Spotlight 9 March 2016 Who can you trust? Ian Glover, president of CREST, explains why penetration testing is a vital weapon in the battle against cyber crime and why you wouldn’t want just anyone trying to break into your company Sign UpGet the New Statesman's Morning Call email. Sign-up With more sophisticated cyberattacks expected from hacktivist groups, organised criminal gangs and state-sponsored cyber terrorists, it is more important than ever that companies discover where their security weaknesses are and fix them before someone else finds and exploits them. The best way to discover where vulnerabilities lie is to simulate a malicious attack, from inside or outside of the organisation, in order to see how easy it is to break into a network or computer system and steal valuable data or deny access to critical assets. This is called penetration testing, and the demand for this skilled, technical and clearly sensitive investigation and analysis has risen rapidly. While penetration testing has traditionally been associated with government organisations and large financial institutions and corporations, it is now commonplace among medium-sized companies, NGOs and the wider public sector. But this is sensitive work and companies need to be very clear who they are dealing with and have confidence in professionally qualified and skilled individuals with the appropriate processes and methodologies to protect data and integrity. It is a common misconception that the security industry is simply made up of ex-hackers – who, let’s face it, most organisations would be reluctant to trust. This is where CREST comes in. CREST was established in 2006 by the technical security industry with the support of the UK government and is the not-forprofit accreditation and certification body representing the technical information security industry. It provides internationally recognised accreditation for organisations and certification of individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST member companies undergo stringent assessment every year and sign up to a strict and enforceable code of conduct; and CREST-qualified individuals have to pass the most challenging and rigorous examinations in the industry worldwide, to demonstrate knowledge, skill and competence. For example, CREST practitioner entrylevel examinations are aimed at individuals with typically 2,500 hours of relevant and frequent experience, while candidates for CREST Registered Tester examinations should have at least 6,000 hours – three years or more and, at a certified level, 10,000-plus. All these individuals have to resit the examinations every three years, which reflects the fast-moving nature of the industry. This means that organisations wishing to buy penetration testing services have the confidence that the work will be carried out by trusted companies with the appropriate policies, processes and procedures for the protection of client information, using qualified individuals with up-to-date experience and understanding of the latest vulnerabilities and techniques used by real attackers. CREST members work very closely with the UK’s critical national infrastructure providers where cyberattacks could do the most damage – from energy and utilities companies to major financial institutions. Working with the Bank of England, government and industry, CREST developed a new framework to deliver controlled, bespoke, intelligence-led cyber security tests for the UK’s most important financial institutions. The CBEST scheme is the first initiative of its type in the world to be led by a central bank. However, recent reports show that companies of all sizes are under threat from cyberattacks, so CREST also helped to develop the technical assessment and certification framework for the UK government’s cyber security standards, Cyber Essentials and Cyber Essentials Plus. These set down baseline requirements for cyber hygiene and are now mandated for some government contracts dealing with sensitive data. The penetration testing activities are also supported by similar accreditations and certifications for cyber security incident response. This helps organisations assess how prepared they are to manage a cyberattack and CREST is working with the law-enforcement agencies to provide a register, where companies can look for help in recovery following a successful attack. As we have seen, the results of a successful cyberattack can be devastating for businesses and individuals, so UK companies and the government need a professional cyber security industry they can trust and rely on. For more information, visit: www.crest-approved.org › In this week's magazine | American Psycho Subscribe For more great writing from our award-winning journalists subscribe for just £1 per month!