I think I should be the person who decides that my systems are secure. I DO NOT WANT un-autherised people hacking my accounts. Even if they have no malicious intent. It's like pooping through my letterbox, I did not ask for it and DO NOT WANT IT !
As others have said, I think you've missed the point.
Companies who are victim of cyber attacks (the big ones recently are Yahoo, Sony, Talk Talk, etc...) lose tens of millions of pounds as a result.
Often customer details are stolen and put online, or financial data stolen, product designs, emails intercepted (sometimes covertly), websites redirected, servers encrypted meaning that ALL data is effectively lost.
Sometimes these incidents are accompanied with threatening tweets/emails/calls or messages somewhere. There are often demands for money. All the while the business or organisation can't operate, often this means that hundreds of staff members jobs can't be performed, share prices go down, publicity damages their reputation, the UK business market becomes less attractive as some larger organisations lose confidence and go elsewhere.
Companies often employ external penetration testers. More secure businesses will also employ people to try to physically get in... e.g. A man with a high vis and a bogus lanyard will walk up to a door and say "Sorry mate, forgot my entry card". Then get in and just see where they can get to.
It's a fantastic way of truly testing your security and the awareness of staff. Same for the IT and network infrastructure. Penetration testers will then complete a report saying what they found and the weaknesses to patch up and will help the company secure themselves better.
That can only be a positive thing. It's better usually for an external business to come in and test the network, as their own staff are quite often blind to the weaknesses or too focussed on one area. Whereas independent contractors are completely fresh, have no bias, and will come back with a more balanced report.
