By Dan Hefle, Regional Vice President, Synack

When I talk with customers about security, I can’t tell you how many times I’ve heard really smart people in organizations of varying sizes say, “We’re not a big enough company to be a target.” Unfortunately, they couldn’t be more wrong.

The truth is, bad actors know Fortune 500-sized companies are usually at least trying to protect their data. They need a back door to infiltrate a network, using code-level attacks to plant payloads for the purpose of stealing information and compromising credentials. And they target organizations of all sizes – Fortune 500 to the smallest startup – because infiltrating one organization can often give them a back door into others. That makes every organization a “big target,” especially considering the ingenious ways cybercriminals have found to access even the most well-protected data.

This is the reason SRC Technologies has forged a strategic relationship with Synack; SRC wanted to offer its clients a powerful new tool in their security toolkit – crowdsourced penetration testing. In fact, penetration testing should really be the first step when planning any well-thought-out security strategy. Why? Because it’s our goal – together with SRC – not only to harden your critical applications and IT infrastructure, but to make your organization an absolutely awful target.

Penetration testing isn’t new. However, most penetration tests are conducted by machines and only a small handful of people, which has relegated them to nothing more than a compliance tool. SRC selected Synack as its penetration testing partner because both SRC and Synack understand how cybercrime really works. We understand the scale and diversity involved in cybercrime. And we know that you need to match that scale and diversity with an adversarial viewpoint from a trusted partner that combines large-scale human ingenuity with technology to make sure your attack surface is as hardened as possible.

Synack maintains a trained, vetted, highly skilled and growing community of over 700 ethical hackers (we prefer the term “researchers”) who actually attack your organization – in a private, controlled, managed and methodical manner. Because of the extensive background checks our “Red Team” researchers have undergone, and because of the verified skill sets they bring to the table, Synack has become one of the most trusted and highly regarded penetration testing organizations in the business – some of the world’s largest brands trust us to test the security of the systems guarding their most critical information. And it works: We find an Equifax-like breach within our customer base about every six days.

What we do differs wholeheartedly from open “bug bounty” programs in that we don’t publish your assets to a community of self-proclaimed hackers. We have carefully curated, tested, and vetted a crowd of the world’s most talented ethical hackers, and we provide a high-level, managed, and safe professional testing service that captures every keystroke our researchers make, giving your organization a record of your blind spots and vulnerabilities as well as a roadmap that details the steps our researchers took to expose them.

In cooperation with SRC, we can provide two types of penetration testing – a point-in-time test that may average 25 to 30 researchers testing the security of your systems for 250 to 300 hours over a two-week period, or continuous testing that involves 24x7x365 work, something that particularly large organizations guarding very sensitive financial or healthcare data, for example, might require. The important takeaway here is that we provide a safe and proven way to bring tremendous scale and diversity into your penetration testing. Attackers are smart bad guys, and the only effective way to expose and protect yourself from them is with an army of equally smart good guys doing the same things the bad actors would do, then sharing with you what your vulnerabilities are so SRC can create a more effective security strategy for your organization.

When you’re thinking about enterprise risk management and wondering if a new way to approach penetration testing is necessary, ask yourself these three important questions:

  1. How resilient are your systems? Your organization probably has several external facing applications and IT systems – your website, for example, and maybe a mobile app or active IP addresses representing your host infrastructure. How sure are you they can’t be compromised, and if they were, what’s at stake?
  2. What is the potential impact of a breach to your business? How fast could your company recover if your organization’s most sensitive internal or customer data was stolen or exposed, and what would it cost you both monetarily and in terms of brand reputation in the meantime?
  3. Is your security strategy constantly evolving? This is where most organizations find themselves lacking. The pace of change in your security strategy must match the velocity with which advanced threats are being crafted. Enterprise organizations are often lulled into a false sense of security with a policy-based security strategy alone, forgetting that cybercriminals are people who are constantly adapting and changing to overcome the best policies out there. Does your strategy account for the human element?

The bottom line in securing your data is that there is no solution that is going to provide 100 percent protection because cybercriminals are incredibly creative, and they work hard at what they do. This means a determined hacker may eventually outsmart even the best technologies. With the help of a skilled security consultant and the use of Synack’s private and controlled crowdsourced penetration testing, however, you can make your environment inhospitable to hackers. To create the most advanced security strategy possible, you need to bring in good hackers to find the back doors that bad actors will find if you don’t head them off at the pass. Then, tap into the expertise of a company like SRC that can help you create the kind of hardened environment that makes your organization an undesirable target for cybercriminals, and a safer one for you and your clients.

Want to learn more about IT security and the best ways you can protect your business? Visit the Synack page on the SRC website to learn more about penetration testing professional services, then read about SRC’s security services here. SRC has also partnered with other top-name organizations in the security field including Sophos, Qualys, Kaspersky Lab, LogRhythm, EventTracker and KnowBe4. Contact us to find out what SRC Technologies can do for you.