Penetration Testing, or Pen Testing, is a form of ethical hacking in which a cybersecurity expert simulates a cyberattack on a system or network. As the name suggests, Pen Tests are performed to evaluate just how deep bad actors could potentially get into your system or what damage they could cause. Pen Tests are essential for any business that depends on technology to operate (so pretty much every single business out there).
Larger businesses generally understand Penetration Tests are essential to their cybersecurity strategy and readily incorporate Pen Test cost into their yearly technology budgets. Smaller businesses often do not allot for this expense in their annual budget and might even forego Pen Testing altogether. Bad idea.
Make no mistake, even for small organizations, the Pen Test cost is minuscule compared to the short- and long-term price tags associated with hacks, security and data breaches, malware, Distributed Denial of Service (DDoS) attacks and a myriad of other cyber threats.
Conservatively estimated, the average business loses $100K per ransomware incident; the downtime associated with DDoS attacks can cost businesses between $900-$1,700 per minute. A big pill to swallow, even for the mightiest of enterprises. Now just think about the perhaps unsurvivable hit a small business might experience.
Unlike many in my industry, I loathe leveraging cybersecurity scare tactics to enhance my business’ sales. I really do. Just like I would tell you to drive a 4×4 truck with snow tires if you were heading up into the mountain in winter, I also implore you to take precautionary measures to safely navigate the often treacherous roads of cyber technology.
Let’s take that truck analogy a little further when considering the cost of a penetration test.
Just as a new truck may have a list price of say $30K, adding options like a twin turbocharged engine, dynamic suspension, leather seats and entertainment packages can easily double that sticker price.
Given that most people sell their new vehicles within five years, why do so many add on these pricey options? Simple. People spend a significant part of their day in their vehicle, so the added expense of the upgrades is offset by the sustained, enhanced user experience. These truck buyers also understand the importance of securing the functionality and performance they want and expect from the start, so they will have no regrets down the road.
These same principles apply to Pen Testing. When purchasing a Pen Test, you want to be certain you are getting the right solution that identifies the issues that may affect the cybersecurity of your organization and is the first step toward mitigating risks.
Choosing the right approach and components is as important for a penetration test as those optional packages are to the owner of that truck. A pen test reveals risk exposures that drive priorities in resources and funding.
But how do you know what to include in your Pen Test?
Some of the most common factors to consider when selecting options and scoping a penetration test include:
Should your test include both external AND internal systems?
Are there applications included in the scope?
Do you need a sampling scheme for end-points?
Do your testing needs involve regulatory compliance?
Are your systems on premise or in the cloud?
Do you want to include password cracking in the scope?
Do you want to include phishing in the test?
Do you want to test your physical security?
Like I mentioned, we will delve deeper into the need for Pen Tests in the coming weeks – and I assure you, you will find it interesting! In the meantime, let’s give you a head start into budgeting and planning.
Here are some ballpark starting points for Pen Testing (not unlike the base price of that truck):
$7,500 – Small Business (0-150 Employees)
$12,500 – Medium Business (150-500 Employees)
$20,000 – Mid-Size Business (500-2,500 Employees)
$30,000 – Large Business (2,500-5,000 Employees)
$75,000 – XL Business (5,000-10,000+ Employees)
In addition to the organization’s size and Pen Test options, the complexity of the technology landscape will affect the price; more points of entry may demand more complicated and comprehensive testing.
Reinforcing and securing your technology has never been more important – and the failure to do so, never more costly. Invest in the safety of your data and technology like your organization’s life depends on it. Because it does.
Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.