Based on our company's experience over the past two decades, we can confirm that the cost of pen testing is always less than the cost of NOT doing pen testing.
53% of IT and cybersecurity decision-makers say breaches cost them more than $1 million in lost revenue, fines, and other expenses in 2023. This is up from 48% in 2022 and 38% in 2021.
Many of these breaches could have been avoided through penetration testing, which surfaces issues such as:
- A simple SQL injection vulnerability, of the kind a penetration test would pick up, exposing millions of records.
- Overlooked or overly broad access permissions leaking sensitive data.
Compared to the massive reputational and financial damage a data breach can create, the cost of a quality penetration testing engagement, which will typically be a few thousand pounds for a single application, is an extremely good value investment.
Here are some of the reasons why the cost of NOT doing penetration testing is always higher than the cost of penetration testing.
Reputational Damage
Penetration testing is a part of basic security hygiene. Consumers, clients and, increasingly, regulators expect businesses to test their IT systems against intrusion.
Companies that fail to test their systems and then suffer a breach will face increased reputational and business damage, whether or not the lack of testing caused the breach.
In a recent report, 75% of consumers said they would be ready to cut ties with a brand that experienced a security incident.
If your organisation is considering whether pen testing is a worthwhile investment, it almost certainly is.
Overlooked Exploitation Pathways
You cannot afford to ignore the kind of exploitation pathways that penetration testing uncovers.
Even if an application or website is developed following Secure Software Development Lifecycle (S-SDLC) practices, vulnerabilities and exploitation pathways not envisioned during development might still exist.
Some of these pathways might start with seemingly low-risk vulnerabilities that, when chained together, unlock a path to serious compromise.
For example, imagine a banking web application whose login mechanism appears hard to break, at least at first glance.
The login mechanism for the application happens in three steps:
Step 1: The user enters their username.
Step 2: They then enter their password.
Step 3: They enter a 4-digit code sent to their mobile phone.
A valid attack path by chaining lower-risk vulnerabilities could be:
- The application discloses whether a username exists or not when the login fails. This allows us to enumerate valid usernames for step 1.
- The application has a business logic flaw that allows us to skip step 2 completely. We can enter the username and try to authenticate using only the 4-digit code without ever entering a password.
- The application has no rate limiting or lock-out policy, so we can brute-force all 10,000 possible 4-digit codes, which takes seconds to minutes.
An attacker could follow a path like this into any bank account for which they can deduce a valid username, which is relatively easy to do. None of the three issues is critical on its own, and each might be rated low or informational if reported in isolation; the severity comes from the chain. Finding it relies on the creativity and expertise of human testers and would not be flagged by a vulnerability scan: scanners, including AI-assisted ones, test for individual known issues and do not reason about how separate weaknesses combine across a workflow.
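The chain above, as an added simulation that is not code from the original article: `VulnerableLogin` models the three-step flow with the three weaknesses described (username disclosure, a step-3 check that does not require step 2 to have succeeded, and no lock-out), `attack()` chains them the way a tester would, and `HardenedLogin` closes each one so the same attack fails while a legitimate login still works. The account names, passwords, SMS codes and candidate usernames are constructed for the example, and the code a user receives is fixed per account rather than generated per login, which is a simplification of a real OTP.

```python
"""Constructed model of a three-step login (username, password, SMS code)."""

# Constructed sample accounts (hypothetical users, passwords and codes).
ACCOUNTS = {
    "alice": {"password": "correct horse battery", "code": "4921"},
    "bob": {"password": "hunter2", "code": "0007"},
}
# Constructed username wordlist an attacker might try.
CANDIDATES = ["admin", "alice", "bob", "carol"]

MAX_CODE_ATTEMPTS = 5  # per-account lock-out threshold used by HardenedLogin


class VulnerableLogin:
    """Three-step login with the three chained flaws from the text."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.sessions = {}  # session id -> {"user": ..., "stage": ...}

    def step1_username(self, sid, username):
        if username not in self.accounts:
            return "unknown username"  # flaw 1: distinct message reveals valid users
        self.sessions[sid] = {"user": username, "stage": 1}
        return "ok"

    def step2_password(self, sid, password):
        s = self.sessions.get(sid)
        if s is None or s["stage"] != 1:
            return "invalid request"
        if self.accounts[s["user"]]["password"] != password:
            return "wrong password"
        s["stage"] = 2
        return "ok"

    def step3_code(self, sid, code):
        s = self.sessions.get(sid)
        # flaw 2: only checks that step 1 happened, not that step 2 succeeded
        if s is None or s["stage"] < 1:
            return "invalid request"
        if self.accounts[s["user"]]["code"] == code:
            return "authenticated"
        return "wrong code"  # flaw 3: unlimited attempts, no lock-out


class HardenedLogin(VulnerableLogin):
    """Same flow with generic errors, strict stage checks and per-account lock-out."""

    def __init__(self, accounts):
        super().__init__(accounts)
        self.failed_codes = {}  # username -> consecutive failed code attempts

    def step1_username(self, sid, username):
        # Accept any username and answer identically; existence is only
        # checked together with the password, so step 1 leaks nothing.
        self.sessions[sid] = {"user": username, "stage": 1}
        return "ok"

    def step2_password(self, sid, password):
        s = self.sessions.get(sid)
        if s is None or s["stage"] != 1:
            return "invalid request"
        account = self.accounts.get(s["user"])
        if account is None or account["password"] != password:
            return "invalid credentials"  # same message for unknown user and bad password
        s["stage"] = 2
        return "ok"

    def step3_code(self, sid, code):
        s = self.sessions.get(sid)
        if s is None or s["stage"] != 2:  # step 2 must have succeeded
            return "invalid request"
        user = s["user"]
        if self.failed_codes.get(user, 0) >= MAX_CODE_ATTEMPTS:
            return "locked"  # keyed on the account, so a fresh session does not reset it
        if self.accounts[user]["code"] == code:
            self.failed_codes[user] = 0
            return "authenticated"
        self.failed_codes[user] = self.failed_codes.get(user, 0) + 1
        return "invalid credentials"


def attack(login, candidates):
    """Chain the flaws: enumerate users, skip the password, brute-force the code.
    Returns {username: recovered code} for every account taken over."""
    valid = [u for u in candidates if login.step1_username(f"enum-{u}", u) == "ok"]
    owned = {}
    for user in valid:
        sid = f"attack-{user}"
        login.step1_username(sid, user)
        for n in range(10_000):  # go straight to step 3 and try every 4-digit code
            reply = login.step3_code(sid, f"{n:04d}")
            if reply == "authenticated":
                owned[user] = f"{n:04d}"
                break
            if reply in ("invalid request", "locked"):
                break  # step-skip refused or account locked: the chain is broken
    return owned


def legitimate_login(login, user, password, code, sid="legit"):
    """The intended three-step flow, used to confirm the hardened version still works."""
    if login.step1_username(sid, user) != "ok":
        return "failed"
    if login.step2_password(sid, password) != "ok":
        return "failed"
    return login.step3_code(sid, code)


if __name__ == "__main__":
    print("vulnerable:", attack(VulnerableLogin(ACCOUNTS), CANDIDATES))
    print("hardened:  ", attack(HardenedLogin(ACCOUNTS), CANDIDATES))
```

Against `VulnerableLogin` the attack recovers both accounts without ever touching a password; against `HardenedLogin` it recovers nothing, because step 1 no longer distinguishes real users, step 3 refuses a session that has not passed step 2, and even a correct password gives only five guesses before the account locks. A scanner probing each endpoint on its own would report, at most, a verbose error message; the account takeover only appears when the three are put together.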
Pen testers find these unexpected user paths and try to break into an application by abusing them. Working through applications in layers, testing infrastructure and then functionality, testers join the dots between seemingly unrelated vulnerabilities, unexpected pathways and complex exploits that are easily overlooked without a penetration test.
Testing your security controls against realistic exploitation paths is one of the few ways to confirm that your security posture is actually adequate.
Compliance Failures
Penetration testing is one of the most effective ways to reduce the risk of compliance failures.
Some regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS) and the Digital Operational Resilience Act (DORA), which applies from 17 January 2025, include penetration testing (in DORA's case, threat-led penetration testing for the financial entities it designates) as a prescriptive requirement.
However, even when penetration testing is not a strict requirement for compliance, it can still aid compliance with regulatory frameworks such as the General Data Protection Regulation (GDPR).
42% of IT and security professionals say that vulnerabilities which must be patched for compliance are of high urgency. Penetration testing also exercises patch management: systems missing patches show up as exploitable findings rather than as lines in a scan report.
Penetration testing makes a business less likely to:
- Expose employee or customer data that would be protected under GDPR.
- Create systemic risk in its sector, as addressed by regulations like DORA.
- Become a source of supply chain compromise.
Fines are only the tip of the iceberg when it comes to the damage that a breach, following a failure to test your security systems, will do.
How Much to Spend on Penetration Testing
If you follow the guidelines of the Center for Internet Security (CIS), you might want to dedicate 5% of your organisation's budget to IT and 20% of that spending to security.
However, this estimate, like other IT spending estimates, is highly variable.
So, how much should you spend on a security assurance program, including penetration testing?
Contact us for an accurate assessment of your security testing needs. We are a CREST-approved penetration testing company that offers advice on sizing penetration testing budgets as part of our security testing assurance service.