A robust cybersecurity testing strategy helps a business mitigate potential attacks, provided the business is deliberate about its mitigation practices.

It is important to note that cybersecurity testing/penetration testing is not a one-time activity, but instead should be done consistently. The following are suggested when planning for tests of security controls:

1. Resource identification, which will include hardware, software, and skilled human resources in the form of security professionals to do the testing.

2. Set up a criticality/severity rating for the systems and applications protected by the controls. This includes developing a rating matrix that bands such systems and applications as “high”, “medium” and “low”, so that after testing, the level of exposure the targeted company currently faces is properly appreciated.

3. Appreciate the probability of a technical failure of the mechanism implementing the control. This distinction matters because operational failure within the digital environment remains possible, and may or may not have anything to do with the test at the time it is done. Such an observation nonetheless points to where open-point vulnerabilities could spring up, intentionally or otherwise.

4. Recognise the probability that a control is misconfigured, which could endanger the organisation's security. For example, a new systems administrator may unintentionally assign incorrect privilege levels to different users within the organisation; notwithstanding, this can lead to an unintended breach rated high in severity if it is not discovered, following point 3 above.

5. Keep in mind any other changes, upgrades, or modifications in the technical environment that may affect the control performance.

6. The difficulty of, and time needed for, testing a control. In highly mission-critical operations such as a hospital, you may be required to take systems into a sandbox to test live, since the team may never get that access. Yet setting up an offline sandbox for the hospital will not necessarily reflect the organisation's actual security posture. A middle ground would be a special agreement to identify lower-peak periods and work out a compromise to test some scenarios within that low-peak period, as an example. The alternatives are many, and the suggestions here are not exhaustive.

7. The impact of the test on day-to-day business operations. Consistent with the previous point, where live and offline tests are carried out over a week, this would certainly slow down access to human and machine resources.
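Points 2 and 4 above come together in practice as a privilege-drift check: compare the privileges actually granted to users against an approved baseline, and rate each deviation by the criticality band of the system it affects. The script below is an added illustration, not part of the column; the systems, roles, privilege ranks, baseline and user assignments are all constructed sample data, and treating an unrated system as “high” is an assumed conservative default.

```python
"""Privilege-drift check rated by system criticality (added example, constructed data)."""
from dataclasses import dataclass

# Constructed criticality bands (point 2): one band per protected system.
SYSTEM_CRITICALITY = {
    "patient-records-db": "high",
    "hr-portal": "medium",
    "intranet-wiki": "low",
}

# Ordered privilege levels; a higher rank means more access.
PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed approved baseline: the maximum privilege each role may hold on each system.
# A (role, system) pair missing from the baseline is treated as "none".
APPROVED_BASELINE = {
    ("nurse", "patient-records-db"): "read",
    ("dba", "patient-records-db"): "admin",
    ("hr-clerk", "hr-portal"): "write",
    ("intern", "intranet-wiki"): "write",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    system: str
    granted: str
    allowed: str
    severity: str


def find_privilege_drift(assignments, baseline=APPROVED_BASELINE,
                         criticality=SYSTEM_CRITICALITY):
    """Return every assignment whose granted privilege exceeds the baseline.

    assignments: iterable of (user, role, system, granted_privilege) tuples,
    e.g. an export from the directory or application admin console.
    Each finding is rated with the criticality band of the affected system;
    an unrated system is assumed "high" until someone bands it (point 2).
    """
    findings = []
    for user, role, system, granted in assignments:
        if granted not in PRIVILEGE_RANK:
            raise ValueError(f"unknown privilege level {granted!r} for {user}")
        allowed = baseline.get((role, system), "none")
        if PRIVILEGE_RANK[granted] > PRIVILEGE_RANK[allowed]:
            severity = criticality.get(system, "high")
            findings.append(Finding(user, role, system, granted, allowed, severity))
    # Highest severity first so the review starts with the most exposed systems.
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.system, f.user))
    return findings


def summarise(findings):
    """Count findings per severity band for the testing report."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


# Constructed sample of current assignments, including the kind of mistake
# described in point 4: a nurse account given admin on the records database.
SAMPLE_ASSIGNMENTS = [
    ("alice", "nurse", "patient-records-db", "read"),    # within baseline
    ("bob", "nurse", "patient-records-db", "admin"),     # drift, high-criticality system
    ("carol", "hr-clerk", "hr-portal", "write"),         # within baseline
    ("dave", "nurse", "hr-portal", "read"),              # drift, role has no approved access
    ("erin", "intern", "intranet-wiki", "admin"),        # drift, low-criticality system
    ("frank", "dba", "patient-records-db", "admin"),     # within baseline
]

if __name__ == "__main__":
    drift = find_privilege_drift(SAMPLE_ASSIGNMENTS)
    for f in drift:
        print(f"[{f.severity.upper()}] {f.user} ({f.role}) has {f.granted} on "
              f"{f.system}; baseline allows {f.allowed}")
    print(summarise(drift))
```

Run against a real privilege export, the same function gives the tester a list already ordered by the criticality matrix from point 2, so the “high” findings (such as an admin grant on a records database) are reviewed before the low-band ones.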

After thorough, continuous evaluation and improvement in respect of the concerns raised above, a comprehensive assessment and testing strategy can be designed and validated.

Dr Sean Thorpe, professor of cybersecurity, University of Technology, Jamaica and immediate past president, Jamaica Computer Society (JCS).