Small organisations often struggle to know where to begin when addressing their cyber security needs. One term they may have come across is ‘penetration testing’, but what exactly is it, and does it apply to you?
Find out everything you need to know about penetration testing for small businesses in this blog.
What is penetration testing?
A penetration test (sometimes known as a ‘pen test’ or ‘ethical hacking’) is a controlled form of cyber attack performed by an ethical hacker.
The goal is to discover security vulnerabilities that a criminal hacker could exploit for malicious purposes.
Penetration testers use the same methods as criminal hackers, replicating their approach as closely as possible.
By doing so, organisations can see their systems in the same way an attacker would – identifying vulnerabilities and the ways in which they are leveraged.
After the test, the ethical hacker creates a report advising the organisation on the steps it can take to improve its defences and prevent attacks.
Why penetration testing important for small businesses
Penetration tests are essential for all organisations. New vulnerabilities are always being discovered, and if your organisation doesn’t find them promptly, a cyber criminal will.
Did you know, for example, that in 2022 cyber security researchers discovered more than 25,000 CVEs (common vulnerabilities and exposures). It was the highest number ever recorded and demonstrates how increasingly difficult it is for organisations to close software flaws.
By regularly testing your systems and network, you will be able to identify and address weaknesses promptly.
It’s not simply about preventing the inconvenience of a data breach; it’s about good business sense. The cost of security incidents is spiralling, with the latest figures suggesting that organisations spend up to €4 million responding to data breaches.
This includes the costs associated with response, investigation, regulatory action and customer churn.
Indeed, security incidents can cause long-term damage that can only be prevented through careful preparation.
But penetration testing isn’t only a preventative measure. Organisations are legally required to complete regular tests if they are subject to the PCI DSS (Payment Card Industry Data Security Standard), and it’s a requirement of ISO 27001 compliance.
How does penetration testing work?
An experienced penetration tester can mimic the techniques used by criminals while ensuring that no damage is caused. Depending on the type of attack, they will look for:
Tests can also be conducted outside business hours or when networks and applications see the least usage, thus minimising the impact on everyday operations.
The penetration tester provides a report that details any identified vulnerabilities (and where possible, demonstrates proof of concept) and offers advice on how to mitigate them.
How much does penetration testing cost?
The price range for penetration testing services is vast. One organisation might charge €100, while another might bill €10,000.
But, like so many things in life, cheap does not mean best. It’s therefore essential that you research an organisation’s credentials.
A good place to start is CREST (the Council of Registered Ethical Security Testers), which verifies organisations that meet the rigorous standards it mandates. You can find a list of approved pen testers on the CREST website.
It’s also worth noting that the cost of a penetration test will usually increase when the scope of the penetration test grows. For example, a test on 20 IP addresses will be more expensive than a test on ten.
As such, it’s vital that you know what needs to be tested before you compare prices.
You can find out more about penetration testing on our website. IT Governance is a CREST-accredited provider of penetration tests, and we have a variety of fixed-price testing packages that are suitable for any organisation.
We offer on-site and remote testing to help you assess your networks in whichever way is most convenient for you.
A version of this article was originally published on 14 December 2021.