Many small and medium-sized organisations face a dilemma in the world of security.
They are not of a size where they can afford skilled in-house security resources; however, they still have the same security issues and the same responsibility to protect their customers' data as any much larger company.
When you consider that the average cost of a data breach has been calculated at over 3 million this year (https://newsroom.ibm.com/2018-07-11-IBM-Study-Hidden-Costs-of-Data-Breaches-Increase-Expenses-for-Businesses), these worrying figures can understandably incentivise a penetration test. However, this is where a problem arises for small businesses, start-ups and some medium-sized businesses: the cost!
As an example, let's look at a fairly small business, nearing the end of its first year of trading, running:
A CRM system holding customers' personal data
A web application front end for customers to use for transactions.
This business and all its employees have worked incredibly hard to build the business over the last few months; they are just about in profit and have amassed the personal information of around 3,000 individuals in the CRM SQL database.
The MD (let's call him John) has seen all the worrying propaganda about the cost of a potential breach, once legal counsel, reputational damage, forensic analysis of the breach and the massive overhead on the team are taken into account, and is understandably concerned.
As a result, of course, this risk scores very high on the company risk register and dominates every risk discussion they have.
If these numbers are correct and the risk of data loss were to materialise, then the business is finished.
Even if these numbers varied by plus or minus 50%, the business would still be finished. John is worried and decides that a penetration test is needed.
Ok, we need a penetration test… now what?
Once John had decided to go ahead with penetration testing, he approached four different cyber security companies to scope and cost the work required.
The average was:
4 days for the web application
2 days to cover their internal network
1 day for a firewall review
Average Total = £9,500
Then John assumes he will need to remediate the findings from the pen test
Estimated at £1,500
Then a retest to make sure the remediation has secured the business.
Estimated at £1,000.
Total = £12,000
The problem here is that £12,000 is four months' worth of profit for the business. Whilst it could be argued that these costs could have been factored into fiscal planning, it was noted that John's company had assumed that the software house delivering the CRM and web application would have covered all the security aspects.
It transpires that the software house tested periodically during their development cycle, but never on the live infrastructure, and they did not have the in-house skills for a full and complete security test anyway. The testing they performed was a basic vulnerability scan rather than a complete manual assessment.
John has no choice: a year-one cost equivalent to four months' profit that they had not budgeted for, versus carrying the risk that they may be compromised and lose the whole business.
Partnering with smaller businesses
It is obviously incumbent on business owners to take security seriously, but they also have many other responsibilities. Security testing organisations should be encouraged to find ways to help, so that smaller companies are not disadvantaged from a security perspective because of their size and financial position.
To quote John, “we want a test but costs are scary and we need to be sure we are not being rinsed”.
("Rinsed" is John's phrase, but we are using it going forward as we like it and it seems appropriate.)
We actively try to form more of a partnership with the companies we work with. From a business perspective, we see this as a key investment.
If we focus on high-quality penetration testing, specifically addressing all of John's security concerns and explaining the findings in plain English without the scaremongering, and avoid "rinsing" the company in question, then we will get return business.
The return business is of course a mark of satisfaction from our clients.
We have introduced a retainer initiative, which works on the principle that the company engages Precursor Security on a retainer, with an agreed number of days of testing available to be used over that period. The cost of the three year agreement can be structured so that the majority of it is deferred until the third year. This allows smaller businesses and start-ups to have a more affordable penetration test in the short term while they grow.
Other benefits for small businesses, particularly start-ups, are that the client can draw down the days as they wish. So, should they introduce more technology or upgrades as their business (hopefully) grows, and need a penetration test, they already have the agreement in hand to allow this to happen. Further, our clients have a security company they can trust, who they work with regularly, and they get to know personally the account manager and penetration testers they will be dealing with.
At a practical level, for the testing we perform, the retainer agreement also has many benefits for us as a security company: we get to learn more about our client's business over time and can give additional context to any findings and the remediation we recommend.
This initiative is already benefiting us as a business, in that we have clients we work with over and over again, and it seems to benefit our smaller clients in particular, as it keeps their business secure at the periods in the business's life where being secure is needed to help their growth, not hinder it.