We are here to help

Common Questions

Cybersecurity is a complex and changing landscape and for many business leaders it hasn't been front of mind until recently.  With headline news of cyber attacks becoming a daily occurrence, impacting business of all sizes, and forcing new regulatory requirements, business leaders must develop a mature information security program for their business.  Granite Peak is dedicated to helping you achieve that goal.  While there are many nuances to cybersecurity, the first step is understanding the basics.

Here are a few common questions and answers to get you started.

A true penetration test involves highly skilled good guy “hackers”, attempting to break into your networks and computer systems, mimicking the tools and techniques used by real-world attackers.  We provide this service by doing deep reconnaissance against your business and computer systems, and then leveraging software bugs, misconfigurations, and human weaknesses to see how far we can advance into your network to take control of systems or steal confidential data.  We will then summarize our findings and provide practical recommendations on how you might go about fixing the issues before they are exploited by bad guys.

A properly executed penetration test is a key component of a mature cybersecurity program.  Many insurance providers, customers, and regulatory compliance frameworks require frequent recurring penetration testing.  Mature security programs conduct penetration tests at least annually.

Unfortunately, there are cybersecurity services being marketed as penetration tests that include much less rigor.  It's important to understand what your vendor is actually providing.  We often see “penetration test” reports from other security vendors that are little more than basic automated vulnerability scans and canned reports.  The customer believes they are getting a thorough test, but in reality very little has been done to identify the problem areas that real attackers will target, leaving the customer unprepared and with a false sense of security.

There are many excellent tools that will help protect your business including anti-malware, EDR, firewalls, intrusion detection, mail filters, web filters, multi-factor authentication systems, and many more.  Despite the marketing claims of many software companies, simply buying a new security tool is not a solid approach to improving cybersecurity.  Instead, you must develop an overall information security program that identifies the risks specific to your business, the impact that might occur if different areas of your business were attacked, and the budget you have to work with.  With this information you can begin to add the most appropriate tools, processes, and professionals that will actually have the most impact, improving the security of your business and reducing the likelihood of a high-impact incident.

We can help walk you through the process of building and managing an information security program that is custom-fit to your business needs.

Designing and managing a cybersecurity program can be an overwhelming task.  Attackers evolve their tactics quickly, requiring ongoing education and training to know how to best protect critical data. Technical skills fade quickly and new tools and techniques are constantly being developed. New privacy and data breach laws are being implemented around the world.  Industry frameworks and compliance reporting rules change every few months.  Auditors change their focus and expectations without warning.  All of this combined can leave the average business poorly prepared, confused, and frustrated if they do not have an experienced cybersecurity leader providing direction.

Unfortunately, talented cybersecurity management (usually referred to as a CISO, or Chief Information Security Officer) is in short supply and can be extremely expensive to attract and retain.  Technical information security analysts can (and should) be hired to operate tools and provide employee support, but they often lack the experience or knowledge to design and manage the overarching security program.  This can leave many businesses in a very awkward position of desiring to build an effective and maturing information security program, but without anybody who has the skills and experience to execute.

We offer fractional/contracted CISO services to fill this gap.  With our extensive experience building, executing, and improving information security programs for companies of many sizes across many industries, we can provide your company with the leadership and direction you desire without the financial burden of a full-time CISO’s executive salary.  We help identify the risks and priorities for your business, design a program and controls that best support your goals, and provide your IT analysts and managers with the guidance and direction needed to keep your cybersecurity program moving forward and maturing.

There are many cybersecurity laws and requirements that might apply to your business and new ones are being drafted regularly.  Their relevance will depend upon the locations where you and your customers are located, the type of transactions you are involved in, and the size and legal structure of your business.  Here is a basic summary of common regulatory requirements and frameworks:

  • GDPR – The General Data Protection Regulation primarily applies to businesses that process personal data of individuals in the European Union, regardless of where the business is located, including those operating in the United States. U.S. businesses that offer goods or services to EU residents or monitor their behavior must comply with GDPR. Key requirements include obtaining explicit consent for data collection, ensuring data protection by design, allowing individuals to access and control their data, and reporting data breaches within 72 hours. Non-compliance can result in significant penalties, with fines up to €20 million or 4% of global annual revenue, whichever is higher. https://gdpr-info.eu/
  • CCPA – The California Consumer Privacy Act applies to for-profit businesses operating in the U.S. that meet certain thresholds (e.g., annual gross revenues over $25 million, handling data of 100,000 or more California residents, or deriving 50% or more of annual revenue from selling personal information). Key requirements include providing consumers with the right to know what personal data is collected, the right to opt-out of the sale of their data, the right to request deletion of data, and protections against discrimination for exercising these rights. Non-compliance can lead to civil penalties, with fines of up to $7,500 per intentional violation and $2,500 per unintentional violation, plus private lawsuits for certain data breaches. https://oag.ca.gov/privacy/ccpa
  • SOX – The Sarbanes-Oxley Act applies to businesses with publicly traded stock, private businesses preparing to go public, and accounting firms that audit publicly traded companies.  The spirit of SOX is to protect shareholders by ensuring that the financial reports of these public companies are timely and accurate.  SOX has a wide-reaching and significant impact on the accounting and financial reporting procedures of the affected companies.  Because virtually all financial systems run on computer software, those applications, the underlying computer systems, and their supporting network systems all fall under SOX requirements as well.  This places a large burden on the IT departments of publicly traded companies, requiring stringent IT security controls with substantial record keeping and internal audit evidence to prove that the systems are protected and operating as expected.  SOX companies undergo external audits to certify their financial statements, and these audits include extensive review of relevant IT system control design and execution.  SOX auditors have some latitude and can vary in what they focus on or how deep they dig in any given audit.  These focus areas change over time, often with little or no warning, leaving IT analysts and managers feeling unprepared and frustrated.  Penalties for SOX violations vary, with the most severe being $5 million fines and 20-year jail terms for executives who falsely certify known deficiencies. https://www.congress.gov/bill/107th-congress/house-bill/3763
  • PCI-DSS – The Payment Card Industry Data Security Standard applies to businesses that process, store, or transmit credit card information in the U.S. Its key requirements include maintaining a secure network with firewalls, encrypting stored cardholder data, implementing strong access control measures, regularly monitoring and testing networks, and developing an information security policy. Businesses must ensure the protection of cardholder data and perform regular security assessments. Non-compliance can result in significant penalties, including fines ranging from $5,000 to $100,000 per month, legal liabilities, increased transaction fees, and the potential loss of credit card processing privileges, which could harm a business’s ability to operate.  https://www.pcisecuritystandards.org/
  • HIPAA – The Health Insurance Portability and Accountability Act requires businesses handling protected health information (PHI), including healthcare providers, insurers, and their service partners, to implement strict IT security measures. These include administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI. Key IT requirements include encrypting electronic PHI (ePHI), controlling access through authentication and authorization, monitoring and auditing access to PHI, implementing secure data transmission protocols, and ensuring secure backup and recovery processes. Failure to comply with HIPAA can lead to severe penalties, including fines ranging from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million, and potential criminal charges that can result in imprisonment for willful negligence. https://www.hhs.gov/hipaa/index.html
  • SOC – System and Organization Controls (SOC) reporting is a set of standards developed by the American Institute of CPAs (AICPA) to assess and report on the internal controls of service organizations, particularly regarding data security, confidentiality, and privacy. For most businesses in the U.S., SOC reports are essential to demonstrate compliance and trust in handling sensitive data. SOC 2 reports require businesses to implement strong controls over data protection, regular monitoring, and comprehensive incident response procedures. While SOC reports are not legally mandated, failure to meet client expectations for security controls or non-compliance with contractual obligations can result in reputational damage, loss of business, or contractual penalties.  https://www.aicpa-cima.com/resources/landing/system-and-organization-controls-soc-suite-of-services
  • ISO 27001 – An international standard for information security management, designed to help businesses establish, implement, maintain, and continually improve an Information Security Management System (ISMS). Its purpose is to ensure organizations systematically manage sensitive information, addressing risks to the confidentiality, integrity, and availability of data. Key requirements include conducting risk assessments, implementing security controls, ensuring compliance with legal and regulatory requirements, monitoring and reviewing the ISMS regularly, and continually improving it. While ISO 27001 certification is not legally mandated in the U.S., it is often required by clients and partners to demonstrate commitment to information security. Non-compliance does not carry legal penalties, but failure to maintain an ISMS may result in reputational damage, loss of contracts, and increased vulnerability to data breaches, which can lead to financial losses and regulatory fines under other legal frameworks like GDPR or HIPAA.

Do you have other questions?

Let us know how we can help you.
