Pen testing is a common type of cybersecurity exercise companies can use to help find and fix vulnerabilities and even train their workers. Think of it like a “pop quiz” for your business, testing out whether you are as ready for a cybersecurity incident as you think you are. It lets you put your company, your cybersecurity protections and even your workforce to the test — but without putting your business, its assets or its reputation at risk.

Pen testing is a safe and secure way to find out whether you’re doing things right, or if there is room for improvement. Best of all, a pen test is designed to tell you what specific improvements need to be made, test their implementation and give your business further peace of mind that they’re working. Here’s what to know.

What Is Pen Testing?

Pen testing, short for penetration testing, is a controlled cybersecurity exercise where trained professionals are hired by a business to hack into that business’s own computer systems or network. The purpose is to identify weaknesses in a business’s cybersecurity, such as:

  • Poor password security practices
  • Outdated or unpatched software that can be exploited
  • Incorrect firewall settings or network configurations
  • Employee training or procedural weaknesses
  • Physical facility vulnerabilities

While this may sound like a strange thing to do, there’s a good reason many businesses employ such services. From an organization’s perspective, it’s far better to have a friendly hacker with good intentions find a cybersecurity vulnerability in your defenses — and tell you about it so that you can fix it — than to have the same vulnerability discovered by a malicious attacker with bad intentions.

Pen testing also has other benefits. The types of weaknesses discovered are often difficult to spot and fix using other methods. For example, an in-house IT expert may not think to try something an external hacker would. Additionally, even when settings, training and procedures are correctly specified, it can be hard for a business to know whether they were implemented properly. In some cases, certain high-risk businesses are even required to conduct periodic pen testing to comply with government data safety or privacy regulations.

Who Performs a Pen Test?

Pen testing is typically performed by trained cybersecurity professionals who come into the exercise with little to no prior knowledge of the company or its systems. This “outsider” position mimics the situation of a real hacker, who usually starts off knowing little about the company they intend to hack. It’s also useful for exposing blind spots that may have been missed by the developers who built the company’s systems.

The professional background of pen testers can vary. Some have advanced degrees in technology fields; others are self-taught. In some cases, this type of ethical hacking can actually be performed by reformed and rehabilitated criminal hackers, who now use their expertise to help companies fix their security vulnerabilities rather than exploit them. In all cases, it’s important for a business to only work with experienced and vetted pen testing professionals to ensure a useful and safe test.

How Do Pen Tests Work?

Pen tests can be carried out a few different ways. There are:

  • Open-box pen tests, where the pen tester is provided some starter information about the company’s security and systems upfront.
  • Closed-box pen tests, also called single-blind tests, where the pen tester starts out with no insider knowledge beyond the name of the company.
  • Covert pen tests, also called double-blind tests, where the pen tester starts out with no upfront knowledge and most of the company’s own cybersecurity personnel will also be unaware the test is going to be carried out.
  • External pen tests, where the pen tester conducts the exercise remotely, either from far away or from a truck, van or office located nearby. Remote hacks like these are the most common type of real cyber attack.
  • Internal pen tests, where the pen tester conducting the exercise is provided access to the company’s own internal network. This type of test can be used to simulate an employee hacking the company’s system.

All such pen tests start out with some type of information gathering phase. Then specific software, hardware or social engineering tools are used by the pen tester to try to penetrate the client company’s defenses. Often, the client company is looking to test the vulnerability of specific aspects of their security, so guidelines and ground rules may be agreed to in advance for the pen tester to follow.

Some pen test scenarios can get very elaborate. An outside cybersecurity expert may try to gain physical access to a client’s business by posing as a delivery person or other outside contractor. In rare cases, some organizations have even agreed to stage a controlled after-hours break-in, the point in such cases usually being to plug small inconspicuous devices into the client’s computer network. However, physical access really isn’t necessary for an effective pen test. Most can be, and are, done completely remotely.

After a pen test is completed, the pen tester will share their findings with the client company. They will explain what vulnerabilities were found, what types of exploits were tried and how the company’s cybersecurity protections, safety procedures and team members performed. They will also make recommendations for technical upgrades and workforce education that can prevent similar hacks in the future. The pen test can even be run again in the future to verify that improvements were implemented properly and prevented the same exploit of the system.

How Can My Business Use Pen Testing?

Today’s businesses use a variety of pen testing solutions to evaluate and secure their systems. Most likely, your company doesn’t need the high level of pen testing used by large organizations, international banks and governments. Simpler solutions are available.

Since most cyber attacks start with a phishing email — an estimated 91% — it makes sense to focus your efforts here. Phishing pen tests are a simple and cost-effective option that provides fast feedback on attack vulnerability while also quickly educating your workforce on the most pressing cyber risks.

How Do Phishing Pen Tests Work?

Phishing pen tests are a type of open-box test, either run directly by your own internal IT department using special software or coordinated closely between your internal IT experts and an outside service provider.

These tests simulate real-world phishing emails, but without the danger of compromising your business or its computer systems. Here’s how it works. Employees will:

  • Discover the phishing pen test email in their inbox along with their regular email.
  • Be prompted to click a link or download an attachment, just like with a real phish.
  • Receive cyber risk awareness training when they interact with the pen test email.

There are a few reasons companies like these kinds of pen tests:

  • Harmless test emails – While the link or download may look like a phish, interacting with it won’t harm computers or the network.
  • Instant positive reinforcement – When an employee correctly identifies a pen testing email as a phish and reports it, they receive positive feedback right away inside their email inbox.
  • Opportunity for education – If an employee does fall for the test’s phish, they will receive a cyber education reminder offering guidance on how to identify phishing attempts and what to do when they discover one.

In short, the test is a simple, realistic drill that can greatly reduce risk. Research suggests that as few as 7% of employees can correctly identify and report a phishing attempt discovered in an office email. But with one year of training through a phishing pen testing program, awareness and reporting rates climb to an average of 60%, nearly 10x higher.

How to Run an Effective Phishing Pen Test Campaign?

Many organizations will develop their own phishing pen test campaigns themselves using special software. This means that the company’s own IT experts have a part in deciding what kinds of phishing emails to send the company’s employees. This can be helpful for understanding unique vulnerabilities as well as training.

An effective phishing pen test campaign usually has these elements:

Includes a few obvious phish

Emails with exaggerated misspellings that don’t make sense usually don’t trick most modern internet users, but it’s still good to include a few in a campaign. It builds awareness of the risk in the minds of employees while giving them easy wins when they correctly identify the phish. It can also identify employees who may need extra guidance if they are clicking on links in obviously risky emails.

Has phish modeled on real-world examples

It can be helpful when designing a phishing pen test to know what tactics and strategies real cybercriminals are using to trick email users. As a result, many IT experts start with resources like PhishTank to find examples of real-world phishing attempts. Realistic phishing test emails can then be modeled on the examples.

Creates phish customized to the recipients

The most effective phishing attempts out in the real world are customized with details that make the email appear realistic, believable and trustworthy to the intended recipient. When designing a pen test, the same idea holds true. A password reset email that mentions a piece of software the employee actually uses, or an invoice that mentions a real company vendor, is far more realistic.

Simulates a variety of phishing types

Real phishing emails aren’t all the same; they come in a variety of formats, with different types of content and calls to action. Some phish appear to come from a company leader or coworker, while others spoof clients, vendors and service providers. Some link to malicious websites while others include malicious file attachments. A good phishing pen test campaign can simulate a similar variety of phish, giving insight into what strengths and weaknesses the organization has.
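The campaign elements above only pay off if the results are scored per phish category, so that an organization can see where its weaknesses are and which employees clicked even the obvious phish. The following is an added example, not code from the article or from any particular phishing-simulation product; the event records and category labels are constructed for illustration.

```python
"""Score a simulated phishing campaign per template category (added example)."""
from collections import defaultdict

# Constructed sample campaign log: one record per employee per simulated email.
# "category" follows the campaign elements described in the article:
# obvious (easy win), realistic (modeled on real phish) and customized.
SAMPLE_EVENTS = [
    {"user": "alice", "category": "obvious", "clicked": False, "reported": True},
    {"user": "bob", "category": "obvious", "clicked": True, "reported": False},
    {"user": "carol", "category": "obvious", "clicked": False, "reported": False},
    {"user": "dave", "category": "obvious", "clicked": True, "reported": True},
    {"user": "alice", "category": "realistic", "clicked": False, "reported": True},
    {"user": "bob", "category": "realistic", "clicked": True, "reported": False},
    {"user": "carol", "category": "realistic", "clicked": True, "reported": False},
    {"user": "alice", "category": "customized", "clicked": True, "reported": False},
    {"user": "bob", "category": "customized", "clicked": True, "reported": False},
    {"user": "carol", "category": "customized", "clicked": False, "reported": True},
    {"user": "dave", "category": "customized", "clicked": True, "reported": False},
]


def score_campaign(events):
    """Return sent/clicked/reported counts and rates for each phish category.

    A user who clicked and then reported (dave, obvious) counts in both
    columns: the click is still a risk signal, the report is still good.
    """
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for event in events:
        bucket = totals[event["category"]]
        bucket["sent"] += 1
        bucket["clicked"] += int(event["clicked"])
        bucket["reported"] += int(event["reported"])
    for bucket in totals.values():
        bucket["click_rate"] = bucket["clicked"] / bucket["sent"]
        bucket["report_rate"] = bucket["reported"] / bucket["sent"]
    return dict(totals)


def needs_extra_guidance(events):
    """Employees who clicked an obvious phish, the article's signal for extra training."""
    return sorted({e["user"] for e in events if e["category"] == "obvious" and e["clicked"]})


if __name__ == "__main__":
    for category, stats in score_campaign(SAMPLE_EVENTS).items():
        print(f"{category:11s} click {stats['click_rate']:.0%}  report {stats['report_rate']:.0%}")
    print("extra guidance:", needs_extra_guidance(SAMPLE_EVENTS))
```

Running two campaigns, before and after a year of training, and comparing the `report_rate` per category is the repeat-test check the article describes for verifying that improvements took hold.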

Where to Go for More Cyber Risk Protection?

Pen testing is an interesting cyber safety tool that can give your business a unique insight into your vulnerabilities and opportunities for improvement. With the right approach, you can find and fix issues before a real hacker exploits them and prepare your workforce for real-world cyber challenges. Pen testing works best in combination with other cybersecurity strategies, including cyber insurance protection.

Because no cyber safety tool will prevent 100% of cyberattacks, hacks and data breaches, cyber insurance provides important risk management protection. Lockton Affinity’s CyberLock Defense leads the industry in its protection, with broad coverage and flexible limits tailored to suit the particular risks of your industry. Discover more benefits for your business today.

Visit CyberLockDefense.com or call us at (844) 868-7144 to get started.