A profile short of three people sitting in a row at a desk, examining the electronic tablet in the hands of the man sitting in the middle. The man in the middle has blond hair and a dark beard. He has one hand held to his chin in thought. The person on the right, a woman with long, dark hair, is turned in the blond man's direction and is speaking. The person on the left, a dark-haired man, is in the foreground and slightly out-of-focus. On the desk in front of the three people are a computer monitor, an open laptop, and some trash from a food order.
A penetration test is usually carried out by external hackers who are hired to probe for weaknesses in your business's security system. — Getty Images/Maskot

Penetration testing, or pen testing, is the process of simulating a cyberattack in a controlled, authorized environment to identify vulnerabilities in an organization’s security measures. Also known as ethical hacking, pen testing allows your business to find and repair security weak points before a bad actor can take advantage of them. Pen testing also allows your security team to practice its response to an attack: How will your company respond, recover, and implement a business continuity plan?

Most experts recommend carrying out penetration testing at least once a year. These tests help prevent growing threats such as ransomware, data loss, and different forms of social engineering attacks. They’re also part of compliance for PCI-DSS, HIPAA, and GDPR. If you’ve never done a pen test, here’s where to start.

How does penetration testing work?

Most small businesses hire an external professional to carry out penetration testing. “It’s best to have a pen test performed by someone with little-to-no prior knowledge of how the system is secured because they may be able to expose blind spots missed by the developers who built the system,” wrote Cloudflare.

The person you hire may take one of five main approaches to penetration testing:

  1. Open box: The person carrying out the sanctioned attack is given some information ahead of time regarding the information you hope to keep secure. This allows the team to test a specific aspect of your security protocols.
  2. Closed box: The sanctioned hacker is given almost no information beyond the name of the target company.
  3. Covert, or double-blind: Beyond a select few IT professionals, no one in the organization knows that penetration testing will take place. The sanctioned hacker is given a specific scope and launches an attack without the employees’ awareness. This allows the team to realistically respond and test training and other security protocols.
  4. Internal: The sanctioned hacker tries to infiltrate your company’s internal network. This approach is ideal for discovering potential insider threat.
  5. External: The sanctioned hacker focuses on your external-facing technology, such as your website or external servers.

If you’ve never had a pen test before, consult with a security professional who can tell you which one they recommend.

Pen testing may require initial upfront investment, but it is a proven way to reduce cybersecurity threats that can be far more costly in the long run.

Once your ethical hacker has performed some reconnaissance, they’ll initiate an attack to try to find a weakness in your security. “In each of these types of attacks, penetration testing typically involves some kind of brute force attack (e.g., cracking passwords or encryption keys) followed by social engineering,” wrote Nightfall AI, a cloud data loss prevention platform. “Depending on the scope of the attack, an ethical hacker may also try to cover up their tracks upon completion to avoid detection and simultaneously test the company’s monitoring systems.”

Once the test is complete, the sanctioned hacker will provide a report outlining the exploits they used, any vulnerabilities they uncovered, and details on how far they were able to infiltrate your system. Many ethical hackers will also include recommendations to patch your vulnerabilities.

[Read more: 4 Essential Cybersecurity Measures Every Small Business Should Take]

The benefits of penetration testing

Penetration testing is a proactive way of protecting your company’s valuable information. “To maintain a strong security posture and effectively manage security issues, you must understand the threats you face and regularly test for gaps in your mitigative and detective controls,” wrote Cisco.

Pen testing is an effective way to reduce the risk of a security breach. According to Gartner, organizations that practice continuous threat exposure management — which includes regular pen testing — will suffer two-thirds fewer breaches by 2026. Pen testing may require initial upfront investment, but it is a proven way to reduce cybersecurity threats that can be far more costly in the long run.

[Read more: 6 Ways to Make Your Hybrid Workforce Secure]

Likewise, pen testing is a key part of compliance. It’s a requirement for adhering to PCI DSS guidelines and strongly recommended for companies subject to HIPAA and GDPR. Pen testing can also help your business meet voluntary guidelines like ISO/IEC 27001.

CO— aims to bring you inspiration from leading respected experts. However, before making any business decision, you should consult a professional who can advise you based on your individual situation.

CO—is committed to helping you start, run and grow your small business. Learn more about the benefits of small business membership in the U.S. Chamber of Commerce, here.

Published