Compliance Penetration Testing

Why should I complete penetration testing if I don’t need to be compliant?

For an organisation not yet impacted by cybercrime, penetration testing outside of a compliance requirement may seem like an additional, unwelcome expense. In this blog article, we explain how penetration testing is good for (and may even save) your business.

A Penetration Test (also known as ethical hacking) is an authorised, scoped hacking attempt targeting all, or specified areas, of your organisation's IT network infrastructure, applications and employees. The objective is to strengthen your organisation's security defences by providing a report that identifies and prioritises the areas susceptible to compromise and advises on remediation. This allows you to understand your level of risk and focus time, effort and money on protecting the areas identified, providing a fast and cost-effective way to improve your organisation's security posture and defend against cyberattack.


We could give many reasons why you should conduct penetration testing outside of a compliance requirement, but here are our top 3.

1. Protection from the growing threat of cyberattacks

Cybercrime has risen sharply, with cybersecurity breaches regularly making national (and even international) news, often as the result of a targeted cyberattack. What is less well publicised are the more pervasive, lower-profile breaches (often opportunistic rather than targeted) which are increasingly impacting small and medium-sized organisations.

For organisations that are yet to adopt a proactive approach to cybersecurity, complacency can be disastrous. Perhaps they are a mid-sized manufacturing, transport or construction business and think they are not an attractive enough target for a cybercriminal. Think again. With the increase in automated cyberattacks (which target any reachable system, regardless of who owns it), and the prevalence of Business Email Compromise attacks that gain a foothold into a larger organisation via a less well guarded supplier, you can no longer hope that cybercriminals won't take an interest in your business.

The cost and inconvenience of recovering from a cyberattack is high (currently averaging US$3.86 million [1]). In addition to the cost and lost time spent fixing the damage to your systems and data, plus any potential fines, there is damage to your organisation's reputation that can set you back years. Many organisations simply cannot foot the bill and go out of business.

Penetration testing can markedly reduce the risk of a breach by finding and fixing exploitable weaknesses before an attacker does.

2. Your organisation already has a compliance requirement (that you didn’t know about)

It's not uncommon for organisations seeking penetration testing services to discover that they already had a compliance requirement. For example, if your organisation processes, stores or transmits credit card data, you need to comply with the PCI DSS standard, or risk fines from the card brands and acquiring banks if your organisation is hacked and customer credit card data is stolen.

And from February 2018, the Notifiable Data Breaches scheme under the amended Australian Privacy Act made the disclosure of eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and to affected individuals mandatory. The penalty for serious or repeated failures to comply can be up to $1.8 million for organisations, plus fines of up to $360,000 for individuals.

Your trusted information security partner can tell you which compliance requirements apply to your organisation, and work with you to achieve and maintain compliance.

3. Business readiness

It's likely that the requirement to meet a cybersecurity compliance standard will become more common in the future, as customers and regulators raise the bar for their suppliers. You may find that the tender you'd like to pitch for, or the large client your organisation has just won, requires you to meet an information security compliance standard, such as PCI DSS or ISO 27001, to be one of their preferred suppliers.

Penetration testing will help your organisation to plan and improve its cybersecurity, so that achieving compliance is quicker, easier and less costly when it is required.

We recommend working with a certified cybersecurity provider to conduct a risk assessment to determine your organisation’s level of risk. You may be surprised at the level of risk your organisation is currently exposed to and may even discover a compliance requirement needing urgent attention.

You can then develop your cybersecurity program and employ an iterative approach, using the tools at your IT department's disposal and your provider's (such as vulnerability assessments and penetration testing) to measure and evolve the security of your networks and applications. Note that the two are complementary: a vulnerability assessment scans broadly for known weaknesses, while a penetration test goes deeper and attempts to exploit them, so a scan alone does not tell you what an attacker could actually achieve.

We hope you've found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers. In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.

Questions & More Information 

Do you have a question about penetration testing? Contact us to speak to one of Shearwater's certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.


[1] 2018 Cost of a Data Breach Study: Australia, Ponemon Institute LLC, July 2018.