Who can you trust?

Ian Glover, president of CREST, explains why penetration testing is a vital weapon in the battle against cyber crime and why you wouldn’t want just anyone trying to break into your company.

With more sophisticated cyber attacks expected from hacktivist groups, organised criminal gangs and state-sponsored cyber terrorists, it is more important than ever that companies discover where their security weaknesses are and fix them before someone else finds and exploits them.

The best way to discover where vulnerabilities lie is to simulate a malicious attack, from inside or outside of the organisation, in order to see how easy it is to break into a network or computer system and steal valuable data. This is called penetration testing and the demand for this very skilled, technical and clearly very sensitive investigation and analysis has seen a rapid rise in demand. While penetration testing has traditionally been associated with government organisations and large financial institutions and corporations, it is now commonplace among medium sized companies, NGOs and the wider public sector.    

But this is sensitive work and companies need to be very clear who they are dealing with and have confidence in professionally qualified and skilled individuals with the appropriate processes and methodologies to protect data and integrity. It is a common misconception that the security industry is simply made up of ex-hackers, who let’s face it, most organisations would be reluctant to trust.

This is where CREST comes in.  CREST was established in 2006 with the support of the UK Government and is the not-for-profit accreditation body representing the technical information security industry. It provides internationally recognised accreditation for organisations and individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo stringent assessment every year and sign up to a strict and enforceable code of conduct; while CREST qualified individuals have to pass the most challenging and rigorous examinations in the industry worldwide, to demonstrate knowledge, skill and competence.

For example, CREST Practitioner entry level examinations are aimed at individuals with around 2,500 hours relevant and frequent experience while candidates for CREST Registered Tester examinations should have at least 6,000 hours – three years or more.

This means that organisations wishing to buy penetration testing services have the confidence that the work will be carried out by trusted companies with the appropriate policies, processes and procedures for the protection of client information, using qualified individuals with up to date experience and understanding of the latest vulnerabilities and techniques used by real attackers. 

CREST Members work particularly closely with the UK’s critical national infrastructure providers where cyber attacks could do the most damage – from energy and utilities companies to major financial institutions. Working alongside the Bank of England, Government and industry, CREST developed a new framework to deliver controlled, bespoke, intelligence-led cyber security tests for the UK’s most important financial institutions. The CBEST scheme is the first initiative of its type in the world to be led by a central bank.

But recent reports show that companies of all sizes are under threat from cyber attacks so CREST also helped to develop the technical assessment and certification framework for the UK Government’s cyber security standards, Cyber Essentials and Cyber Essentials Plus. These set down baseline requirements for cyber hygiene and are now mandated for some government contracts dealing with sensitive data.

AS we have seen, the results of a successful cyber attack can be devastating for business and individuals, so UK companies and government need a professional cyber security industry they can trust and rely on.

Arrange a Conversation