A Short & Simple Guide to Small Business Penetration Testing

When it comes to cybersecurity, large enterprise organizations typically have dedicated staff who are familiar with penetration testing. For small businesses, this usually isn't the case; the responsibility for proper cyber protection normally falls on a member of the IT or administrative team. Does this predicament sound familiar? Then this article is for you! Welcome to our short 'n' sweet guide to small business penetration testing.


Benjamin Franklin is often credited with saying, "If you fail to plan, you are planning to fail!" While cybersecurity didn't exist back in Mr. Franklin's day, the statement certainly holds true for it, especially for small business penetration testing.

Start Acquiring Bids Early
Here's another relevant adage: "The early bird gets the worm." (That one actually predates Mr. Franklin, but he'd surely have approved of it.) In this case, pretend you're the bird, and your penetration testing report is the worm. The sooner you start preparing, the better.

Ideally, start acquiring bids for penetration testing at least 3 months before you need the finished report. Security vendors can be busy and often won't have consultants readily available, and the report itself is rarely the last step: you'll usually want time to fix what the testers find and, if a client or auditor requires it, have the fixes retested before the deadline. With that said, if you're a little late to the game, there's no need to panic; this can still be accomplished on a shorter time frame.

Define Your Purpose for Penetration Testing
At the beginning of your penetration testing process, define exactly why you need it done. Is it for compliance reasons? Has a client insisted on a report? Are you concerned about cybersecurity in general? Have you been hacked? Penetration testing is an expensive endeavor, so it's imperative that you clearly identify your objectives. In turn, this shapes the scope of work: a compliance-driven test might cover only the systems that hold client data, while a general concern about security calls for a broader look at everything you expose to the internet. Also, if you're one of the many small businesses that outsources its IT needs, ask your IT vendor for any pertinent network diagrams, asset lists, external IP ranges and domain names, or other system information; it could greatly help the penetration testing process.

Identify Your Ideal Deliverables

What deliverables do you need from the penetration test? In the majority of cases, it's a report. But does that report need to be geared towards a specific compliance need, such as a Google Vendor Security Assessment? Make this explicit from the start.

Often, vendor assessments are only interested in the systems that hold client data; other assets might not be tested unless you ask. If you find out early on that you need something more, you can save your small business and your penetration tester a ton of headaches down the line.

Consider Penetration Testing Repetition
Remember that a penetration test gives you a snapshot of your systems at that exact moment. Systems inevitably change, and new vulnerabilities can appear at any time, so consider how often you'll need testing to be performed. Do you prefer a one-off test? Or will you need it repeated on a regular basis, say annually or after any significant change to your systems? Figuring this out early on not only sets you off on the right foot but can also save you money; many penetration testing providers offer annual or repeat testing discounts.

Evaluate Potential Penetration Testing Providers

If this is your first time delving into the world of penetration testing, it can be hard to know where to begin. Start with your personal and professional network. Ask any friends, colleagues, or owners of small businesses that you know if they have experience working with any cybersecurity companies. If this doesn't yield any results, then it's time to go online.

Before you begin looking for penetration testing providers on Google, be aware: there's no shortage of companies out there! This means your search can quickly get overwhelming. Narrow your efforts by focusing on local companies, or at least those in the same region as your small business. This increases the chances that they're in the same time zone as you and have worked with businesses in your industry.

Once you've found a few promising penetration testing providers, spend some time on their websites. Read through their case studies and previous client reviews. Get a sense of their depth of knowledge regarding the technologies you use in your organization. Have they worked with other small businesses or similar companies to yours? Just as with any other product you purchase, you want to ensure that they're well-suited for your needs.

Skill Verification
In the UK, many cybersecurity companies and penetration testing providers attain well-respected accreditations such as CREST (which accredits companies and certifies individual testers) or Tigerscheme (which certifies individual testers) to verify their credibility. These and similar schemes have started appearing in the United States, so certainly be on the lookout for them as you research potential vendors.

One important note: there are many cybersecurity certifications and accreditations available. In our experience, they don't necessarily reflect the skill of the individual consultants who will work on your penetration test. So don't use them as the sole determinant of which provider you choose. Experience in your small business's industry matters just as much, if not more.

Make Contact

Now that you've done the due diligence, it's finally time to start reaching out to the best testing providers you identified!

Initial Discussion
Try to approach around 3 companies; this diversifies your efforts while keeping things from getting overwhelming. Keep your first call with each of them short. Think of it as a first date: you really just want to establish whether you like what you initially hear. Be ready to discuss your previously defined scope of work, your small business's IT infrastructure, and any other information you think is relevant.

Remember: these providers are supposed to be the experts, so you should come away with a sense of confidence from what they say, and they should be able to understand exactly what you require. Don't be surprised if they challenge some of your penetration testing assumptions. In fact, as far as scope goes, they should be able to lead you in the right direction.

Receiving Quotes
Once a penetration testing provider has gathered all the information they need, ask to receive a quote for your project within 5 working days. And don't be afraid to apply some pressure on their response time; this shows you who's prepared to go the extra mile and put in the effort early on.

If you feel that there's a lack of interest, or the amount of testing they recommend falls short of what you expected, move on to another potential vendor.

Choose a Penetration Testing Provider

Let's say you've now received a handful of proposals back. Hopefully, the sticker shock hasn't knocked you off your seat! Select 2 or 3 of the vendors that you like the most, then schedule a follow-up call with each of them.

Scope of Work
During your follow-up call, walk through the penetration testing provider's proposal and ask any questions you may have. Make sure they've taken the time to properly understand your testing requirements and the risk profile of your small business. Are they focusing test time and resources on the components that matter most to your organization's compliance requirements? Confirm the practical details too: when the testing will happen, who on each side to call if something breaks during the test, and whether any in-scope systems are hosted by a third party whose permission is needed before they can be tested. Inquire about the team that will actually be working on your penetration test. Are they familiar with the technology you use? Don't be surprised if they're not acquainted with some of your tools, even popular ones. On the bright side, pen testers are masters of adapting to whatever they're testing. But obviously, experience with your specific technologies is a bonus.

What deliverables do you want? This has probably changed a bit since your preparation phase. You should get an outline from the penetration testing provider of what the deliverable will be. Ask to see a sample report so you know what to expect.

Most security vendors' reports are similar. Usually, they'll consist of an executive overview and technical details of each issue discovered, typically with a severity rating and remediation advice. However, some reports are easier to digest and understand than others, and that could make a large difference in who you pick to be your penetration testing provider.

Penetration test pricing is typically a fixed cost, but what's included can vary widely. Like most things in life, the cheapest option isn't necessarily the best choice. With that said, if someone is intent on undercutting the competition or giving you the hard sell, think twice about hiring them; they may prioritize landing clients over the quality of their work.

Ask your potential testing providers to break down their costs and the time dedicated to each step of the process. If the numbers don't seem to add up, don't be afraid to ask for clarification.

Note that there's usually some "wiggle room" in the cost, so feel free to ask whether there's any flexibility in the pricing agreement.

Small Business Penetration Testing Doesn't Have to Be Hard
Congratulations! If you've made it this far, the test itself has been organized and scheduled. There's not much else for you to do besides make sure someone on your side is reachable while the testing is underway, then wait for the results. The provider may need some time to finalize the report after the test wraps up, but reach out for an update if this ends up taking a few weeks, as that isn't the industry norm. Once the report arrives, set aside time to work through the findings and fix them; the report is the start of the improvement, not the end of it.

We hope you've enjoyed this brief overview of small business penetration testing! Escaped is a penetration testing company that specializes in serving small businesses that don't have an in-house security team. If you have any questions about the penetration testing process, we'd love to help. Reach out here at any time!