If anything the last two years were a wake-up call about the growing dangers of cyber-crime and hacking. Every time we turned around we heard about another major retailer getting hacked and millions of credit cards numbers stolen. Even a major movie studio got taken down temporarily. The latest new revelation of cyber-crime is of a global banking heist in the past 18 months that netted at least $300M and possibly upwards of $1B. The cyber-criminals in this case operated a very sophisticated network that sent malware and other malicious tools to various international bank employees, which when downloaded gave the attackers internal access to monitor transactions and siphon off massive amounts of money.
Unfortunately, cyber-attacks will only get more sophisticated in the years ahead. As technology continues to scale up, cyber-criminals will get more brazen and underhanded. If companies like Target, Home Depot, or Sony Pictures are vulnerable to such attacks, then small businesses have to seriously weigh the risks of culprits penetrating their sites.
To compensate and counter-act the threat of a crippling attack, it’s critical that small businesses take preventative measures to make their infrastructure cyber-strong. Adopting best practices for cyber-security within your organization will go a long ways to preventing the financial loss, brand damage, and other problems that accrue from a cyber-attack. There’s one technique in particular that every small business should seriously consider. It’s called penetration testing. In a nutshell, penetration testing is an intentional attack on a computer system that is intended to strategically identify security vulnerabilities that can potentially cripple your infrastructure. It basically answers the following question: “What is the real-world effectiveness of my existing security controls against an active, human, skilled attacker?” With this in mind, let’s explore some reasons why your small business should actively adopt penetration testing as a best practice and include it in your cyber-security protocol.
1. Small businesses are a target of cyber-criminals
There’s a host of data out there showing why small businesses are particularly vulnerable to security hacks. According to a 2012 joint study by security firm Symantec and the National Cyber Security Alliance (NCSA), 83% of small businesses do not have a formal cyber security plan, and 69% are without even an informal plan. Another report says that 62% of breaches during 2013 were at the SME level. Yet another set of data shows that companies with revenue under $100M actually cut security spending by 20% in 2014. The bottom line is that SMEs are perceived to be vulnerable due to a number of reasons such as lack of focused budget, lack of risk awareness, and lack of employee training. Not to mention, in the last few years SMEs have developed much more complex infrastructures that involve on premise, mobile and cloud and interactive connections with customers and partners, which all serve to create many more vulnerabilities.
2. Data breaches cost a lot more than a penetration test
According to the latest stats, Cybercrime and Cyberspying cost the US economy $100B a year and the global economy about $300B annually. At the individual business level, statistics show that the average cost of a hack for a U.S. business rose from $5.4 million in 2012 to $5.9 million in 2013, and the average cost for each lost or stolen record containing sensitive and confidential information increased from $188 to $201. This includes loss of business and brand damage associated with the security breach. While some firms are reluctant to post their fees for penetration testing, the price range can run anywhere from 4 to 6 digits. The point though is that it’s still a lot cheaper than the alternative of dealing with a very difficult and potentially crippling hack.
3. A Data breach could take down a small business
The effects of a data breach can be catastrophic for a small business. A serious security breach could have irrevocable consequences ranging from lost customers to brand damage, increased expenses, and decreased revenue. According to the latest information, roughly 60% of small businesses who are hacked go out of business within 6 months. Those who do manage to stay afloat have to deal with the continuing problems of a tarnished brand. Here are some stats worth noting, courtesy of this site:
86% of people were “not at all likely” or “not very likely’ to do business with an organization which had suffered a data breach involving credit or debit card details
82% were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving a home address
80% were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving a telephone number
76% were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving an email address
4. Penetration testing is insurance for your business
Having another set of eyes that can carefully discern the state of your security infrastructure just makes good business sense. Penetration testing provides IT with a way to find holes before a malicious source does, identifies gaps in compliance (for instance, if a certain device was not properly patched), and also verifies what configurations are already working or need to be strengthened. Moreover, it highlights the need for better employee security training and preparedness. If a penetration tester gets access to your infrastructure without anyone raising a red flag then this is obviously cause for concern. Overall, penetration testing should be considered like insurance for your business. As one source well states, “Think of a Penetration Test as an annual medical physical. Even if you believe you are healthy, your physician will run a series of tests (some old and some new) to detect dangers that have not yet developed symptoms.”