Retail arguably executes more financial transactions than any other industry. With that in mind, it is worth noting that the retail industry also accounts for 8% of all data breaches. It can feel nerve-racking to both work and shop in such a risk-dense environment. However, if you have the right security measures in place and stay aware of others' security breaches and of best practices, you may be able to breathe a bit easier.
In general, new vulnerabilities are being found faster than they are being remediated. So what are you doing to protect your business and customers? Encouraging your customers to pay in cash each time they enter your store is not the way to secure your business. All organizations subject to PCI compliance are required to pen-test their systems at least once each year. While this may be an industry-specific requirement, it is a good protocol for holding companies accountable for their security practices. Penetration testing helps identify the ways in which an attacker may attempt to exploit your network – before it actually happens.
Why You Have to Pen-Test Your Environment
Under Requirement 11 of the PCI-DSS compliance regulations, it is stated plainly that each entity has a duty to regularly test its security systems and processes. Vulnerabilities in your network are constantly being discovered by bad actors, so consistently testing the security controls in your organization is more important than ever in this ever-changing landscape. Let's dive a little deeper into the PCI compliance regulations concerning pen-testing by focusing on a couple of the sub-requirements.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network. ASVs are not required to perform internal scans.
Outside of your penetration test, vulnerability scans across your internal environment as well as any external networks should be performed – not just once, but quarterly. At first, this may seem like a nuisance, since it is a task that has to happen several times throughout the year. That feeling is sure to be fleeting, however, because knowing and understanding your security posture consistently throughout the year will provide far more peace of mind. Vulnerability scans not only help you identify and prioritize the risks in your network; they are also a measuring stick for showing your board or executive team the progress and value of your security team.
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification, including network- and application-layer penetration tests.
Testing your network at least once a year is something that can be scheduled routinely. What is harder is remembering to test again after a breach, and resisting the belief that you are untouchable by bad actors. Penetration testing allows you to mimic an attack by a bad actor in a controlled way – providing insights to your organization instead of destruction. Your vulnerability scans show you which vulnerabilities exist inside your network and, hopefully, which ones your team should prioritize for patching; penetration testing then verifies the effectiveness of the patch to ensure the vulnerability has actually been fixed. By testing these known vulnerabilities, you evaluate your network by safely exploiting the weak areas just as a bad actor would.
How Pen-Testing Protects You and Your Customers
Pen-testing gives you a clearer picture of what your environment looks like and how to strategically remediate your vulnerabilities. The goal is to get, or stay, ahead of bad actors by thinking like them. Routinely evaluating the security of your IT infrastructure with vulnerability scans and penetration tests keeps you aware of how well your environment is holding up against the threats you face.
Ensuring your network is protected will also help you in the long term. Doing your due diligence by pen-testing your organization allows you to avoid fines while meeting the PCI-DSS regulatory requirements. Additionally, if your organization were breached, you could face network downtime while your team works to remediate the situation. In the worst-case scenario, a breach would also leave you dealing with a potential negative change in how others perceive your business. Penetration testing can stop these issues before they happen by showing your team where to patch and how serious each vulnerability could be if exploited.
If you skip your pen-tests, or don't act on what they uncover in a timely fashion, you could be in more trouble than you thought. Yes, we encourage you to pen-test to meet regulatory mandates – but also to use it as a means to protect yourself, your vendors and your customers.