Size doesn’t matter! All businesses should maintain some sort of system or network security to thwart cybersecurity intrusions. That includes small businesses. At a minimum, small businesses should implement fundamental and basic information technology (IT) security tools to protect their IT structures. Why? Because a single hacking incident can shut down a company’s operations and cause it to lose money. Basic and fundamental IT security includes regular vulnerability scanning, but is that enough?
Typically, vulnerability scans are automated, running in the background, scanning devices connected to IT systems for any vulnerabilities. The results are reviewed by internal staff, which, in a small business, may include the business owner. Vulnerabilities include threats to system integrity, confidentiality and authentication. It’s a best practice for all devices connected to internal IT systems to be scanned. It’s a simple tool to protect networks and systems. Vulnerability scans run often and provide data on what system vulnerabilities exist. This provides businesses with a baseline for comparing what is “normal” and what isn’t. The results make business owners aware of what vulnerabilities exist in their IT security structures. But vulnerability scans are limited: they look for security vulnerabilities in a system or network but don’t explain how to prevent or fix them. That is the purpose of penetration testing or “pen testing.”
After the completion of a vulnerability scan, pen testing is traditionally the next step. Pen testing assesses the potential damage that can result from exploiting the vulnerabilities reported by the vulnerability scan. Pen testing consists of an ethical hacker penetrating (hacking) a company’s IT systems to exploit vulnerabilities. An effective pen test will determine the actual chance of a vulnerability being exploited to help business owners mitigate deficiencies.
Okay. Vulnerability scanning and pen testing are good for cybersecurity, but for most businesses, speed to market is a priority and is oftentimes treated as a higher priority than cybersecurity. So, what’s a small business with limited financial and human capital resources to do?
Vulnerability scanning is available in a variety of formats. From cloud solutions to software solutions, from free options to commercial options, vulnerability scan solutions are accessible to small businesses. Pen testing, on the other hand, is conducted by a penetration tester, typically a consultant. Buyer beware; pen testers need to be certified and experienced in pen testing. Project-based pen testing can run approximately $3,000 to $4,000 per project, and if a company changes its IT structure, another pen test will probably be needed. For a contracted pen tester or in-house staff, their salary can run approximately $100,000 annually – clearly cost prohibitive for smaller companies. But there are alternative solutions to expensive pen testing.
New schools of thought posit that pen testing is merely an expensive, superficial way of addressing vulnerabilities. Why not spend money more wisely?
At the RSA 2018 Conference, Adrian Sanabria, former Director of Research at Savage Security, discussed his company’s solution for “immature clients” to pen testing. He stated that the “immature client” is the client being infected by malware and successful phishing attempts. An immature client is missing the basic fundamentals of a security system, and therefore a pen test is too advanced for their needs. Instead, a client should be asked provoking questions like – Is your information backed up? If you are infected by ransomware, how will you be able to access your data? How long will it take your company to be back online in the event of a cyber intrusion? What are you doing currently to mitigate risk? It’s these issues that should be addressed with clients, not necessarily pen testing. Then help businesses plug the holes.
Sanabria doesn’t believe that the pen test should be “killed,” but instead that it should be de-emphasized for the immature business. The tester should ask relevant questions that will really help the business and offer suggestions for automated solutions that mimic pen testing. For example, a small company could release fake malware into their system and see the effects. Additionally, there are mock phishing emails that can be sent to employees (unaware of the mock emails), in order to identify those employees vulnerable to a phishing scam. There’s also a tool called Infection Monkey. Infection Monkey is released into a company’s security structure, attempts to exploit vulnerabilities and reports back the results. Infection Monkey is a free open-source solution, and a viable alternative for small businesses to the traditional pen testing route.
Small businesses aren’t immune to cyber threats. The Federal Communications Commission reported that less-secure small businesses are becoming easier targets for cybercriminals. Not only that, small businesses may have regulatory obligations like PCI and HIPAA that require secure IT systems. With that, all small businesses should really implement basic fundamental protections. Vulnerability scanning and alternatives to pen testing are affordable and effective security protections available to small businesses that offer protection and advance compliance.