[BreachExchange] Why Your Small Business Needs Penetration Testing

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jan 16 19:02:05 EST 2017 

http://www.noobpreneur.com/2017/01/13/why-your-small-
business-needs-penetration-testing/

When the concept of penetration testing is first pitched to a small
business it can seem like a joke. The proposal generally goes that you are
going to have to pay a hacker to break down your cyber defences and get
into your system. On the surface it doesn’t look like an especially
attractive proposal, but it’s actually a hugely valuable operation that can
ultimately save your business time and money.

So how can having your system hacked help you? Well, with ‘ethical hacking’
(a penetration test) it is a controlled hack carried out by a cyber
security professional. They will utilise the same techniques that a
malicious hacker uses. This gives you the opportunity to see how a hacker
would defeat your defences without having to worry that your money or data
will be taken and used. Penetration tests can therefore allow you to better
prepare your business for a real hack.

This is especially important for small businesses that are likely to have
weaker cyber security and less leeway for downtime. So if you’re a small
business or start-up this can be the perfect solution for you. Here are six
important reasons that your small business needs penetration testing.

To show your team a hack can happen to anyone

One of the biggest cyber security problems for many small businesses is
complacency. Some simply think that a hack will never happen to them so
there is no need to be concerned about it. Unfortunately it’s the case that
any business that holds customer details, money or other sensitive data is
at risk of being hacked. Complacency can make you hugely vulnerable.

Many small businesses fall into bad practices like everyone having the same
weak password to log into the system. Not only does that make it
exceptionally easy for someone to get into your system, it can make it very
difficult to detect as details and records can be stolen without your
knowledge. Then it’s not possible to do anything until it’s too late. A
penetration test can have the benefit of showing your team that they need
to be vigilant and consider the potential for the business to be hacked at
any time.

To uncover vulnerabilities in the system

Perhaps the most obvious benefit of having a cyber security professional
hack into your system is that it can show you where your weaknesses are.
Instead of having those weaknesses exploited by a hacker, you have someone
show you exactly how they were able to defeat your defences. This gives you
the chance to rectify those issues to stop the danger of a future attack.

To highlight blind spots in your cyber security team

You may have the upmost confidence in your cyber defences and believe that
your IT department are excellent at their job. This may well be true – but
even the most experienced and talented cyber security team have been undone
by hackers. This is often because of blind spots that they have overlooked.

Unfortunately preparing for a malicious hack can be very challenging
because hackers will try multiple different methods to get into your
system. So if you have just one weakness, it can be exploited. The
penetration brings an outside perspective to the business – it may even
reveal certain aspects of cyber defence that you team hasn’t thought of.

To test the response from your team to the attack

It’s not just the actual defences that are challenged by the penetration
test. One of the other major benefits of this form of testing is that your
staff will believe that the attack is a genuine hack. Make sure that only
very specific people in high positions know that the attack is only
simulated. It’s important that the IT department doesn’t know that the
attack isn’t real. This will show you how they would respond to a real
attack. If the response is positive and decisive, this shows that your team
is doing well. But if there is a lot of confusion and panic it could
indicate that your team need to have better systems in place to deal with
attacks.

To prevent the expense of system downtime

If a real attack occurs it could take your system offline or leave you
having to spend a significant amount of time dealing with your IT
infrastructure. Is your business prepared to deal with this downtime? Ask
yourself how much time your business could afford to lose before it began
to affect your profits and ability to run successfully. Penetration testing
gives you the chance to sort out of these problems before a real hack
occurs and causes downtime on your system.

To reveal areas in which your staff need training

Good penetration testing tries to use a variety of different techniques to
defeat your system – this could involve using phishing email to attempt to
steal employee passwords. If any of your staff fall for these emails this
can show you that you need to provide them with training to know how to
spot a genuine email from a fake one.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170116/f4706a9f/attachment.html>

More information about the BreachExchange mailing list