
How Independent Third-Party Penetration Tests Are Critical To Protecting Your Organization’s Data And Reputation

2023 was another record year for new vulnerabilities, ransomware payments, and business email compromise. This is shocking because 2022 also saw these records broken, and even some prominent Columbus and Central Ohio organizations in our backyard got hit. Risk is increasing, and that trend is going to continue.

So, How Can You Keep One Of These Events From Happening To Your Organization?

Addressing vulnerabilities and improving cyber hygiene can prevent most breaches and security events.

However, addressing network vulnerabilities is a moving target that requires constant vigilance. In 2022, 26,448 vulnerabilities were reported in the software that runs the computers you use every day (a 31% increase). That's over 55 new vulnerabilities per day. It's a full-time job keeping up.

Today, many organizations use a three-pronged approach to reduce the risk of breach:

  1. They invest in an advanced security solution that includes multiple layers of protection like MFA, event log monitoring, advanced antivirus, password management, and a least-privilege model.
  2. They engage a third party, such as Affiliated, to review these vulnerabilities monthly or quarterly. Using a third party ensures the people responsible for patching and addressing the vulnerabilities are not inspecting their own work. (It's so difficult to proof your own work without missing something.)
  3. Finally, they ensure that their organization's employees are trained in cybersecurity self-defense, which involves steps users can take to protect themselves and their organization.

What Could A Third-Party Assessment Program Include?

  1. Quarterly Internal Penetration Test: Find out what an attacker will get to if a user clicks a malicious link. Did a user open a door allowing the attacker to access your organization's private data? Did your firewall settings change after a project that opened a new way for hackers to get in? Our internal penetration testing team uses the same attack vectors hackers use to test your network from the inside out.
  2. Monthly External Vulnerability Scan: Hackers are constantly looking for ways into networks like yours. Once they find a vulnerability, they exploit it using code that is often readily available and simple to use. Our team employs some of the same analysis methods hackers use to find chinks in your armor that could be used to break in. We are constantly evaluating new vulnerabilities. When we find one, we report it and follow up on it until it is addressed. Then, we validate it is addressed by performing a final analysis.
  3. Quarterly Internal Vulnerability Scan: What if a hacker gets into your network? Could they use vulnerabilities to become an administrator or move to other computers? Hackers are constantly finding new vulnerabilities to exploit after they enter the network. We provide a fresh set of eyes reviewing the internal vulnerabilities of your network.
  4. Quarterly Identification of Personally Identifiable Information: Are your employees making it easy for an attacker to perform identity theft or fraud using personal information from your employees, clients, or patients? Are they keeping information in places easy for an attacker to access? We hunt for Personally Identifiable Information and help you ensure it is locked away in vaults to reduce your exposure.
  5. Quarterly Administrative Group Analysis: Hackers aren't content to just infiltrate your network. One of the first things an attacker does when they get into a network is create accounts with administrative access. We audit these groups for changes and help your team make sure no one is an administrator who shouldn't be.
  6. Quarterly M365 Analysis: By default, one of your employees could mistakenly publish all your data online. Today, over 70% of data resides in the cloud. We provide the analysis to identify security misconfigurations that lead to breaches and offer steps that can be taken to keep users from sharing your data by mistake.

Contact us here or at 614-495-9658 to learn more about the benefits and process of our independent system reviews or the types of reports we produce for our clients.