Is once a year enough?

Author: Thomas Wong

Is once a year enough? I’m talking about penetration tests, of course. The independent think tank Cyber Resilience Think Tank has recently been quoted as saying that it’s time to pension off the old “penetration test” as it’s known. I can't say that I agree with this prediction. Quite the opposite: I'd say that we should be talking about how once a year is far from sufficient and that a penetration test isn't enough.

When organisations started carrying out penetration tests back in the early 1990s, the idea was to get an overview of all the weaknesses and vulnerabilities in their web applications. As this was a relatively new discipline, the findings presented by IT security suppliers often highlighted more than a few severe vulnerabilities. Customers just received a report that they could work with over the coming period. Some of the tests were repeated to check the vulnerabilities the customer had dealt with. A new penetration test was carried out the following year where the report – it is hoped – showed some progress. Simply put, penetration tests were used as a part of a procedure designed to reveal an organisation’s weaknesses.
