CYBER RISKS & LIABILITIES – Penetration Testing Explained


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?


Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others. Penetration testing is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way. This helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. In most cases, the IT professional won’t even be permitted to enter the organization’s physical establishment during external penetration testing. Rather, they must execute the cyberattack remotely—often from a vehicle or building nearby—to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective. This form of testing can help the organization understand the amount of damage that an aggrieved employee could potentially inflict through a cyberattack. 

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation will determine the penetration test type. Specifically:

  • An open-box test occurs when the IT expert is given some details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.


Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses—as well as reveal the true costs of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard calls for organizations that accept or process payment transactions to execute routine penetration tests. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
      • What is my organization looking to gain or better understand from penetration testing?
      • Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
      • What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
      • The general testing timeframe
      • Who will be made aware of the test
      • The test type and format
      • Which regulatory requirements (if any) must be satisfied through the test
      • The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.

If you are a Risk Manager or Principal of a PEO and want to learn how you could help protect your client company’s interests through our affordable Master Cyber Liability program, email James Buscarini (FL License #A036520) at jbuscarini@libertateins.com to find out more. The Master Cyber program is written through Axis, an A-rated carrier, with 250K in coverage, no underwriting, and a revenue generator!

10 Workplace Safety Considerations for Small Business Owners


Content utilized to create this post was from Forbes Magazine’s Human Resources Council (including Megan Leasher, Nicole Smartt Serres, Sameer Penakalapati, Tracy Cote, Chris Stanzione, Subhashree Chaudhuri, Courtney Peterson, Tina R. Walker, Kristin Fowler & Madhukar Govindaraju).

The vaccines have arrived and the numbers are trending up, down and all around depending on what network you’re watching and who you are speaking with. The fact is that small, midsize and enterprise-level businesses are considering what approach they should take for getting their staff back to work in an office environment. The majority of small and mid-sized employers are looking at using a blended approach, meaning they plan on implementing more work-from-home flexibility with their existing in-office staff. 59% of those that are working from home support a work schedule that allows working from the office and at home. We wanted to provide 10 impactful considerations for employers as they forge forward.

TEN WAYS TO CREATE A SAFE WORK ENVIRONMENT

1. There is no one-size-fits-all approach

Have a plan that fits your cultural goals and direction. Your plan should be a blend of meeting all safety & risk management guidelines from a legal perspective along with proper consideration for what the organization and its people need.

2. Communication is not a one-way street

Involve trusted staff to carry the message of your risk & safety policies. Encourage employee participation in the development process. When your employees feel that their input is valued, your office will be engaged in carrying your message. Design the process to be sustainable at all levels of your organization.

3. Proper work-life balance impacts mental health

Employees may be asked to get used to another new normal. Whether that means coming back into the office on a more regular basis or permanently, try to remember that, by and large, employee mental wellness suffered throughout the pandemic. As you take steps to protect the safety and health of your workforce, do not overlook mental health and wellness. Everybody has unique circumstances that may adversely impact their mental well-being, so small adjustments like extending flexible work hours can go a long way toward employee satisfaction.

4. Play by the same set of rules – that means everybody

It is easy to become disregardful of even the most sensible guidelines that have been established for the greater good of the group. Common-sense guidelines supported by your state or OSHA need to be followed by everybody. Consistency is key to making the message resonate. Send out reminders as often as necessary and echo your message firmly. Somebody who refuses to abide by clearly defined rules may need to be sent home. Be relentless about making sure everybody is playing by the same set of rules.

5. Be mindful of each other’s responsibilities

Small to mid-sized businesses need to be aware of risk and safety management responsibilities and the varying degrees to which the employer and the employee are responsible for them. When it comes to providing a safe working environment, provide safety options, consider alternative ways of doing a job safely, and engage employees in a mutually agreeable way. Remaining open-minded and reserving judgement is crucial as well.


6. Tap into available consultative and training resources

Shameless self-promotion is coming in five, four, three, two and one: do you have access to safety and health resources through an agency, consultant or expert… such as Libertate Insurance, for example? Inquire about the voluminous resources that your reliable partners possess when it comes to evolving environments, laws and compliance requirements! Leverage your partnerships, especially those involved in your firm’s best interest, and you will be amazed at what “we”, I mean they, will be able to help you with.

7. Put safety policies front and center

Do you remind employees about the ongoing safety and mask campaign? Chances are safety policies are not necessarily the primary thought running through your employees’ minds while racing from desk to printer and back. Your firm’s culture needs to foster regular engagement to the point that it becomes second nature. Emotional intelligence goes a long way in the delivery of your message. Remind employees of the care and concern leadership has for their well-being; it will be appreciated.

8. Make health and safety part of your organization’s culture

It is everyone’s responsibility to protect each other and minimize risks. When you see something, say something. Avoid expecting somebody else to see and say something. Every member of the organization can play an active role and should.

9. Do they understand your expectations?

If you create a health and safety culture with team members that own the message, and every member of the organization is singing the same safety tune, you have won the expectation battle. Do not allow the loose ends or the uninformed to be the squeaky wheel. Be consistent, be vigilant and be clear about what is expected.

10. Get creative about getting input from office and field staff

Companies have implemented daily check-ins, reporting processes and employee task forces to encourage information about risk and safety to flow in daily. Create a safety game, make sure managers are listening, and remember: one voice and one message. Make safety and risk management happen.

Challenges or opportunities for brokers placing cyber risk

Content used to write this post was originally written by NU Property Casualty 360’s Managing Editor, Ms. Heather A. Turner.

According to a Guidewire report, the numbers for cybercrime in 2020 have almost doubled! Alongside the increase in attacks and breaches are the related budgetary allocations being made by small to mid-sized businesses for cyber insurance over the next 2 years. Ramping up sturdy cyber tools in an effort to prevent cyberattacks is a necessary play in prevention for the ever-evolving cyber market, a battle being fought across the property and casualty landscape.


According to a report published by CyberCube, a data-driven cyber analytics company for the insurance industry, the growing cyber market is creating unique opportunities for brokers to set themselves apart from their competitors. By marrying their existing areas of expertise with their newfound and/or improved fundamental comprehension of insurable cyber risk and exposure, brokers can show and/or remind buyers and prospects alike why they are indispensable.

The following list was created by CyberCube to further explore examples of challenges and opportunities brokers face in the cyber market today.

Click here to read the detail following Opportunities 1-4, written by Heather A. Turner of NU Property Casualty 360. You must register for a free account.

  • Opportunity No. 1: Brokers are trusted advisors.
  • Opportunity No. 2: Brokers can add value by mapping exposure to coverages and policy terms.
  • Opportunity No. 3: Getting a “yes” from insurers.
  • Opportunity No. 4: Standalone cyber is just one aspect of a well-rounded insurance program.