Pen Testing and security checks


The problem with IT systems is that they break. Sometimes they break because someone does something accidental. Sometimes they break because someone does something malicious and on purpose. Our entire world and economy are based around information technology, and our lives are digitised. We trust the systems that we use with everything we hold dear. The pace of change within technology means that sometimes, just sometimes, the things we use are brought to market before they are perfected. Within them there are flaws, things that don’t work quite right. Yet still they come to market, and we use them and rely on them and put our trust in them. Then, being the curious creatures that we are, we start to play around with them, to use them in ways those that built them never dreamed we would. We push buttons, swipe pictures, upload information and have a – oh, I wonder what happens if I do this? – approach. We sit on the bus, or the train, or at home and we are bored. So, we have a look around. For something to do. Our reward is that things start to happen. The law of unintended consequences. From the trivial to the annoying to the potentially dangerous. Maybe we are presented with someone else’s order history, or bank details, or medical records. Now, that really shouldn’t have happened…

There is an argument for technology to be a science and follow scientific approaches. Some will argue it does; the reality would beg to differ. Testing a product costs both time and money, resources that are scarce in a world that demands products and services and demands them now. This is the core of the problem: not enough testing gets done before products go live. There, I said it.

So, a situation where a product with flaws is released into the marketplace is a fact of life. What is also a fact of life is that people have made a career and big business out of finding those flaws and then exploiting them for commercial gain. Unlike the casual, curious user, there are factories of organised groups with one aim and one aim only in mind: to break a system. Once they break the system and access your data, the world is their oyster. From extortion, to stealing your identity, to stealing your actual money: all are within easy reach once a system is breached.

The armour in the defence against this is to employ professional good guys, with the skills, knowledge and experience of the bad guys, and get them to try to break your system. Ideally before you go live with it. Then, based on those findings, try to fix the breaks, close the windows, bolt the doors, and secure the system to the best of their ability to protect your users. This is called a penetration test. It is a specialism. It is in demand. It is also the right thing to do.

Penetration testers are highly qualified individuals. Often, they come with experience of walking the wrong side of the tracks. This can sit uncomfortably with some, but there is no denying that employing someone who has walked the walk will reap rewards and lead to a more secure end product if the advice is heeded.

When it comes to finding the right penetration testing company you are going to want to do your research. These companies are trusted with your crown jewels and their very reason for being is to break your systems and gain access to your most valuable assets. Choosing a company that has industry qualifications such as CHECK or CREST, that has adequate insurance, and is actually registered as a legal limited company would be the basics. At ALLOWLIST this is something that is baked into our service; we made it central to our model to provide a list of pen testing companies that are due diligence checked, ranked, rated and reviewed by real customers. There are no guarantees in life, but this at least does some of the groundwork and narrows the field.

There is no doubt in my mind that the time for change has arrived, and that rather than being seen as an annoying cost, protecting customers and their data should be seen as the number one priority of any company. The world needs more testing. We demand more testing, and we demand more secure products and services.