
Why Penetration Testing Is Not Enough to Prevent Data Breaches

While penetration testing is critical for enhancing enterprise security, it's not enough to thwart data breaches. Read on to find out why.


According to the 2018 IBM/Ponemon Institute study, the average cost of a data breach is $148 per record. Healthcare data costs more than 2.5 times that amount per record. The average global cost of a data breach now stands at $3.9 million, and the average time to detection is a whopping 197 days.

Once the breach is discovered, containing it takes close to another 70 days. More than 27% of all companies are likely to suffer a data breach of 10,000 records or more. Is your company prepared?

A plan to actively detect threats and rapidly correct them is key to reducing costs associated with data breaches. Regular penetration testing and correction are part of a robust loss prevention plan.

Read on to learn more.

What is Penetration Testing?

A pen test, or penetration test, is a simulated cyber attack against your website and computer systems. The pen test involves an attempted breach of your application systems, such as your APIs and front-end or back-end servers, to uncover vulnerabilities.

The test is essentially a controlled form of hacking. A "white-hat" professional uses the same tools and techniques as a criminal hacker to root out weaknesses. This can include specialized software tools, social engineering to test physical controls, or actual digital theft attempts.

Insights provided by a pen test can be used to adjust security policies and mitigate detected vulnerabilities.

Enhance Your Enterprise Security System

Network and application vulnerabilities due to simple human error make up the vast majority of data breaches. Spotting mistakes before they are exploited can make the difference in limiting system vulnerabilities.

Regular web application penetration tests can find security problems. Have testers review server systems, static content and server-side programs. They can help identify insecure development practices.

Recommendations might include keeping untrusted data separate from commands (for example, passing user input to a database as a bound parameter rather than splicing it into the query text), improved authentication management, or other changes in the design, coding, and publishing of software. Depending on your system vulnerabilities, your mitigation efforts may be worth thousands or millions of dollars in savings.
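The "keep untrusted data separate from commands" recommendation is the kind of finding a web application pen test typically produces. The following is an added illustration, not code from the article or from Paranet: it places a lookup that splices user input into SQL text beside the parameterized form, using Python's standard `sqlite3` module against a small in-memory table whose rows are constructed for the example. The `compare` helper and the sample data are assumptions made for this illustration.

```python
import sqlite3

# Constructed sample data standing in for an application's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_insecure(conn, username):
    """Insecure pattern a tester would flag: untrusted input becomes part of the command.

    Because the value is pasted into the SQL text, the database engine has no way
    to tell where the data ends and the command begins.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Recommended fix: the command text is fixed and the value is bound separately.

    The driver hands the value to the engine as data, so it can never alter
    the structure of the query, whatever characters it contains.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on a fresh database and report how many rows each returns.

    A benign username returns the same single row either way; an input that
    carries SQL syntax shows the two behaving differently, which is exactly the
    difference a pen test report is trying to get developers to close.
    """
    conn = make_db()
    try:
        return {
            "insecure": len(lookup_insecure(conn, username)),
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Ordinary input: both forms return exactly one matching row.
    print("benign input:", compare("alice"))
    # Input containing SQL syntax: the spliced form returns every row,
    # the parameterized form treats the whole string as a username and matches nothing.
    print("hostile input:", compare("' OR '1'='1"))
```

Running the block prints one row for the benign lookup under both forms, while the hostile string returns every row from the spliced query and none from the parameterized one. The fix costs nothing at runtime, which is why it is usually the first remediation item on a web application pen test report.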

Useful or Useless?

Potential savings and prevention seem to more than justify the use of penetration testing. However, even the most thoroughly vetted applications can fall victim to data breaches. Security professionals are playing a game of perpetual catch-up with malicious criminals.

Critics of pen testing note that the testing is only as good as the testers (the assumption being that the attackers are better). They also assert that pen testing does nothing to actually strengthen defenses; it only points out vulnerabilities.

Pen Testing Plus Taking Action

Underestimating the human factor in cyberattack defense is a critical mistake. Addressing the many vulnerabilities of your network or website requires resources and time dedicated to both testing and tools.

Upgrading to cutting-edge firewalls, acquiring newer and better software development tools, and hiring more IT security professionals all help to fight emerging threats.

As testing reveals vulnerabilities, you need the right tools in place to respond to and mitigate damage. Faulty deployments and poor configurations can be avoided entirely with a system of checks and balances.

Security Compromises Can Kill

State-of-the-art tools and software alone won't prevent data breaches. Given the statistics regarding large-scale breaches (more than 10,000 records), a data breach is more likely than catching the flu this season.

The healthcare industry saw an average of 32,000 intrusion attacks per day, per organization. Healthcare records are of high value, so hospitals find themselves an extra-attractive target for hackers.

Attacks can be deadly. For example, the MedStar Health ransomware attack made national headlines when it threatened the lives of cancer patients. The shutdown of the email and database systems stopped treatments for several days.

Attacks can also affect network-connected medical devices and equipment, like ventilators, X-ray and MRI machines or lasers. A takeover of HVAC, power distribution or even electric wheelchairs is possible.

A Measured and Combined Approach

A cost-effective security framework balances measured risk with the possible costs of recovery. As the cost of healthcare data breaches continues to rise, using the best tools available is a reasonable investment.

Cybersecurity professionals are well-aware of the limits placed on healthcare administration. Most budgets are flat or show only slight increases, despite the upward trend of threats in the past five years.

The key is to allocate resources to improved cybersecurity hygiene. A continuous security framework must include automatic vulnerability monitoring, patch management, and ongoing risk assessment and management. Training people to resist social media attacks and other personal vectors is a close second.

Automated and manual penetration testing continues throughout, as part of your vulnerability assessment.

Keep Up to Date

Health Insurance Portability and Accountability Act (HIPAA) compliance is simply inadequate to keep your data and networks safe. A single patient record is worth $50 or more to the wrong type of people. A single hack can be worth millions.

Stay educated about the latest criminal access to hospital networks. As more devices and systems are interconnected to hospital networks, the threats grow. Malware and ransomware are now costing more than $2 billion each year.

24/7 Access, 24/7 Threats

Access to patient records is needed 24 hours a day, seven days a week. Hackers threaten your network on the same schedule. Cyber attacks can result in more than bad press.

Patients' lives are at stake if a network is not protected against attack. A combined approach of automatic and manual threat detection, including penetration testing, is best. Complete the cycle with continuous cybersecurity hygiene.

Unsure if your cybersecurity meets the challenge of bad actors? We can help you assess and remedy threats. Get in touch to learn how we can pinpoint vulnerabilities and ensure that your defenses are adequate.
