Penetration Testing for Small Business: The What, Why & How Much


Penetration testing is an imposing term. Many small businesses don’t understand what it is, why they need it, or how much it costs. Or, if they do, they associate it with one consequence: expensive technology investments. Consequently, penetration testing is a daunting proposition.

What many a small company doesn’t understand is that its success depends on penetration testing. Penetration tests are a core part of any company’s cyber security defense. Their cost, both the fee itself and the effort invested in remediation, is dwarfed by the potentially business-ending consequences of a cyberattack.

In this article, I’ll explain what penetration testing is, why you need penetration tests, and what you should expect from the whole process. In this day and age, in the face of data breaches, widespread cyberattacks, and the damage they cause, it’s dangerous not to implement a penetration testing process.


Does a Small Business Really Need Penetration Testing?

At its highest level of abstraction, a penetration test is ethical hacking. You pay a company to act as an attacker and compromise your systems.

There are important reasons to do that. Foremost, when you pay security professionals to attack you, you aren’t left cleaning up a data breach; instead, you get the chance to mitigate the weaknesses first. The simulated attack exposes the same vulnerabilities a real attacker would exploit to harm your business operations and cause a data breach. At the conclusion of the test, you get a report and recommendations so you can fix those vulnerabilities and keep attackers at bay.

For small businesses, the need for penetration testing has never been more critical. According to the University of Maryland, 82% of ransomware attacks hit small businesses. 60% of those businesses fold within 6 months of a cyberattack.

For small businesses, penetration testing is a core component of a cyber security program designed to harden digital assets and protect sensitive data. It’s one of many assessments you should employ to safeguard your digital assets. Those other assessments include security framework assessments, external posture reviews, web application scanning (if applicable), and third-party risk assessments.

Penetration testing differs from those because it is an active capabilities simulation instead of an evidentiary-based review. It’s an inward-focused review that raises awareness of the actual performance of your security infrastructure instead of best guesses based on an administrative review.

What’s the Benefit to a Small Business?

A better understanding of your security posture is a benefit that can’t be overstated. Instead of assuming you’ll weather a cyber attack and data breach well, you’ll know exactly how you perform. Additionally, you can improve your performance by knowing your weak spots and information security vulnerabilities.

Think of it this way: those vulnerabilities and issues exist whether or not you know of them. By being willfully ignorant, you’re practically guaranteeing an attacker will exploit them.

By understanding and repairing those issues, you’ll preserve uptime and protect your own and your clients’ or customers’ sensitive data.

Business partners and clients also increasingly demand penetration testing as part of a comprehensive suite of information security safeguards. Third-party risk management programs look for solid evidence that your business is operated securely. Not engaging in exercises that are increasingly accepted as industry standards puts you at a competitive disadvantage.

Put differently: penetration testing at a minimum makes you more secure and more likely to win business in an increasingly insecure digital world.

What Type of Small Businesses Benefit Most?


Every small company benefits from penetration testing, but some benefit more than others. Companies with the following characteristics will benefit significantly:

  • Companies that leverage web-based applications to provide services,
  • Companies in a highly regulated industry, where security is paramount,
  • Companies that leverage machine learning or generative AI to drive product offerings, or
  • Companies that deal with large swaths of what’s generally accepted to be sensitive information.

How a Small Business Should Choose What to Test

A penetration test can employ various scopes and testing methodologies. Those will, of course, depend on budgetary and infrastructure considerations.

In my mind, money is money. You have a finite quantity of it and understand how much you want to spend on a penetration test. Where your pen test is fiscally limited, you must prioritize your high-value assets, known as “crown jewels.” If you haven’t formally identified those, think about what your organization absolutely couldn’t function without.

If your penetration test isn’t constrained by budget, you’ll want to move further afield from critical to merely important systems. You’ll also want to identify what your infrastructure looks like. For example, certain vulnerabilities only apply to websites. If your web presence is just a company marketing page and not service provision, then you may want to exclude web applications from review. Ultimately, your organization needs to determine what’s important to your business.

From a methodology perspective, you have three options:

  • Black box testing, in which penetration testers attack a system with no prior knowledge of how it operates internally.
  • White box testing, which provides penetration testers with a comprehensive understanding of the system.
  • Gray box testing, which is a mix of black and white box and gives testers a partial architectural and operational understanding of the system.

Let’s take a look at which of these might be best suited to your business.

What Kind of Pentest is Best for a Small Business?

It depends on your goals.

If your business relies on a web application, then gray box testing is the most effective way to identify weak spots and mitigate vulnerabilities. Web apps live or die by their architecture: design decisions and component interactions can introduce serious weaknesses, and a gray box tester has enough insight into that architecture to find them.

Where you want to simulate an external attack most closely, you’ll opt for black box testing. Vulnerabilities are discovered as the penetration tester moves through your systems, organically developing an attack pathway. If your business is extremely concerned about external attacks on your infrastructure, then black box testing is for you.

If your concern is a malicious insider or a desire to gather information about the broadest set of vulnerabilities, then a detailed understanding of your application and network design, company culture, and access tools becomes necessary information. Where you want to mitigate internal threats or better understand your overall security posture, nothing works better than white box testing.

Finally, a small business might find a PTaaS (penetration testing as a service) option to be cost-effective, giving access to more automated testing, but on a more regular basis.

How Much Does Penetration Testing for Small Business Cost?

Penetration tests are typically priced as a fixed fee derived from estimated time and materials. Commonly, penetration testing vendors charge a flat fee based on a predetermined scope. You may also be quoted penetration tester hourly rates or a blended hourly rate for scope changes.

Your predefined and agreed-upon penetration testing process will determine the price. The volume and types of infrastructure to be tested dictate the likely critical vulnerabilities and the tools needed to penetrate your technology stack successfully.

If it’s your first test, it will likely go quickly and the penetration efforts will be very successful. Subsequent tests will likely take longer and result in less success.

Assume you’ll be paying in the low tens of thousands of dollars for penetration testing, with a likely cost under $20,000.

For an in-depth look at penetration testing costs for all environments, see this article.

How Can Small Businesses Find The Right Pentest Vendor?

Finding the right penetration testing vendor for your small company can be difficult. Industry word-of-mouth recommendations are ideal: if you know someone else who had a great experience, then their vendor could be a good option for you.

Alternatively, you could ask your technology vendors for recommendations. Chances are they have one or more penetration testing or security vendor partners that can assist. Otherwise, you may need to resort to doing your own research.

Evaluating a vendor should be the easier part of your search. You’ll want an organization that can develop a scope and penetration testing plan to meet your organization’s needs. That plan should be reasonable in light of your organization’s needs, infrastructure, applications, and other potential objectives.

Your vendor should also be able to describe their closeout report. You’ll want an actionable report: it identifies the testing methodology and scope, what the vendor could compromise (or not), and vulnerability mitigation and resolution steps.

What to Expect After Your Pentest

After the conclusion of your penetration test, that closeout report will be critical. It’s effectively what you’ve paid for. You’ll possess a list of identified vulnerabilities grouped by severity with vulnerability mitigation and eradication recommendations.

That list is how you’ll develop your security remediation plan. You’ll be able to identify the cost and effort to eradicate your vulnerabilities. For those entries with extreme cost and effort, you may want to pursue mitigation: instead of eradicating the vulnerability, you apply security hardening and safeguards around it to prevent its exploitation.

For example, you find that you have too many administrator accounts but can’t immediately reduce the number of administrators without significantly impacting business operations. Instead, you may find that you can implement multifactor authentication and long passphrases to make those accounts more resilient to compromise. That may make things a little more inconvenient, but it secures those accounts well without the negative business impacts.


Penetration testing is critical for your small business. Understanding how to find a penetration testing vendor, how to use that vendor, and what to do with their results can be incredibly complicated. This article outlines at a high level some of the considerations that you can use to improve your penetration testing process for success.

Published by Aaron Weismann
Aaron Weismann is a healthcare industry CISO with over a decade of strategic management, technology, and information security experience. His deepest experience is in managing and securing sophisticated and highly regulated environments. His expert...
Copyright © 2022 Network Assured