No business is immune to cyber-attacks. In fact, every year, nearly half of all UK businesses suffer some sort of breach. But there are measures that your organisation can take to minimise risk, helping you to maintain your income, your valuable internal resources, and your reputation with your clients.
Since 2013, we have been helping organisations of all sizes and types identify, safely exploit, and remediate technical vulnerabilities before malicious attackers can gain access and compromise their information assets.
Penetration testing—also known as pen testing or ethical hacking—is a method of identifying possible ‘penetration points’ in IT security; any vulnerabilities or gaps that could be exploited, leaving your business at greater risk. These weaknesses might take the form of:
This testing format is undertaken by security experts, either remotely or onsite. Once gaps have been identified in your systems and networks, penetration testing consultants provide expert advice for strengthening your defences.
A penetration test will give you an understanding of the level of technical risk emanating from your IT infrastructure and web applications. This ensures you have the information you need to fix gaps in your organisation’s IT setup before they become problematic.
A correctly scoped test will provide peace of mind that the networks and applications tested have been configured in accordance with good practice and that there are no common or publicly known vulnerabilities in the tested components, at the time of the test.
Regular testing gives you the confidence that your valuable data is as safe and secure as possible. It also helps you to demonstrate to your clients and stakeholders your strong and ongoing commitment to IT security.
Think of a penetration test like a financial or quality audit. Your team keeps operations running smoothly and an external party validates that the processes they work to are sufficient. It’s about being proactive and doing everything you can to keep your business safe, while showing customers and stakeholders that their information is secure.
The digital world is not static and new vulnerabilities are being discovered every day. So, much like carrying out an annual MOT on your car, we recommend regular penetration testing for all businesses to ensure ongoing mitigation of risk; however, it is even more important if:
Penetration testing should form part of your risk management strategy; it will provide you with an awareness of your current risk profile to allow you to reconcile it with your risk appetite through the use of the technical controls, as defined by your Information Security Management System (ISMS). If your organisation is ISO 27001 compliant, penetration testing can help you demonstrate the required continuous improvement.
Vulnerabilities can exist within every area of technology, from the hardware you use to your operational processes. That’s why PGI offer a range of CREST accredited security testing, covering all potential risk areas:
Examining your operating systems, applications, software, and firewalls.
Examining public-facing and internal web applications.
Examining wireless networks, access points, and any encryption.
An enhanced Penetration Test required by government departments, other public bodies and certain companies connected to government systems.
A configuration review will provide you with detailed insight into your IT infrastructure
PGI's penetration testing team have their fingers on the pulse of the latest threats and are keen to make your organisation harder to access for criminals.
Help me find my vulnerabilitiesIT Manager, Wansbroughs
With years of experience in the field of security and IT management, our team have gained a unique insight into the opportunities that attackers are looking for and which aspects of your system they view as a possible weakness. We use the most effective methods to identify vulnerabilities, without disrupting operations, allowing us to highlight problem areas and work with you to identify the most suitable solutions.
We recognise the importance of being certified to industry standards; that’s why PGI is an accredited CREST member.
Should you find yourself a particularly heavy user of these types of services, PGI also offer in-depth training and mentoring packages.
Essentially, a vulnerability assessment is an automated scan used to identify vulnerabilities while a penetration test aims to exploit those vulnerabilities to get a deeper understanding of the holes in your defences.
We’ve written a whole blog post on the subject:
PGI’s experienced, CREST and Tigerscheme accredited team. All of our Penetration Testers have undertaken significant study, passed in-depth technical exams and been mentored before being allocated client work.
PGI is accredited to ISO 9001—the international quality standard—which ensures all of our processes remain of a high quality.
Typical tests follow a set methodology. In simple terms, it might look like this:
Along with their in-depth experience, PGI’s team use a wide range of tools to identify vulnerabilities, including industry best practice open source and commercial applications; they select the appropriate tools for the scope of work.
Testing will span anywhere from a week to a month, depending on the scope of work. For example, a simple website may take 1-2 days, while a more complex scope of work may take several weeks.
The threat is constantly evolving so a penetration test will only validate that your organisation’s IT infrastructure is not vulnerable to known issues on the day of the test. This is why testing should be performed regularly—many organisations commission quarterly or yearly tests.
If you are implementing any changes or new systems, infrastructure or applications, you will also need to test these before they are live. We strongly recommend not waiting until your next scheduled test to check that if there are vulnerabilities.
If you would like advice on how often you undertake a pen test, we recommend discussing this with one of our Information Assurance Consultants.
All penetration testing services you buy should be conducted by qualified consultants who hold relevant and in-date industry qualifications—such as Qualified Security Team Member (QSTM/CSTM), Check Team Lead (CTL), Check Team Member (CTM), Senior Security Tester (SST), and Offensive Security Certified Professional (OSCP)—and work for a CREST accredited company. PGI and our Penetration Testers are CREST and Tigerscheme accredited.
On completion of testing, the client can expect to receive the completed report within 7 days; however, any critical issues identified during testing will be communicated to the customer immediately. Any recommendations provided should be reviewed within the context of the business before implementing any remedial actions.
Almost all tests can be undertaken remotely, and we will always recommend the most cost-effective method. Please contact us to discuss your requirements.
As a CREST registered company, the PGI Red Team undertake pen tests in organisations of all types and sizes under strict standards that minimise the risk of disrupting operations. Where possible, we will perform tests on dev or test systems to avoid impact on production assets. Regardless of the system being tested, PGI consultants are always contactable during the test should a problem arise.
The cost is entirely dependent on the size of the systems or applications to be tested. Typical small to medium-sized organisations can expect to be quoted between 5 and 10 days of consultancy. This quotation may be significantly higher for larger organisations.
