Tight Budgets, Small Staffs Hinder Penetration Tests

Although many IT managers expect a hacker attack this year, many simply can't afford to test their networks for the weak spots attackers seek out.

Sharon Gaudin, Contributor

March 23, 2007


Ninety-five percent of IT managers say there's a decent chance their networks will be successfully hacked this year, but a lack of money and manpower keeps many managers from testing their own perimeters, according to a new survey.

According to the study out of consulting company BT INS, the number of IT professionals expecting some kind of hacker attack rose from 2005, when 92% predicted trouble within the coming year. In response to this growing concern, 79% to 86% of IT managers reported that they did conduct penetration tests to protect their wired and wireless networks, the operating systems, and applications. But the tests are done with a widely varying degree of regularity.

Why aren't they doing the tests that could show them where the weaknesses lie in their safeguards more often?

Simple: Money.

Companies that annually spend less than $100,000 on security are far less likely to regularly conduct ethical hacks, reported BT INS. For example, only 14% of these companies conduct quarterly penetration tests, which also are called ethical hacks, on wired networks and applications, while 46% to 50% of companies that spend more than $1 million on security do so.

Following along the same line, 31% to 35% of companies with small security budgets never conduct ethical hacks, while 96% of companies with large security budgets do penetration tests.

The second biggest reason that penetration tests aren't done is that upper management doesn't see the value in them. Despite all the media attention around large break-ins and lost data, BT INS reported that managers' perception of the value of penetration testing actually has dropped since 2005. "Security professionals need to re-examine how they are presenting ethical hacking to management, perhaps with greater focus on business consequences," analysts wrote in the report.

The next biggest reason for bypassing ethical hacking is that IT just doesn't have the time, the money, or enough hands to fix the problems they might find.

"This 'excuse' is a bit like an ostrich sticking its head in the sand. Choosing not to know is a dangerous course to take," analysts reported. "Again, a head-in-the-sand approach won't cut the mustard when the CEO wants to know how customer data was stolen, or why the Web site was down for hours (or days) due to an attack. Better to know the problem -- and the cost of a fix -- than to plead ignorance."

BT INS also reported that one-fifth of respondents were concerned about the safety of the hack, and less than one in 10 was worried that the results of an ethical hack could be embarrassing.
