Chronicles of a Penetration Tester

The massive shift to a remote workforce landscape has expanded the technology perimeter for most organizations and correspondingly increased their overall exposure to the most common cybersecurity threats of 2020.

Throughout these challenging times, the team of experienced cybersecurity professionals at Schneider Downs continue to work hard every day to make our firm, clients and communities better prepared to prevent, detect and respond to modern cybersecurity threats. The graphic below highlights some key vulnerability trends in our findings.

  • Social Engineering – As you can see, user susceptibility to phishing attacks is higher than ever. Although there are likely a number contributing factors, we attribute this increase to the dangerous combination of new internal processes and individual distractions. With so many new standards of communication and remote workforce procedures, users are struggling to follow basic email security principles, which can be particularly challenging for those with high-traffic home office setups where they may experience increased interruptions and background noise.
  • Logical Access Controls – We’ve also observed a significant spike in the number of remote resources lacking the enforcement of multifactor authentication (MFA). The utilization of remote resources has understandably exploded throughout 2020, but too often these resources have been rapidly deployed without proper security configurations, like MFA, the single most effective cybersecurity control an organization can implement.
  • Data Governance – We continue to see data governance issues on the rise. As we all continue to adjust to a remote workforce landscape, increased dependence on collaboration tools like Microsoft Teams has made it easier than ever for individual users to share and manage data. However this is a double-edged sword, and has significantly contributed to the volume and variety of sensitive files stored within unstructured and often unprotected data.
  • Patch Management – On a positive note, patch management issues have declined. Don’t get me wrong, we still see our fair share of missing critical security patches, and we are far from done worrying about the zero-days of tomorrow, but it’s nice to see a more widespread adoption of effective patch management efforts. A long overdue win for the cybersecurity community.

Be sure to check out this recent recording from a speaking engagement where I discuss these trends and much more, including a deep dive into some of the most effective methods to-date, in which pentesters and threat actors alike are successfully compromising the average network.

Lastly, keep in mind that not all penetration tests are created equal. Far too often, we see organizations of all sizes and industries relying on a glorified vulnerability scan to fill the increasingly important role of a proper penetration test. I challenge us all to maintain high expectations when it comes to the methodologies, toolsets and techniques of those performing these types of highly technical consulting services. If a penetration test comes back with no significant findings, be skeptical of the tester’s capabilities. Now more than ever, it’s crucial for decision-makers to have an accurate and actionable understanding of the cybersecurity risks we all face.

For more information about penetration testing please visit our penetration testing service page or download our penetration testing service overview.  

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit or contact the team at [email protected]

In addition, our Incident Response Team is available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].

Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.

© 2021 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.

our thoughts on
How To Scope a SOC 2 Audit
Do I Need a SOC 2 Type 1 Before a SOC 2 Type 2?
Why Do CPA Firms Perform SOC 2 Audits?
What Financial Institutions Need to Know About R-SAT
Fact or Fiction: SOC 2
Cybersecurity BY Gary Muggli
NIST Introduces NISTIR 8374 to Tackle Ransomware Risk Management
Register to receive our weekly newsletter with our most recent columns and insights.
Have a question? Ask us!

We’d love to hear from you. Drop us a note, and we’ll respond to you as quickly as possible.

Ask us
contact us
Map of Pittsburgh Office

One PPG Place, Suite 1700
Pittsburgh, PA 15222

[email protected]
p:412.261.3644     f:412.261.4876

Map of Columbus Office

65 East State Street, Suite 2000
Columbus, OH 43215

[email protected]
p:614.621.4060     f:614.621.4062

Map of Washington Office
Washington, D.C.

1660 International Drive, Suite 600
McLean, VA 22102

[email protected]

This site uses cookies to ensure that we give you the best user experience. Cookies assist in navigation, analyzing traffic and in our marketing efforts as described in our Privacy Policy.