What does penetration testing do for your business and how much does it cost?
Most businesses already have security technologies they have spent money on to protect their operations. Platforms such as firewalls, password management systems, and blocking technology for malicious web content and email attachments are all technical controls used to keep out attackers. However, in today’s business environment, you need to consider whether this is enough to protect you from the wide array of online threats and risks posed by global cyber adversaries. The reality is that blocking technologies such as those listed above cannot give you insight into where the gaps in your cyber defences are, so how can you possibly know whether your investments have made you secure? You may need to show your board or investors that you have done as much as possible to protect their business and to address the ramifications of reputation damage, lawsuits, and loss of customers. It is time to consider using a penetration test to determine how sound your controls are and where gaps may exist that you can patch before your adversaries find these holes and move into your infrastructure.
What will a Penetration Test add to your Security Posture?
We’ve previously covered how to pick a penetration testing company in another article (provide link), including some of the considerations you’ll need to work through before awarding the contract to a service provider. The reality of a penetration test is that the provider will employ experts who know how to think like a hacker and use that knowledge to look for ways to bypass your security controls. Penetration testers will analyse network environments, applications, and infrastructure, but can also test mobile and client-server applications, devices, wireless, telephony, VoIP or OT (Industrial Control Systems), and even break into your offices (under your guidance, of course). Penetration testers, given the scope, will quickly identify the potential vulnerabilities in your business, covering people, processes and technology, and attempt to exploit these to show how exposed your organisation is to real attacks. For this reason, penetration tests are recommended for any assurance programme to look for the chinks in your armour and to uncover areas of concern you may need to patch or monitor for ongoing threats.
The time it takes to conduct a penetration test varies based on the scope and scale of the task. Considerations such as the complexity of your infrastructure, the diversity of services, and the location of systems (on-premise or in the cloud) all change the scope and objectives, and with them the way you look at costs.
How much does a Penetration Test Cost?
It’s hard to put a generic price tag on a high-quality penetration test, as depending on the scope it could cost anywhere between $5,000 and $100,000. On average, you should be scoping an assessment that lasts about a week, such that costs are between $10,000 and $30,000, depending on the team size. A larger scope will require a bigger team of testers to assess everything in the timeframe, which can significantly elevate costs. As with any services business, costs will always vary.
CXO Security offers penetration testing, so we know only too well how to scope and plan for an appropriate test. In fact, we often collaborate with our customers to redefine what’s in scope, since they start from a position of knowing they need a test but not knowing how to get the best bang for their buck.
We will begin by looking at complexity, methodologies, and the experience we need to bring to the job to ensure we get the best results for the customer. We will also need to consider expenses: some tests can be conducted remotely, but a physical test that needs a tester to travel to multiple locations will cost more. Let’s look at some of these cost factors in more detail:
- Complexity: The size and complexity of your environment is the biggest factor in scoping and pricing a penetration test. The model is easy to understand: a more complex environment requires more labour for the assessment.
- Methodology: Penetration testing providers may each conduct their pen test in a different way. Some use expensive tools, which could increase the cost. Conversely, more expensive tools could reduce the time of your test and produce higher quality results.
- Experience: Depending on the scope and the experience needed to test the target systems or applications, you’ll incur different costs. Testers with specialist experience or lead testers will be more expensive. It’s always worth asking the testing provider how hard the activity is and asking them about the experience of the resources doing the assessment. Testing for vulnerabilities in a network environment is something senior assessors will do very well. Finding coding issues within a C++ application will require a lot of experience in understanding the principles of secure coding, and the tester will need to be very aware of the mistakes developers make that lead to vulnerabilities in the final product. Always ask your provider for the credentials of the assessor; that way you can determine the value for money you are getting for the engagement.
- Onsite or Offsite: Most penetration tests are undertaken remotely; in some circumstances, large or complex environments may require an onsite visit to adequately assess your facility’s security, network access and susceptibility to social engineering.
- Remediation: Some penetration tests include remediation assistance/advice and/or retesting within the quote. Others will just provide a report of their findings. We always recommend that a penetration test includes a detailed report, mitigation recommendations and a follow-up test once you are comfortable your remediations are completed.
Summary
CXO Security recommends that, before you commission a penetration test, you talk to several providers to understand how each of them operates. Have a preliminary meeting with each provider to see how they scope your work, and be open about your budget so the provider ensures the most important systems or information stores are in scope.
If you are not happy with a quote, or feel something isn’t right with the scoping or the descriptions of the deliverables, speak up and discuss this with the provider. CXO Security ensures we are assessing the most relevant target systems, giving our customers the best value for money. If you want to learn more about scoping a penetration test or how our assessments work, get in touch with our team today.
If you want advice or guidance from our team on this or any other aspect of web application, mobile application, and network security, we are always happy to help.