Do Small Businesses Need Penetration Testing?

Posted on Monday, August 3, 2020

Cybersecurity is big business. Every year there are unprecedented levels of cyberattacks targeting large and small companies alike. If you’re a small business, you might not think you’d be high on the list for targeting. Unfortunately, that’s not always the case.

Wherever there is software and hardware, there is always a risk that someone can exploit vulnerabilities that exist within them. No organisation is exempt from this. That’s where penetration testing – a form of ethical hacking with your best interests at heart – comes in to help. So what actually is penetration testing and why is it important for small businesses?

What is penetration testing?

Penetration testing, or pen testing for short, is a simulated cyberattack against your systems. If there are any holes in the security of your network, servers or systems, chances are you’ll want to know about them before the bad guys do. Pen testing is all about looking for these weaknesses and seeing if they can be exploited so you have a chance of patching them.

Is penetration testing dangerous?

Granted, a penetration tester will use much the same knowledge and tools that a criminal hacker would to find vulnerabilities in your systems, and their job is not just to find these weaknesses but to try to exploit them. The difference is that a pen tester works legally, with your written permission and within a scope you have agreed beforehand, and every finding and recommendation is passed back to you rather than used against you.

Why is penetration testing important for small businesses?

It’s impossible to make every system 100% secure, but being aware of any known security issues will help massively reduce the risk of cyberattack. The need for penetration testing really comes down to two main factors: security and compliance.

Security

Small businesses are prime targets for cyberattack. Large companies can spend heavily on their defences, so criminals often find a small business the easier target of choice. Small businesses usually hold the same kinds of sensitive data as larger firms, and that data is just as valuable to a criminal; it is simply far easier to get at.

Compliance

It doesn't matter how large or small your organisation is: if you handle customers' health, credit card or legal information, you have a duty to protect it, and you must comply with the regulations that govern that data (for example the GDPR for personal data, or PCI DSS for card payments). Penetration testing helps you check that your security practices are up to scratch and gives you evidence that you are meeting current requirements.

How does penetration testing work?

Here is an example of the kind of process a penetration tester might use for finding areas which could cause a security breach in your system.

1. Find and prioritise vulnerabilities in critical information systems

Starting with your critical information systems, a tester maps out what is exposed and identifies the points most vulnerable to attack. The vulnerabilities found are compiled into a list and ranked by severity and by the business impact of the system they affect, so the company knows what to deal with first. High-risk weaknesses in systems the business depends on should always be addressed before lower-risk findings elsewhere.

2. Carry out external and internal penetration testing

Once the potential weak points are identified, the tester attempts to exploit them in the same way a cybercriminal would, to find out which are real and how far an attacker could actually get.

External penetration testing: Think of this as testing any part of your company's asset list that is visible from the internet. This might include your company's website, email servers or DNS servers. The goal is to break in from the outside, as an attacker with no prior access would, and reach valuable data.

Internal penetration testing: Think of this as testing anything that could be exploited by a malicious insider, or by an attacker who has already got inside your firewalls. This might include assessing the damage a rogue employee could do, or testing the hypothetical case in which an employee's credentials are stolen in a phishing attack and used to move through the network.

3. Fix problem areas and repeat testing if needed

Once the weak points are reported, it's up to the company to fix them. A retest is commonly carried out after the fixes are in place to confirm that each issue is actually closed rather than just assumed to be.
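To make steps 1 and 2 concrete, here is an added example (not code from the original post or from Mustard IT): a short Python script that reads the kind of service scan a tester would run against the internet-facing footprint during the external test, drops anything that is not actually open, and ranks what remains so the high-risk items come first. The scan output is a constructed sample in Nmap's XML format, and the exposure policy and severity scores are assumptions a tester would adjust for the client. A ranking like this is only the starting point for the manual attack phase; it is not proof that a service is exploitable.

```python
"""Triage an Nmap XML scan of internet-facing hosts into a remediation order.

Added example, not Mustard IT's tooling. The scan is a constructed sample in
Nmap -oX format; POLICY and its scores are assumptions to tune per client.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a web server and a file server, mixing expected and risky services.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - example">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/></port>
    </ports>
  </host>
  <host>
    <address addr="203.0.113.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Windows Server 2008 R2 microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open" reason="syn-ack"/>
        <service name="ms-wbt-server" product="Microsoft Terminal Services"/></port>
      <port protocol="tcp" portid="21"><state state="filtered" reason="no-response"/>
        <service name="ftp"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Assumed exposure policy: severity 1 (info) to 5 (critical) for services reachable
# from the internet. Unknown services get "review" so nothing is silently passed.
POLICY = {
    "microsoft-ds": (5, "SMB should never be internet-facing"),
    "ms-wbt-server": (5, "RDP exposed; restrict to VPN and enforce MFA"),
    "telnet": (5, "cleartext remote shell"),
    "ftp": (4, "cleartext credentials"),
    "ssh": (2, "remote admin: confirm key-only auth and patch level"),
    "http": (1, "expected public web service; test the application itself"),
}
SEVERITY_LABEL = {5: "critical", 4: "high", 3: "medium", 2: "low", 1: "info"}


def parse_open_services(xml_text):
    """Return one dict per open port; filtered/closed ports are not attack surface."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            findings.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "unknown") if svc is not None else "unknown",
                "product": (svc.get("product") or "") if svc is not None else "",
                "version": (svc.get("version") or "") if svc is not None else "",
            })
    return findings


def triage(findings):
    """Attach a severity from POLICY and sort worst-first, then by host and port."""
    for f in findings:
        f["severity"], f["reason"] = POLICY.get(
            f["service"], (3, "unrecognised service; manual review"))
    return sorted(findings, key=lambda f: (-f["severity"], f["host"], f["port"]))


def remediation_order(xml_text):
    """One line per finding, highest priority at the top."""
    lines = []
    for f in triage(parse_open_services(xml_text)):
        desc = " ".join(p for p in (f["service"], f["product"], f["version"]) if p)
        lines.append(f"[{SEVERITY_LABEL[f['severity']]:8}] "
                     f"{f['host']}:{f['port']}/{f['proto']} {desc} - {f['reason']}")
    return lines


if __name__ == "__main__":
    print("\n".join(remediation_order(SAMPLE_SCAN_XML)))
```

Run as-is it prints the two exposed Windows services on 203.0.113.20 first, then SSH, then the two web ports; the filtered FTP port is dropped because nothing can reach it. Each top-ranked line is then a lead for the tester to verify by hand in step 2, not a confirmed breach.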

How much does penetration testing cost?

Penetration testing rarely comes cheap. The cost depends on the size of your organisation and how complex a test you need carried out, but don't expect to get a comprehensive test from an independent company for less than a few thousand pounds.

Can you do penetration testing yourself?

In theory, it’s completely possible to do penetration testing in-house without having to involve a third party. There are a whole host of open-source penetration testing tools available that you can use to test your own networks and systems without having to start from scratch.

These tools will give you raw results, but you then need to interpret them, and that is the hardest part to do without a professional. Automated scanners regularly report issues that turn out to be false positives, and they miss weaknesses that only a human tester, chaining several smaller findings together, would uncover. Knowing which findings are real, which matter to your business and which are noise is what you are paying an experienced tester for.

Paying a professional is a cost you'll have to weigh up against the potential losses a breach or attack could bring, and those numbers aren't pretty. One widely quoted figure is that over 60% of small businesses that are hacked go out of business within six months.

So not being prepared against cyberattack could cost you far more than you would spend on decent testing. Cybersecurity is not something anyone should be scrimping on, so try to think of penetration testing as an investment rather than an expense.


About Mustard IT, your technology partner

Mustard IT is a trusted team, experienced with the latest technology and able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.