Reduce Risk with a Penetration Test (or: ‘How to talk about insurance without falling asleep’)
A penetration test on your IT systems can help find your weaknesses before someone else does …
Ok, what’s the dullest subject on the planet?
Mortgage calculations? Britain’s Roundabouts? Tax Returns? Certainly not politics at the moment (but we won’t go there).
I’m going to plump for Insurance
Now, I’m not having a go at people who deal in insurance here. Some of my best friends are underwriters. But it’s face-meltingly dull.
I’m not a fan of maths in general. I suffered rather than studied maths at school. So insurance calculations, percentage premiums and all that are already on the back foot with me. On top of that, though, insurance is by definition something you don’t want to need. A bit like a nuclear arsenal. Although that comparison strays into the interesting, so forget I mentioned it.
You see, insurance is focused on a sum of the negatives. All the ‘what ifs’ and the ‘just in cases’ are condensed into a single, complex mathematical calculation. A calculation that attempts to weigh the fallout of any of countless possible mishaps against the likelihood of them coming to pass. Honestly, I’m falling asleep as I type this.
Ok, just so I don’t send you to sleep as well, let’s look at the issue from another angle in an attempt to slap us all round the face.
Oo. Sounds a bit sexier, doesn’t it? When we start talking about risk – essentially the other side of the insurance coin – we start exploring things like parachutes not opening or getting caught in the gears of a combine. Yes: it’s the nitty gritty of what could go wrong that we need to focus on. Not the algorithm that decides how much we need to pay and the terms and conditions of its cover.
And when we talk about risk, we also look at the ways we can mitigate it and militate against it. Yes, I had to look up ‘militate’ when I saw it in my research too. We’re here to expand your vocabulary as well.
To come back to the overall theme, being ‘careful’ is more boring than ‘devil-may-care’. But it is our default state. We wouldn’t get very far without a healthy sense of self-preservation and risk-avoidance. So we lock the front door when we go out, and we look both ways when crossing the road. Well, we used to.
Mitigating the risk
When it’s car insurance, driving more carefully mitigates the risk of a collision. There are quite a few insurers now that will give discounts for careful drivers. They use dedicated devices or apps on your mobile phone to log your driving behaviour. It’s an active way to make sure that exposure to risk is limited. It also means you save money in exchange for the information.
So, what about risks to business? Well, Health & Safety is important, sure, even if notoriously complained-about. But when it comes to bad things that can happen in business, data leaks have emerged as one of the nastiest occurrences. And probably one of the most costly in terms of redress and fines.
British Airways was fined £183m back in 2019, and that will have added to the bill for consultants and IT staff working to fix the vulnerability that caused it. In the US in 2017, credit company Equifax lost the personal and financial information of nearly 150 million people due to unpatched software one of its databases. The $575m fine was spectacular because they failed to inform the public for several weeks.
Data leaks are usually the result of weaknesses in cybersecurity being exploited, and, like Equifax, they are vulnerabilities that are discoverable and fixable if you stay on top of your systems. Regular checks on the systems running your business (let’s face it, they’re at least as critical to your organisation as the physical infrastructure) are the equivalent of driving carefully. Reduce risk. Insurance.
“What’s the best way to check my company’s systems for weaknesses?”, I hear you cry.
Well, have you seen the film ‘Catch Me If You Can’, starring Leonardo di Caprio and Tom Hanks? It’s the highly entertaining remarkable story based on the life of Frank Abagnale Jr, a charming individual who was convicted of theft, forgery and fraud. Abagnale claims to have passed himself off as a lawyer, a doctor and an airline pilot, despite having no training or qualifications for any position. His gift was for forgery – and he was active in the 1960s-70s, when paper documents were the main source of proof.
When the FBI finally caught up with Abagnale, he was tried and convicted and served over 3 years in a US federal prison. However, his relationship with the FBI became quite interesting. The success he had with evading capture by the FBI for years made him an important source of information to them. He has given lectures at the FBI Academy and also claims to have worked directly for them (although can you trust his word on that?).
Bit of a digression
The point is, sometimes the best way to test a system, whether it be document forgery or digital security, is to use the techniques that a genuine criminal or hacker might use. And that’s what you can do with your IT security. Have you encountered such a thing as a penetration test?
Penetration test? What the hell is that?
I know: it does sound, er, alarming. But essentially a penetration test employs a series of techniques that attempt to find ways into your IT systems. It’s very similar to what hackers and bots really use to gain access. Where they find ports left open or information exposed, flags are raised. You can then look for the actions to take to patch the holes in your system.
Ideally, you need to run a penetration test on your IT systems regularly. New threats and ways to exploit vulnerabilities are discovered regularly, particularly with widely-used systems and software, so you need to make sure that you’re a) regularly patching your systems and b) regularly testing to make sure that there are no new vulnerabilities in them.
Not as bad as it sounds. Ok, how do I get a penetration test?
At Idency, we have an extensive set of tests and checks we can carry out as part of a service we call IdencyAudit. Penetration tests are part of that service and we can also help you work out what you need to do to secure your system when weaknesses are found. Because let’s face it: it’s important for you to find them before someone else does.
Give us a call if you’d like to discuss – we’re happy to advise or just chat through the process.
So – I think we can all agree that insurance is as dull as ditchwater (or is it dishwater?). When it comes to risk, though, it’s much better – and it could save you huge amounts of money – if you take action before disaster strikes.
Goodnight – and don’t have nightmares …
Andy BGet in touch