Questions that were ignored in many companies until recently are now being asked much more often and responsible managers are becoming more interested in the issue. One of the reasons is Russia’s war against Ukraine.
“Management is becoming more interested in penetration testing, even if they are not victims of attacks themselves,” confirms Josef Havel, senior security analyst at IT company Integra EMEA. He adds that asking about the meaningfulness of testing is similar to taking care of one’s own health. “If a person has a good lifestyle – securing the company’s IT infrastructure, plus they play sports – they test information technology, and often they will never know if a virus or bacteria attacked them because the disease had no chance to manifest itself,” he gives an example.
The specific cost of a penetration test depends on each company’s needs. But model examples can be given. A typical assignment for a company with 50-250 employees looks something like this: an infrastructure penetration test (8 mandays, i.e. CZK 100k), two custom-developed web applications, one of which is an internal information system (10 MD, CZK 125k) and the other is a smaller one used by clients (5 MD, CZK 62.5k), plus a phishing test twice a year, i.e. twice three mandays for CZK 75k. The total amount is CZK 362.5 thousand, and the testing should be repeated every year.
“The real damage corresponds to at least the amount of the ransom, which means millions of crowns or more for the company,” Josef Havel answers the question whether such an investment is worthwhile. He adds that additional costs in the event of a hacker attack include the inability of the company to provide its services until the functionality of its information technology is restored and the departure of clients. Total damages thus always amount to units of up to tens of millions of crowns, not to mention the ruined reputation.
Even a pronounced “small” company should not underestimate pentests. “Even such a company can work with data worth hundreds of millions of crowns – for example, know-how, data on clients or the threat of possible sanctions,” says Integra’s expert.
Penetration testing basically examines three areas of corporate vulnerability: APIs and web or mobile applications, infrastructure and the cloud, and thirdly, weaknesses on the employee side examined by social engineering methods.