Every day, the media relays a new story about a cybersecurity breach, ransomware attack or phishing scam costing businesses millions of dollars and hard-earned credibility. Cyber threats and criminal tactics are constantly changing, making it difficult for businesses to stay ahead.
Fortunately, there are solutions that help companies protect against threats and take action before damage can be done. Robust security software is a must for any company, but the evolving nature of cybersecurity threats calls for an extra layer of safeguards, namely vulnerability scans and penetration testing (pen tests).
What Are They?
Vulnerability scans and penetration tests are proactive solutions that help pinpoint cybersecurity problems and empower companies to take steps to protect their business IT … and their bottom line.
Vulnerability Scans – Routine automated scans that search for weak points in a business’s network that cybercriminals could exploit. The process runs instantaneously and provides real-time insight into potential flaws and cybersecurity risks.
Penetration Test – A manual security test in which technology experts attempt to break into a business’s computer network to find vulnerabilities. The test mimics a real attack to determine whether a cybercriminal could penetrate the network and cause damage. Because pen testers start with no prior access to passwords or the company’s network, they can expose issues beyond the scope of vulnerability scans.
Vulnerability Scans vs. Penetration Testing
| Feature | Vulnerability Scan | Penetration Test |
| --- | --- | --- |
| Frequency | Ongoing, continuous scanning | Moment in time, typically every 1 to 3 years |
| Scope | Scans the network for vulnerabilities | Deeper scan/test that attempts to trick users or break into the network by any means available |
| Cost | A monthly, ongoing cost, typically based on the number of IPs the company uses (e.g., $1,000/month for 200 internal IPs and 1 external IP) | One-time fee with higher cost (e.g., $30,000+ per test) |
| Access Level | The security solution is integrated with the company’s network, providing access to conduct ongoing scans | No prior access; testers must find a way to hack into the system |
| Execution | Can be done by the MSP (managed service provider) the company already works with | Should be done by a third-party, independent group |
| Reporting | Real-time information and alerts, quarterly reports | Report after the test is completed |
| Purpose | Ongoing monitoring, real-time feedback on security issues and improvements | Deep-dive audit; identifies vulnerabilities at a specific point in time |
| Regulatory Status | Not always regulated or required, but starting to be asked for in some compliance standards (e.g., CMMC) and insurance policies | Typically required by auditors, especially in health care and finance |
What Should Companies Do?
Ideally, both. Penetration tests and vulnerability scans can work together to provide a robust layer of protection for businesses.
“Pen tests poke holes in your network at a specific point in time,” said Chris Miller, ATB vice president of sales and marketing. “A pen test is like a deep-dive audit, while a vulnerability scan is more like reconciling the books each month.”
In reality, many companies go three to five years without a pen test because of the expense, or never conduct one at all.
“A lot can change security-wise in that time frame,” Miller said. “Ongoing vulnerability scans can help mitigate risks in between pen testing.”
Ready to strengthen your cybersecurity? At ATB Technologies, we help SMBs find and deploy cybersecurity solutions to protect against theft, damage and downtime. Our team of IT experts can help evaluate your cybersecurity posture and find solutions that make sense for you. 👉 Schedule a free consultation today at atb-tech.com/contact-us to find out more.