How often should you conduct penetration testing?

Tom Tuunainen

An organization that handles sensitive data must be diligent in its security efforts, and regular penetration testing is part of that diligence. Even a small security breach can cause significant financial damage to an organization, not to mention damage to its reputation.

There are two main reasons why regular penetration testing is necessary to secure operations. Firstly, applications are continuously evolving, and new vulnerabilities are constantly being discovered. Penetration testing identifies these vulnerabilities so that they can be fixed before an attacker exploits them. Secondly, depending on the organization and the type of data it handles, it may be required to comply with security standards. PCI DSS, for example, requires penetration testing at least annually and after any significant change to the environment. Penetration testing provides evidence that the organization meets such standards, and thus helps it avoid penalties for non-compliance.

Many organizations have a once-a-year testing cycle. But what is actually the best frequency for penetration testing? Is once a year enough, or should one test more frequently? If you test only once a year, the likelihood that a vulnerability introduced shortly after the test goes undetected for most of the year is high, and this leaves the organization open to attack. To mitigate this risk, testing every 4-6 months is a reasonable baseline for most organizations. A more frequent penetration testing cycle is a must, however, if one operates in a high-risk industry or releases changes often; in that case one may need to test monthly, or even weekly. The calendar is not the only trigger either: a significant change, such as a new release, a new integration or an infrastructure migration, should prompt a retest regardless of when the last one took place. But even this might still not be sufficient!

Periodic testing alone is no longer sufficient in today's ever faster changing world. As businesses rely more and more on their IT solutions, and deploy changes to those solutions more often, continuous testing becomes increasingly important. If you cannot find and fix vulnerabilities at the pace at which they are introduced, the window in which an attacker can exploit them keeps growing. Continuous testing allows you to find and fix vulnerabilities as soon as they are detected, instead of waiting for the next periodic assessment. In practice this means automated security testing integrated into the development and deployment process, complemented by manual penetration testing, since automated tools do not find everything a skilled tester does. The main question nowadays is thus not whether you conduct penetration testing, but how you do it. If you are serious about securing your organization, there is no excuse to wait for your next allotted budget. You must take steps towards continuous testing now!

Tom Tuunainen
R&D Developer
Centria University of Applied Sciences
Tel. +358 40 681 7207