How to get stakeholder ‘buy in’ for regular penetration testing


Yet another massive breach was confirmed last week, after 2.2 million patient and employee private records at cancer treatment provider 21st Century Oncology Holdings were found to be accessible to unauthorized third parties.

Patients’ names, Social Security numbers, physicians’ names, diagnoses and treatment information, as well as insurance records could now all be in the clutches of unauthorized individuals. Ouch.

The FBI made the organization aware of the breach back in November 2015, but reportedly requested that the breach be kept quiet “until an investigation into the incident was complete”.

Think of all the additional work this breach must require from this organization: alerting and reassuring patients and employees, fielding difficult press questions, working with the authorities to nab the fraudsters, forking out unplanned budget to sanitize the network, etc etc etc.

On top of all that, it is probably a safe bet to say this breach (and the legal requirement to disclose it publicly) contributed to 21st Century Oncology withdrawing its $100 million IPO in early January.

And sadly, this is not the first security breach that 21st Century Oncology suffered. Back in 2013, the company was reportedly the victim of an insider job, allegedly linked to a tax refund fraud scheme.

This has all the hallmarks of a security nightmare, one that might have been avoided had the health care corporation undertaken regular penetration tests.

“At TBG we are often asked to perform penetration tests against our customers,” explains TBG Security’s Senior Security Engineer, Ryan Hays. “We employ the same tactics, techniques, and procedures employed by real-world attackers to reveal flaws that could lead to wide-scale data leakage, such as what we see in the 21st Century Oncology case. The job is to uncover all the security flaws before the bad guys do.”

We recently discussed the value of a penetration test (see Penetration testing: Don’t caught with your pants down).

Once an organization has completed one round of penetration tests to identify vulnerabilities that pose an unacceptable level of risk, budget holders might think the job is done and dusted and actually refuse to invest in regular testing.

But, as we all know, networks, technologies, and threats are not static. As they evolve, your risk level fluctuates. Stakeholders can only make an informed judgement call if they understand the risks.

Arguing for the need for regular penetration testing can be the bane of many a typical security administrator’s life. While some admins out there have stakeholder buy-in, many do not. They must beg and pray for the support needed to fund testing of the network on a set schedule.

Let’s put this another way. Remember this quote?

“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns – the ones we don’t know we don’t know… it is the latter category that tend to be the difficult ones.” Donald Rumsfeld, 2002

Penetration testing reveals both known unknowns and unknown unknowns, which is why this statement by the then US Secretary of Defense is perfectly applicable. It sums up why a company ought to consider regular penetration tests on its systems.

Now, most executives do not want to be bogged down in the technicalities. So talk their language and make a business case for regularly reviewing your security posture.

This would include things like cost-benefit analyses, high-level risk assessments, and liability concerns.

The senior executives and board members are the people who will ultimately be held responsible for not having appropriate security in place to protect the company’s assets. They may also face litigation from parties that trusted them to keep their private information private.

Regular penetration testing will allow for informed decision making when it comes to security. It exists to lower the exposure to security threats.

Ultimately, it is wise to learn from the mistakes of others. Let security horror stories, such as the nightmare that 21st Century Oncology has been dealing with since last November, serve the greater purpose of helping others better ensure their business continuity.

Want help building a strong case for regular penetration testing? Get in contact with us. We know this stuff inside out, pride ourselves on being no-nonsense, and will provide honest and accurate testing recommendations tailored specifically to your organization.
