April 2, 2025

Cyber Criminals Don't Wait - So Why Are You Only Testing Once a Year?

Bruce & Butler’s Matt Bruce Urges Businesses to Rethink Their Approach to Cyber Security

Cyber threats are evolving at breakneck speed, yet many businesses still treat penetration testing as a point-in-time, once-a-year exercise. That outdated mindset is leaving organisations dangerously exposed, warns Matt Bruce, a cybersecurity expert and Director at Bruce & Butler.

"Hackers don’t wait 12 months to find a weakness in your system—so why would you wait that long to check for one?" says Matt. "The reality is that cyber threats are relentless. If you’re making frequent changes or deployments, you’re playing a risky game with your organisation’s security if you are only testing once a year."

Annual Penetration Testing Isn’t Enough

The statistics paint a worrying picture. As of 2024, nearly 21% of UK organisations report suffering a data breach at least once a month. At that rate, waiting a year between security assessments is no longer viable.

"An annual test might have worked five years ago, but today, it’s just not enough," Matt explains. "New vulnerabilities emerge daily, and every new deployment or major change can introduce fresh risks. If you’re not testing regularly, you’re leaving the door open for attackers." In a fast-evolving threat landscape, frequent changes demand frequent testing; waiting a year between assessments is no longer a viable option.

How Often Should Businesses Conduct Penetration Tests?

While compliance frameworks like PCI DSS mandate annual testing (and after significant system changes), Matt argues that businesses need to go further.

"There’s no one-size-fits-all answer," he says. "Quarterly or monthly testing might be essential if you handle sensitive customer data. If you’re constantly updating software or rolling out new features, penetration testing should be baked into your development cycle."

The Risks of Infrequent Testing

Delaying penetration tests isn’t just a technical risk—it’s a business risk. Matt highlights the key dangers of a lax approach:

  • Hidden vulnerabilities – Cyber threats evolve daily; if you’re not testing frequently, you won’t know where your weaknesses are.
  • Regulatory penalties – Many industries require ongoing security assessments. Fall behind, and you could face heavy fines.
  • Customer data at risk – A single breach can destroy trust, damage.

"Think of penetration testing like a health check for your company," Matt says. "You wouldn’t ignore warning signs and skip a check-up for a year—so why take that risk with your cyber defences?"

A Wake-Up Call for Business Leaders

Matt calls on IT leaders, CISOs, and executives to take penetration testing seriously—not as a tick-box exercise, but as a critical, ongoing strategy.

"Security isn’t static. Threats evolve, technology changes, and new risks emerge all the time. The only way to stay ahead is to test regularly, identify weaknesses, and fix them before someone else exploits them," he concludes.

To learn how Bruce & Butler can help strengthen your cyber defences through frequent, proactive penetration testing, visit www.bruceandbutler.com.