As a small business ourselves, this is a question we can really relate to. Do you really need all this penetration testing? And even if you recognize it is important, can you afford it? The fact is, as a small business, and especially as a startup, every single dollar is accounted for. Every dollar that is not being used for operating expenses can go to advertising, which is critical to growing your small business. So, dropping thousands of unbudgeted dollars on a penetration test seems absurd. In this blog, let's explore that issue. We will discuss why it is necessary for a small business to get a penetration test, and how much they should expect to be charged.
Why Penetration Testing is Important for a Small Business
Let’s start by addressing why it is important for a small business to have a penetration test completed. This really boils down to three things: security, compliance, and prospective customers. Let me explain.
The first, and perhaps most obvious, reason to have a penetration test is for security purposes. You want to make sure that your small business is secure, and that the sensitive data you collect cannot be stolen by an attacker. This could be customers' PII that would hurt your reputation if it were stolen, a trade secret that makes your product better than the competition, or something you are required to protect, like credit card information.
While the big data breaches are more likely to make the news (Equifax, Home Depot, Target, etc.), the fact is that small businesses are breached far more often than large corporations. According to the Verizon 2017 Data Breach Investigations Report, 61% of the breach victims in that report were businesses with fewer than 1,000 employees, up from 53% in the previous year's report. What is even more alarming, according to a report by the SEC, over half of the small businesses that experience a data breach will be out of business within 6 months. So the bottom line is, your company is more likely to be breached than a large company, and if you are, you can expect the cost of a breach to be between $84,000 and $148,000. This cost combined with the reputation hit may be too much for your company to handle. Therefore, from a security standpoint, the question should be: can you afford not to shore up your security?
In most cases, being a small company does not exempt you from the compliance regulations that larger companies are required to meet. If you collect health information, credit card information, government information, or personally identifiable information, or are a service provider for any company that does, you likely have compliance requirements you must meet. The good news is, as a small company, some compliance requirements are easier to meet than if you were a Fortune 500 company. For example, under PCI DSS, as a small company you will likely be asked to fill out a Self-Assessment Questionnaire (SAQ) rather than undergo a full on-site audit that produces a Report on Compliance (ROC).
Another thing to consider: even if a compliance authority isn't asking about your compliance status now, will they in the future? As your company grows, will you be required to meet certain regulations? If so, starting now can save you thousands of dollars later. By putting security best-practice policies and procedures in place early, you can ensure that as you grow, those practices are already being met, without having to change a company culture 10 years down the road. A common example of this is removing local administrator rights from users' computers. If that is just the way it is when people join your company, it is far easier for them to accept than having their permissions taken away after they have been with the company for 5 years.
Finally, penetration testing might be required by current or future clients. In many cases, if your company offers a service to a larger company, they will want to ensure your security is sound, because by using your product or service, they are putting their company and their reputation on the line. Case in point: did you know that the Target data breach was caused through one of their third-party vendors? Yep, the attackers responsible for the 2013 data breach that led to the theft of 70 million customers' personal information got into Target's network using credentials stolen from a small business Target used for heating and air conditioning services. Yet, from the customers' perspective, it is Target who gets the black eye, not the heating and air conditioning company. For this very reason, you will have prospective clients asking for this type of information before they use your service or product.
Additionally, when they ask, it is better to have it on hand than to start the process then. This is for two reasons. First, it shows that you have a mature security program in place. Getting a penetration test because someone asks shows you are meeting a requirement, but doing penetration testing in the name of security is a much better position to be in. Second, your company's first penetration test will likely surface more critical flaws and vulnerabilities than your second. Similarly, your third will find fewer than your second, and so on. The more penetration tests or security audits you have completed (and remediated) before a key customer asks, the better that report will look.
OK, now I know I need it, how much does it cost?
Although the answer depends on the size of your company and what services you need, let me do my best to give you a good idea. As a penetration tester, I would argue the most important tests for your small business to run are an external penetration test, a social engineering engagement, and an internal penetration test.
An external penetration test will answer the question “Can an attacker hack me from the Internet?” As such, a security engineer will test all the services of your company that are accessible from the Internet and try to break in. The cost for this assessment will vary primarily based on the number of hosts you have that are internet accessible, as well as a few other factors. To give you an idea though, an external penetration test of 10 IP addresses will cost you $3,250.
A social engineering assessment answers the question "Will my employees click on a link that gives an attacker access?" In the majority of cases, a company will spend most of its security budget securing the perimeter of the network, and will then be breached by an attacker simply sending a link to someone. For a social engineering assessment, the cost is primarily based on the number of employees you want to target. I recommend a small sample of your employee base (5 phone calls, or vishing attacks; 5 targeted emails, or spear phishing; and 25 emails in a bulk phishing campaign). This will cost $3,250.
Finally, an internal penetration test answers both "What can a malicious insider do to my company?" and "What can an attacker do once someone does click on that link?" As such, an internal penetration test starts with a security engineer on your network holding the same access as a normal employee, from which they will try to escalate their privileges and gain access to sensitive information. The primary cost factor for an internal penetration test is the number of IP addresses within your network. A small internal penetration test of 100 IP addresses will cost you $5,670.
The full cost of your assessment, including deliverable fees and minus a 10% discount for selecting the holistic threat package, comes to $10,953. This may be too steep for your organization, and a penetration test might be too much at this time. If that is the case, that is perfectly fine, but we hope that by writing this blog you at least have a better understanding of why a penetration test is important, and that you are armed with the data you need to make that decision.
Please let us know in the comments if you found this useful, or if you have anything to add to the discussion.