Yes! The quick and simple answer is yes, but for many small business owners, it is not so simple. Penetration tests are not inexpensive. Business owners will need to weigh the cost of conducting a pen test against the potential cost of a data breach. Plus, they will need to consider what benefits they will get out of a pen test if they are going to add it to their IT budget, especially since a penetration test is generally not a one-and-done type of test. Pen tests are recommended yearly, as well as after network, security or server upgrades or changes, after large hiring increases, or after adding new locations.
This is a big question. While a penetration test is costly up front, a data breach will cost significantly more. A breach is not guaranteed to happen, but breaches are becoming more prevalent, especially for small businesses.
Data breaches are estimated to cost $6 trillion in damages by 2021, so looking into pen testing is wise. However, a small business will need to know and analyze the value of its most critical assets, the impact of losing those assets, and the extended costs that an organization may face, such as a loss of business, to determine if the upfront cost of a pen test makes sense.
Penetration testing also helps ensure your company meets compliance requirements. Many regulations, including the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley, HIPAA and 201 CMR 17.00, require an annual penetration test from a third party. If you have to follow any of these industry standards, you should determine whether a penetration test is required for compliance.
You can determine this either when you are creating the budget or at your fiscal year's end, when you see whether you still have money left. If you have money at the end of your fiscal year, it is the perfect time to conduct a penetration test. Not only will you use your current year's budget, but the results of the pen test will help you budget more wisely going forward. A penetration test will highlight your organization's areas of greatest weakness. These areas of weakness are where your company should increase its cybersecurity dollars, because they are the areas most vulnerable to attack. Without penetration testing to guide your cybersecurity team, your company would spend more money across a wider range of security tools, possibly spending too much in one area when the dollars would be better spent on something else.
Determining if pen testing is right for your small business is a very personal decision, but one that cannot be taken lightly. If you weigh your options and decide to move forward with testing, it is important to do your due diligence in choosing a provider, because you will invest a significant amount of money and time in the testing. Talk to a number of cybersecurity firms and get quotes and a detailed plan before you make your decision. A cybersecurity firm should be happy to answer all of your questions and provide valuable information in your initial conversation, so you know exactly what you can expect from their final report. Don't go for the cheapest option; choose the firm that will deliver on what you are looking for and help steer you in the appropriate direction.