Why Are You Still PenTesting?


Most asset managers are now aware of the term ‘Penetration Test’, or ‘PenTest’ as it’s referred to in IT circles. The SEC recommends you do it, and investor DDQs ask if you’ve done one, so most likely you do it. But why?

The simple answer is: if all of your data is in the cloud, a traditional network PenTest is probably not addressing your key data risk. So, have you tested to confirm that your cloud data is safe? If not, you should.

As companies migrated to remote work after COVID, they also moved more of their IT systems and confidential data to the cloud. A seldom discussed consequence of this trend is the reduced need for on-premises network PenTesting. In the old days, companies ran their own servers, data centers and complex infrastructure that needed to be tested. In the post-COVID working environment, that is no longer always the case.

If you are one of the many small to midsize companies that keeps all of its data in the cloud, you may be wasting your money on a traditional PenTest. Instead, think about repurposing that security spend on a ‘Cloud Security Assessment’, or CSA. A CSA is similar in intent to a traditional network PenTest, except that it focuses on the dozens, if not hundreds, of security-related settings you have in place with your cloud vendor(s), for example Microsoft 365, AWS and Google Workspace: who can sign in and from where, whether multi-factor authentication is enforced, how files can be shared outside the firm, and what is logged and retained. And, since that is now where all of your data is stored, it’s critical to make sure your cloud data is properly protected and backed up.

On backup, spoiler alert: the cloud vendors do not natively provide the long-term data backup the SEC’s recordkeeping rules require. For example, a file deleted from OneDrive or SharePoint in Microsoft 365 is only kept in the recycle bin for 93 days. If you delete something critical and realize the mistake on day 94, the data is gone for good, unless a retention policy or hold was already configured to cover it, which is itself one of the settings a CSA should confirm.
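To make the CSA idea concrete, here is an added example (not code from the original post or from any vendor) of the kind of automated check such an assessment runs: it reads a tenant's Conditional Access policies in the JSON shape Microsoft Graph returns from /identity/conditionalAccess/policies and asks whether MFA is enforced for everyone and whether legacy authentication is actually blocked (a report-only policy is a common false sense of security), then works out how long a deleted SharePoint or OneDrive file survives given the 93-day recycle bin and any retention policy. The sample policies and the simplified retention-policy records are constructed inline; the retention record shape is an assumption for illustration, not the real Purview export format.

```python
"""Added example: a few Cloud Security Assessment checks over tenant settings.

The Conditional Access records below follow the shape returned by the
Microsoft Graph endpoint /identity/conditionalAccess/policies.  The retention
records use an assumed, simplified shape (the real Purview export is richer).
All sample data is constructed for this example.
"""
from datetime import date, timedelta

RECYCLE_BIN_DAYS = 93  # SharePoint/OneDrive two-stage recycle bin window

# Constructed sample: two Conditional Access policies as Graph returns them.
CA_POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": ["break-glass-account-id"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        # Report-only: the policy is evaluated and logged but NOT enforced.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# Constructed sample in an assumed shape: one retention policy, mailboxes only.
RETENTION_POLICIES = [
    {"name": "Mailbox 7 years", "locations": ["Exchange"], "retainDays": 7 * 365},
]


def _enforced(policy):
    """Only state == 'enabled' enforces; report-only and disabled do not."""
    return policy.get("state") == "enabled"


def _covers_everyone(policy):
    users = policy["conditions"]["users"]
    apps = policy["conditions"]["applications"]
    return ("All" in users.get("includeUsers", [])
            and "All" in apps.get("includeApplications", []))


def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def mfa_required_for_all(policies):
    """True if an enforced policy requires MFA for all users and all apps.
    A small break-glass exclusion list is normal; excluded users are returned
    separately so the assessor can review them."""
    for p in policies:
        if _enforced(p) and _covers_everyone(p) and "mfa" in _controls(p):
            return True, p["conditions"]["users"].get("excludeUsers", [])
    return False, []


def legacy_auth_blocked(policies):
    """True if an enforced policy blocks the legacy client app types
    (Exchange ActiveSync and 'other', i.e. basic-auth clients)."""
    legacy = {"exchangeActiveSync", "other"}
    for p in policies:
        types = set(p["conditions"].get("clientAppTypes", []))
        if _enforced(p) and _covers_everyone(p) and legacy <= types and "block" in _controls(p):
            return True
    return False


def deleted_item_lifetime_days(retention, location):
    """Days a deleted item in `location` (e.g. 'SharePoint') remains recoverable:
    the recycle bin window, or a longer retention policy covering that workload."""
    covering = [r["retainDays"] for r in retention if location in r["locations"]]
    return max([RECYCLE_BIN_DAYS] + covering)


def recoverable_until(deleted_on, retention, location):
    """Last date on which an item deleted on `deleted_on` can still be restored."""
    return deleted_on + timedelta(days=deleted_item_lifetime_days(retention, location))


def run_assessment(ca_policies, retention):
    """Map each check to (passed, detail); this is the report a CSA would write up."""
    mfa_ok, excluded = mfa_required_for_all(ca_policies)
    sp_days = deleted_item_lifetime_days(retention, "SharePoint")
    return {
        "mfa_all_users": (mfa_ok, f"excluded users: {excluded}"),
        "legacy_auth_blocked": (legacy_auth_blocked(ca_policies), "report-only does not count"),
        "sharepoint_retention_beyond_recycle_bin": (sp_days > RECYCLE_BIN_DAYS, f"{sp_days} days"),
    }


if __name__ == "__main__":
    for check, (passed, detail) in run_assessment(CA_POLICIES, RETENTION_POLICIES).items():
        print(f"{'PASS' if passed else 'FAIL'}  {check}: {detail}")
```

Run against the constructed tenant, the MFA check passes but both the legacy-authentication check and the SharePoint retention check fail: the block policy exists but is report-only, and the only retention policy covers mailboxes, so a SharePoint file deleted on 1 January 2024 is unrecoverable after 3 April 2024. Those two findings are exactly what a settings review catches and a network PenTest never looks at.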