We’ve all seen the headlines about hackers stealing credit card data from online retailers and cyber attacks bringing down online service providers for 24 hours.

These headlines rattle corporate nerves. Are we at risk? Is our IT department doing something to avoid this? Has our IT outsourcing partner taken the necessary measures? Unfortunately, it often stops there as other urgent issues take precedence – this happens repeatedly until the company is forced to do something about it.

Small to medium-sized enterprises often think that they are under the radar and that they are too small to be attacked. Unfortunately, the opposite may be true. SMEs make ideal targets because, unlike most large companies, they tend to lack the proper infrastructure to protect themselves against cyber attacks. Moreover, cyber criminals attack not only companies in the business-to-consumer space but also SMEs that work with larger companies, using the smaller service providers as a route to reach the larger ones. Attackers expect that the smaller companies may be easier to penetrate.

Companies rely heavily on their computer systems to carry out their day-to-day business. A growing number of internal applications now use web-enabled technologies (back office applications, customer support applications), and the number of externally facing web-enabled systems is always increasing (online banking, online shops, client service platforms, online booking). Even where a company has a minimal online presence, the surge in web-related incidents and the resultant risks, such as reputational risks, mean that web application security should not be overlooked on any online presence.

Some companies enlist outside experts to assess their information security for potential problems, particularly if they want to test the safety of their networks. Such experts employ ethical hacking to penetrate a company’s network and pinpoint vulnerabilities, which could be anything from design flaws to weaknesses in administrative, physical or technical controls.

The malicious source of these attacks can be either external, such as a hacker connecting from outside the company’s network perimeter, or internal, such as a disgruntled employee wishing to sabotage the organisation’s IT system. Companies should not focus solely on carrying out external penetration tests but should also consider the execution of internal penetration tests to cater for internal threats.

In addition, penetration testing should not focus solely on the network layer. It has become increasingly common for attackers to initiate attacks through the application layer – hence the importance of conducting intrusion testing at the application layer as well, for example through a web application security assessment.

Used properly, penetration testing can act as a business enabler, for instance by providing a reasonable level of assurance to an organisation that intends to provide online services to its customers. It also ensures that compliance objectives are met and helps the organisation to secure its IT systems.

For more information on what the Key IT Group can do for you, call on 2010 3500 or e-mail services@key.com.mt
