Pentesting Part 3: It Could Happen to You

It Couldn’t Happen to Me…

In the holiday classic A Christmas Story the main character’s mother asks him what he would like for Christmas. He replies, “I want an official Red Ryder, carbine action, two-hundred shot range model air rifle!”

His mother replies, “No, you’ll shoot your eye out.” That phrase is uttered throughout the entire film when different characters—including Santa Claus—ask Ralphie what he wants for Christmas. Ralphie, with fantasies of saving his family from robbers, dismisses the idea that he could hurt himself with his air rifle. He probably thought “other kids might shoot their eye out, but that could never happen to me.” Near the end of the film on Christmas morning, Ralphie’s dad surprises him with his dream air rifle. Running out the door, Ralphie takes aim at a metal sign in the backyard and pulls the trigger. The BB strikes the sign and ricochets back to hit Ralphie’s glasses. Had his glasses not been there the BB would have hit his eye.

Ralphie’s mindset is one that many small businesses share with regard to data breaches: breaches do happen, they just happen to other people, never to me. Like Ralphie, small businesses may be aware of, and even understand, the risk of a data breach, but they fail to take action and find where they are most vulnerable with a penetration test (pentest). Some small businesses neglect to perform a pentest because of a false sense of security, while others avoid it because of a perceived lack of funds or time. Still others may think that they are not vulnerable to attacks because of the size of their business.

Schneier’s Two Reasons for Pentesting

In his blog post titled “Is Penetration Testing Worth It?” security expert Bruce Schneier discusses pentesting and gives two simple reasons businesses (small and large) should pentest.

“There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you’re going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I’m going to save you a lot of money by giving you this free penetration test: You’re vulnerable. Now, go do something useful about it.”

His reasoning is simple: vulnerabilities exist in all networks. However, if you require more convincing, below are four compelling reasons small businesses should pentest.

Reason #1: Small Businesses Are a Target

Some small businesses may feel that because they are small they are safe behind a wall of anonymity. This could not be further from the truth. 70% of cybercrimes that resulted in data breaches targeted small businesses. Why? It may be that attackers take the path of least resistance: attacking a small business with no security or weak security measures is easier, and turns into cash faster, than attacking a large company. Either way, this statistic helps demonstrate why small businesses should take pentesting seriously.

Reason #2: A Data Breach Costs More Than a Pentest

US businesses pay on average $5.4 million per breach, which comes out to $188 per stolen record. A small business would be financially devastated if they lost millions in data theft and fines. The cost of a pentest is much less than the cost of a data breach.

Reason #3: A Data Breach Could Drown a Small Business

About 60% of small businesses that suffer a data breach close within six months of the breach (according to a study cited by PCWorld). A large business that suffers a data breach will lose millions of dollars, but given time it can stay in business and slowly recover. That same data breach could take down a small business.

Reason #4: Tarnished Brand Reputation

If a small business happens to stay afloat after a data breach, it would still have to deal with the mistrust of potential customers and partners. A recent study shows that:

  • 86% of people were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving credit or debit card details
  • 82% were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving a home address
  • 80% were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving a telephone number
  • 76% were “not at all likely” or “not very likely” to do business with an organization which had suffered a data breach involving an email address

Pentesting: One Step Closer to Being More Secure

Just as with Ralphie and his air rifle, the risk exists. Ralphie almost lost an eye, but fortunately came out of the situation relatively unhurt. The stakes for a small business are greater: suffering a data breach could mean the loss of livelihood for yourself and those who work for you. There are, of course, many more reasons to do pentesting, but these four should be more than enough to convince any small business to find out where vulnerabilities exist in its network and to make that network more secure. Pentesting is among the first steps small businesses need to take to protect themselves from these inevitable attacks. One data breach is all it could take to bring down a small business.

Part 4: Considerations for Choosing a Pentesting Provider

In next week’s post we’ll discuss considerations for selecting a pentesting provider.