Do Small Businesses Really Need Penetration Testing?


Many small businesses are probably thinking the same thing: do we really need penetration testing? And even if the need is obvious, is it something we can really afford? For most small businesses every single pound is accounted for, and anything left over after operational costs goes on advertising, which is often vital for business growth. With so many other factors to take into account, it may be difficult to see a penetration test as truly essential. In this article, we will look at why penetration testing is so important for small businesses, and the potential benefits it can bring.

Why is it important for small businesses?

Essentially the importance of penetration testing boils down to three aspects: security, compliance and prospective clients.


Perhaps the most obvious reason a company needs a penetration test is security. It’s important to know that your small business is secure and that sensitive data is not at risk from cybercriminals, whether that is a customer’s PII, credit card information, or the trade secret behind your latest product.

Large-scale data breaches are more likely to make headline news, but the truth is that small companies are targeted far more often than larger businesses. According to Verizon’s 2017 Data Breach Investigation Report, 61% of all data breaches came from small businesses, a rise from 53% in 2016.

If that’s not alarming enough, a report by the SEC states that half of all businesses that experience a data breach will be out of business within 6 months. The cost of a data breach is typically between $84,000 and $148,000, and combined with a bruised reputation this will be too much for many companies to handle.


In most cases, small businesses are not exempt from the compliance regulations that apply to larger companies. If you collect health information, government information or credit card information, among many other kinds of data, you are likely compelled to meet compliance regulations set out by governments. On the plus side, these requirements are much easier for a small business to meet than for an enormous company.

Another thing to remember is that your compliance requirements are likely to change over time. As the company grows you will typically need to meet different, and perhaps tougher, regulations. It’s important to have security best-practice policies and procedures in place now so that you can expand freely in the future. Otherwise, you may well have to play catch-up with something that could have been in place a long time ago.


Penetration testing is also important when considering current or future clients. If larger companies put their faith, and their money, in you, they need to be sure that security controls are in place on your end too. By using your company they are putting their own reputation on the line.

An interesting fact here: the Target data breach in 2013, which led to the theft of 70 million customers’ information, was in fact caused by a third-party vendor, not by Target itself. A much smaller company that Target used for heating and air conditioning services was the initial point of compromise, but as consumers we never heard that. What almost everybody saw was that Target had been hacked, and it was Target that lost the data. The public damage to reputation fell on Target, even though it wasn’t their security that failed.

It’s also important to have your penetration test results ready when dealing with larger companies. If you only start the process at the point they tell you it is needed, you run the risk of not only losing time but also coming across as a little amateurish because you didn’t prepare well enough. Having everything prepared in advance shows that you have a mature security programme. It is also worth remembering that each successive penetration test should reveal fewer and fewer flaws as your systems are brought up to the correct level. The more penetration tests you have carried out, and the better shape your systems are in before a key customer asks, the better.

How much does it all cost?

The answer, of course, depends on the size of your company and exactly which services are required. The most important tests for a small business are normally an external penetration test, a social engineering assessment, and an internal penetration test.

External Penetration Test

This should answer the question, “can we be hacked from the internet?” A security engineer will test all of your company’s services that can be reached from the internet and try to break into them. The cost of this kind of test is primarily based on how many internet-accessible hosts you have, along with a few other factors. As a rough idea, expect around $3,250 for 10 IP addresses.

Social engineering assessment

This assessment looks at whether your employees would click on a link that gives attackers access. Most companies spend the majority of their security budget on a strong perimeter but often overlook this area. For this kind of assessment, the cost is primarily based on the number of employees you want to target. We would recommend a small sample of your staff (5 phone calls or vishing attacks, 5 targeted emails or spear phishing, and 25 emails in a bulk phishing attack). In total this should cost around $3,250.

Internal penetration test

This kind of test tries to answer two questions: “what can an intruder do to the business?” and “what can an attacker do once someone does click on that link?” An internal penetration test typically involves a security engineer acting as a normal employee on your network. Gradually they will look to escalate their permissions and gain access to sensitive data. The cost is primarily based on the number of IP addresses on your network. A small test like this, covering 100 IP addresses, will cost in the region of $5,670.

The full cost of all three tests, minus a 10% discount should you take a holistic package, comes to around $10,953. This might seem like far too much for your business right now, but we hope this article has at least given you a clear picture of why, and how, penetration testing can help your business.

Computers in the City, your IT partner

Computers in the City is London’s longest-standing IT partner. With over 20 years’ experience, we can assist you to meet your IT support, consulting and cloud computing needs. We’re proud to be local, offering 24-hour support in straightforward language that takes the stress out of IT support.