networks, ask your cloud provider about its own penetration testing. Your company benefits from the testing the provider already pays for, and you would not normally have access to the provider’s underlying infrastructure to test it yourself. Keep in mind, though, that security in the cloud is a shared responsibility: the provider tests the platform, but the workloads, configurations and access controls you deploy on it remain yours to test, and the major providers permit customers to pentest their own deployed resources within the provider’s published rules.

Regulatory Compliance.

Numerous compliance standards require companies to run penetration tests. If you must comply with a regulation or industry standard, it may set your pen testing schedule for you. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires a penetration test at least annually and after any significant change to your systems. The Sarbanes–Oxley Act of 2002 (SOX), ISO/IEC 27001 and the Health Insurance Portability and Accountability Act (HIPAA) do not name penetration testing explicitly, but their requirements for risk assessment and technical vulnerability management are commonly met with an annual penetration test performed by an independent third party.

Popularity or Proliferation of Your Company.

If your company is receiving public attention, being highlighted in the media or experiencing rapid growth in business, you are at higher risk of cyber-attack. Being better known to the general public also makes you better known to cyber criminals. As your media presence grows, it is wise to conduct a penetration test.

The Size of Your Organization.

Just as popularity puts a larger target on your company, so does its size. Larger companies are bigger targets for cyber criminals because their assets are larger and their online presence is usually larger. Big companies also have a larger attack surface: more employees, more devices and more network access points mean more places for a vulnerability to hide. Companies with big budgets and many employees worldwide should opt for a pen test every six months or quarterly.

Make Sure You Follow Best Practices for Penetration Test Frequency.

The general rule of thumb is to conduct a penetration test annually. However, there are always exceptions to the rule. To benefit the most from a pen test, your company should develop a relationship with the third party conducting your testing. Once your trusted provider completes an initial penetration test, it will have a thorough understanding of your systems, vulnerabilities, cybersecurity program, etc., and it will be able to work with you to determine a logical and effective pen testing schedule, which may be yearly, every six months or quarterly if you