As the owner or manager of a small to medium-sized business (SMB) in London, it’s tempting to think that you don’t have the systems or data to attract the attention of cybercriminals. Nothing could be further from the truth. According to Verizon’s 2019 Data Breach Investigations Report, 43% of all cybercrime victims were small businesses. We know how busy you must be as the owner of an SMB, but you’ve got to take your cybersecurity deadly seriously, because a successful attack can be deadly for your business. However, as hackers and their threats become ever more sophisticated, there is a way you can put your digital defences to the test – to ensure your preparations are sound and your IT infrastructure secure – without inviting the cybercriminals in. And that’s with IT penetration testing, which is sometimes called pen testing. But exactly what does penetration testing involve? In this article, we’re going to answer that, and another question we often hear: ‘Why is penetration testing important?’
Why is penetration testing important…because it gives you peace of mind
To be brutally honest, if your current cyber-defences do not extend much beyond anti-virus software and a firewall, you’re leaving your business, IT infrastructure, data, IP and confidential customer information vulnerable. The only way to really find out how good your cyber defences are is to put them to the test as a cybercriminal would, with IT penetration testing. In this blog post, then, we’ll explain just why penetration testing is important and why you should invest in it.
Penetration testing defined
IT penetration testing is sometimes called ‘ethical hacking’ in that you employ a cybersecurity professional to use the same techniques as a cybercriminal would to attempt to break down your business’s digital defences.
‘What does penetration testing involve?’ we hear you ask. Well, you could compare the process to the way automotive manufacturers undertake extensive and realistic crash tests on their vehicles (with dummies not people!) to ensure those cars are safe prior to putting them on the open market.
Once your IT penetration testing is complete, your cybersecurity expert will provide details of the status of your digital defences. Crucially, what you’ll want to know is if they breached them, how they did so and what you can do to fix those vulnerabilities. They will, therefore, usually recommend tools and resources you could use to mitigate any cybersecurity weaknesses in your IT setup.
Why your SMB needs penetration testing
We believe that there are four key reasons small businesses, more than any other kind of enterprise, need penetration testing. Here are those reasons in more detail.
- Small businesses are big targets for cybercriminals
This isn’t simply our opinion. Research shows that over 43% of all cybersecurity attacks are aimed at small businesses. What’s more, the leading business insurer Hiscox reports that small businesses in the UK are the target of an estimated 65,000 attempted cyber scams and hacks every day.
We believe small to medium-sized businesses are more popular with cybercriminals (and, therefore, more vulnerable to attack) for a number of reasons. These include:
- Your business doesn’t have the budget to spend significant money on the latest cybersecurity defences and tools.
- If you launch, own or manage a small business in London, chances are you’re busy and you wear a lot of hats, so cybersecurity gets overlooked on your priority list.
- Small businesses still hold data that is just as valuable to them as a large business’s data is to it, so you’re just as likely to pay scammers to have ransomware removed, for example.
These factors all mean that you are more likely to be targeted, so penetration testing is vital to the wellbeing of your business.
- It’s less a cost on your business, more an investment in its future
Many small business owners do not implement appropriate cybersecurity measures because they feel they’re too expensive and draw cash away from their core business activities.
However, when clients ask us ‘What does penetration testing involve?’ we always reply that it’s vital to think of cybersecurity as an investment, not an expense. Cybersecurity is one area of commercial life where the old adage ‘prevention is better than cure’ holds true.
If your business falls victim to a cyberattack, the true price of the damage to your operations, data, IP, private customer information and reputation could be vastly more costly than paying for sound digital defences in the first place.
The truth is that IT penetration testing is relatively inexpensive compared to the value that you will get from it. The idea is that penetration testing will save you money, time, headaches and heartaches in the long term. What’s more, penetration testing will help you to allocate your cybersecurity budget to make the best use of your money.
- Data breaches can cost you dear so you need to be GDPR compliant
The General Data Protection Regulation (GDPR) of May 2018 means that businesses of every size and sector throughout Europe are required to better protect the data they store, in order to safeguard the privacy of the people they serve.
GDPR requires you to do more than merely change your system and provide customers with more rights over their data – you have to protect that data.
And data losses or breaches can cost your business dear. In the UK, the Information Commissioner’s Office can now issue fines of up to 4% of a company’s annual turnover or £20 million (whichever is greater) for the worst data offences.
So having IT penetration testing carried out on your digital defences will ensure you better withstand cyberattacks, reducing the danger that your business might be penalised for data loss.
- A cyberattack can prove fatal for a small business
We believe you should undergo penetration tests because the sad truth is that the majority of small to medium-sized businesses do not survive a cyberattack.
Research conducted by the National Cyber Security Alliance in 2017 (and the situation is probably much worse now) found that:
- Almost 50% of small businesses have experienced a cyberattack.
- More than 70% of attacks target small businesses.
- As many as 60% of hacked small to medium-sized businesses cease trading after six months.
These are genuinely frightening figures and show exactly how seriously you need to take your cyber defences.
Why you should only work with a network security professional
If you’re wondering how penetration testing works and are considering opting for it – and we recommend you do – you should go about it in two ways:
- Undertake pen tests regularly; the cybercriminals get ever more sophisticated and their cybersecurity threats evolve, so your defences must do the same.
- Only employ a network security professional who is specifically trained and has the necessary expertise to conduct IT penetration testing and other network assessments effectively.
A network security professional will bring a number of capabilities to your penetration testing, which include:
- Data breach prevention
When your pen test expert simulates a network exploit, you find out whether your systems detect and contain the problem and the security risks that come with it before a real attacker gets there. Think of it as being like a fire drill that ensures your business and team are well prepared before any disaster happens.
- Application security
Whenever your business implements a new application, it is important to have a professional perform a security assessment before putting the application to use throughout your business network; it helps prevent an inadvertent breach. This is especially important if the app’s main purpose is to handle sensitive data.
- Security control testing
A network security specialist has the knowledge and expertise to conduct proper penetration tests to ensure your controls are working across your business, from encryption processes, firewalls and data loss prevention to layered security processes and much more.
- Gap analysis maintenance
As we said above, penetration testing should never be considered a one-off, a snapshot of the situation. Rather, when you’re thinking about how penetration testing works best, you should see it as a continual process so that you can accurately ascertain how well your security model is performing. This kind of ongoing commitment to cybersecurity will expose any gaps in your digital defences well beyond the date of the pen testing itself.
From compliance with GDPR to meeting specific industry requirements, such as those for the payment card industry (PCI DSS), an expert and experienced security professional will ensure your system remains compliant with the particular standards and regulations for your industry.
What results should you expect from your penetration testing?
We’re often asked ‘What does penetration testing involve?’ and we always say the typical penetration testing report is comprehensive. It will include a complete review of the project; the techniques and methodologies used during the test; the security risks the test revealed, ranked in order of priority; recommendations for the investment necessary to fix the issues; and suggestions for making your network and infrastructure more secure overall.
It’s likely you’ll also receive a report for your management team that explains in non-technical terms how the current risks could negatively impact business continuity and indicate the potential financial losses that may be incurred should a breach occur.
Choose peace of mind and business continuity
As we said earlier, penetration testing should not be regarded as an expense on your business but rather as an investment in its future. If you choose not to employ professional IT security experts to undertake regular pen testing and a cybercriminal succeeds in breaching your IT infrastructure and network, the sad truth is that you may end up with no business left to protect.
Bottom line: the peace of mind and business continuity professional pen testing delivers is well worth the expense.
Note, though, that not just any technology professional should undertake your pen testing. Because penetration testing involves the very safety and survival of your enterprise, do make sure your provider is accredited by the Council of Registered Ethical Security Testers, or CREST. Any CREST-accredited penetration testing expert will provide you with a service that aligns with your business requirements, operations, budget and how highly you value the assets you want tested.
How does penetration testing work – ask the experts
If you’d prefer to run your business while one of our professional, independent and CREST-accredited cybersecurity partners runs your pen testing, it’s time to talk to the team at London’s go-to managed IT support provider (MSP), totality services.
Not only are we highly experienced and expert in cybersecurity ourselves – we’re Cyber Essentials and ISO 27001 certified – we’ve earned no fewer than two consecutive Feefo Gold Trusted Service Awards, five-star ratings from both Trustpilot and Google and a 98% client retention rate.
For a confidential, no obligation discussion about just what penetration testing involves for your London-based business, please feel free to give us a call.