What Are The Risks Associated With Not Performing Physical Penetration Testing?
Many companies assume that heavy-duty locks, security cameras, and an alarm system are enough to protect their facilities. What they don't consider are the information security risks from social engineering, phishing, weak authentication at entry points, and the other less obvious access paths attackers will target. A breach through any of these vectors will be expensive.
The real cost of not doing physical penetration testing can be high. Beyond the risk of a data breach caused by a lapse in physical security (for example, stolen laptops, stolen documents, or other asset losses), you should weigh the following additional costs when setting your overall security assessment budget.
- Fines and legal fees. If attackers breach your organization and it is then found to be non-compliant, the penalties and legal costs can be substantial.
- Damage to reputation. Once the public hears about a data breach of any kind that puts PII at risk, it can leave a lasting mark on your professional reputation or brand.
- Impact on future profits. Losing public trust has a severe impact on future revenue, and regaining consumer confidence is usually expensive.
- Money associated with exploits. A major trend among attackers is to steal assets or data and then demand a ransom for their return.
- Remediation costs. After an incident, an organization has to fix the problems that allowed it. Either way, you will need to budget for physical security; it is better to be proactive and fix existing weaknesses before an incident occurs.
The immediate costs of incident response are usually easy to calculate (and they can run into the millions, depending on the size of the breach and whether any compliance regime, such as HIPAA, was violated). What many organizations don't realize is that there are many intangible costs as well when a good security posture is not achieved. These should also be factored into the real cost of not doing physical penetration testing.
Unfortunately, humans are the weakest link in any security strategy, and social engineering attacks happen more often than we'd think. People often inadvertently give out enough information for an attacker to pass validation and authentication checks through trickery. Any information we obtain from the people we contact is used to build a better plan as the physical penetration test progresses.