How Often Should my Institution Get a Penetration Test?

Note from the Editor: This blog is the final installment of an 8-part blog series entitled, “Everything you need to know about an External Penetration Test.” To read the series from the beginning, please start at “What is an External Penetration Test?”

There is no single right answer to this question. We recommend an annual security assessment that includes penetration testing, and there are also actions you can take throughout the year to help secure your institution. Several factors should shape your schedule.

Penetration Test Frequency Drivers

Compliance 

Each compliance driver comes with its own timing requirement. For instance, PCI requires annual penetration testing and quarterly vulnerability scanning. You or your compliance team should thoroughly review your compliance requirements to make sure your current testing schedule matches them.

Organizational Drivers 

Many events within the organization can create the need for a penetration test. For example, if you completed your required annual penetration test and then went through an architectural overhaul three months later, we would highly recommend getting another penetration test, because the tested environment no longer matches the one in production. Or you may have trustees who want to see documentation that you are performing security testing on an ongoing basis.

Feasibility 

In a perfect world, we would be able to conduct security assessments constantly, seeking out and detecting vulnerabilities in real time. This just isn’t possible due to time, scheduling, and budgetary constraints. You need to determine, given the resources you have and your security budget, how often a penetration test makes sense for your organization. It’s important to take into account how long it takes your security and IT teams to address the findings from previous assessments; a new test scheduled before the last set of findings has been remediated will largely report the same issues.

Since constant penetration testing is most likely out of the question, there are a few things you can do between tests to keep monitoring your network and protecting your assets:

  1. Vulnerability Scanning – Scanning can be run far more frequently than a standard penetration test and helps identify and eradicate known vulnerabilities that could be lurking on your network. Quarterly scans are cost effective and clear out the “low-hanging fruit” that an attacker would otherwise find first.
  2. Security Awareness Training – As we have discussed previously, your external perimeter could be perfectly secure, but one employee clicking a malicious link undoes all of that. By keeping your employees engaged and security aware, you can help prevent your institution from falling victim to an attack.

While every institution is different, we recommend that your school lay out a strategic security plan. Using the factors above, that plan should include a security assessment schedule that helps you quantify your risks and informs how you allocate resources to other security tools and activities. At the end of the day, any penetration testing is better than none, and it will ultimately leave your higher education institution more secure than it otherwise would have been.

Schedule a call today to get started with an external penetration test for your higher ed institution.

About the Author:

Kyle Bork is the Director of Business Development for SIG Cyber. He has a background in technical project management and customer service. Kyle has a BA in finance from the University of North Carolina at Wilmington.
