National standards on vulnerability scanning and penetration testing are defined by several organizations such as the nonprofit Center for Internet Security (CIS) and the Cybersecurity & Infrastructure Security Agency (CISA), an agency within the U.S. Department of Homeland Security. However, none of these standards are required or enforced, and organizations should determine frequency based on several factors:

  • Industry – Does your business operate in an industry that collects substantial personal data from customers, such as healthcare or financial services? Or do you have hundreds or thousands of employees whose personal information is contained in human resources files?
  • Volume of data – Does your organization process high volumes of data every day, and do you practice good data protection measures such as daily backups?
  • Risk – Is your industry a frequent target of cyberattacks?

Generally, a mid-sized company should do vulnerability scanning at least once per quarter, and a penetration test every year. That’s a starting point that will provide a roadmap to security upgrades that can be done each quarter to continuously improve the system’s safeguards. Each quarterly scan will verify the effectiveness of the improvements made since the last quarter.