There was a time when organizations that experienced data breach incidents might have been able to get away with pleading ignorance, but that time passed long ago.
Over the last several years, we have watched the tide of electronic data breaches swell, leaving countless organizations across the public and private sectors scrambling to make excuses or point the finger of blame for why they had not adopted and maintained adequate IT security controls.
The confluence of regulations compelling organizations to be more vigilant, plus the ready availability of proactive methods for testing defenses, has made ignorance of information security issues indefensible. When it comes to data breaches, it is clear that the era of plausible deniability has passed.
All you need to do is pick up the morning paper to witness the fallout from the latest data breach, and compromised organizations are increasingly being held liable. From class-action suits filed by angry customers to government and industry regulatory fines, the legal ramifications of data loss incidents are rapidly becoming more severe.
Data breach notification laws have already been passed in nearly every U.S. state in response to these incidents, some of which carry specific financial penalties for organizations that suffer a breach. Several states are also considering laws that would allow companies to seek recourse against business partners who leak or mishandle their sensitive information.
As a result, today, corporate leaders must always be prepared to answer questions about their information security posture, such as:
·“If we were targeted with an attack, would we be able to prevent it? Could we even detect it?”
·“Are our employees following email security policies and procedures?”
·“Do our defenses really work? How do we know that we are truly secure?”
In addition to gaining visibility into their overall security standing, organizations need a way to produce actionable data that identifies the specific weaknesses posing immediate risk to their operations, so that those weaknesses can be fixed. Penetration testing gives organizations this ability and is becoming the de facto method for vetting security risks.
Penetration testing gives you critical insight into your organization’s real-world readiness to detect, prevent and respond to actual data theft attempts. Like other forms of security testing, penetration testing is most effective when conducted on a regular, consistent basis: any single test is a snapshot of a moment in time, while the threat environment is constantly evolving and new vulnerabilities are discovered every day. Data breaches are a 24x7 threat, and ongoing in-house testing lets you maintain visibility into your security posture between and beyond those snapshots.
By proactively and regularly conducting penetration tests, you practice a level of due diligence that the courts will increasingly expect and that industry and government regulations now call for: PCI DSS explicitly requires penetration testing, and SOX, HIPAA and GLBA require security controls whose effectiveness must be demonstrated and periodically evaluated. Not only does penetration testing help you maintain compliance and avoid negligence, it also makes sense for the overall stability of your organization and the financial safety of your customers.
-Tom Kellermann, VP of Security Awareness