Cyber protection — Why and how to “pen test” your systems

The global cost of cybercrime is expected to soar in coming years, and nonprofits are far from immune to the threat. The rising role of technology, especially in an age of increased remote work, leaves organizations of all kinds vulnerable to data-related crime.

You may take some comfort in the controls you’ve implemented, but will they actually hold up against future cyberintruders? Penetration (pen) testing can help you preempt intrusions and attacks by identifying weaknesses so you can proactively address them.

Need for testing

According to the Identity Theft Resource Center, more than 350 million people were victimized as a result of data breaches at nonprofits in 2023. That shouldn’t be a huge surprise. Many nonprofits lack the staff and other resources to establish and monitor cybersecurity measures that are required to protect sensitive data, such as banking passwords and donors’ credit card information. This makes nonprofits an appealing target for criminals.

Even if you have dedicated IT staffers, they simply can’t monitor every area of your organization that may pose a risk. Pen testing is designed to find vulnerabilities that might otherwise go unnoticed until a breach occurs. Further, cyberinsurance providers and other stakeholders are increasingly demanding such testing. Pen testing can help you demonstrate that your organization takes data security seriously.

Although pen testing can be expensive, the costs of a data breach could prove devastating for your organization. The IBM “Cost of a Data Breach Report 2023” found that the global average cost of a data breach in 2023 was $4.45 million, a 15% jump since 2020. Costs could include those related to:

  • Downtime,
  • Ransom demands,
  • Regulatory fines and penalties,
  • Litigation,
  • Forensic investigation,
  • Remedial measures, and
  • Crisis management.

Also, reputational damage could undermine your future support from funders, members and the general public.

Taking the test

Pen testing provides a comprehensive assessment of the effectiveness of your overall cybersecurity program and specific controls. It examines not only your technological vulnerabilities but also those related to your people, facilities, policies, processes and procedures. Testers can find gaps or misconfigured settings that criminals could leverage.

If you engage testers, they’ll replicate a third-party cyberattack, targeting your users, systems and network to attempt to gain unauthorized access to sensitive data. They generally start by scrutinizing your network and systems for potential openings and then try to exploit those openings to achieve unauthorized access. They then use tools and techniques real criminals might use to penetrate your organization’s defenses by, for example, trying to crack employee passwords or using social engineering methods such as phishing. They might focus on all of your networks and systems or just those that are public facing (for example, through your website or email). Their simulated attacks may be scheduled or unannounced.

Pen testing is often categorized by color. With white box testing, testers have full access to your systems and networks upfront, including login credentials, source code and architecture. White box testing can be more affordable, but it’s also less comprehensive than black box testing, where testers possess no advance knowledge. One of the downsides of black box testing is that testers who don’t penetrate external perimeters can’t test internal protections.

Grey box testing is a hybrid approach. Testers start with some understanding of your systems and networks, but don’t have full access. Grey box testing can be more realistic because hackers generally don’t go in blind. They’ve typically already obtained some information through online surveillance.

Make it routine

Pen testing is best done on a regular basis rather than as a one-off event. Technology is constantly evolving, as are cybercriminals’ schemes. Plan on having testing done at least annually, or more often if you’ve put new controls in place in response to a testing report.