Penetration Testing 101 – What you Need to Know about Proofing your Business’ Online Security

Hackers LOVE small businesses.

Larger companies have systems in place to protect their data, but startup founders have the attitude, “We are too small for a hacker to be bothered with.” Not so.

Hackers love startups because they may be contractors for larger companies and if the hacker can steal the startup’s credentials, they may be able to harvest more data from the larger business.

Hackers love any business that holds customers’ confidential data. One or two person operations will typically have less stringent data protections in place.

Protect Your Data from Day 1

Your data is valuable whether you have one client or one thousand. Hackers know more about stealing your data than you could ever dream of: It’s what they do for kicks and money every minute of the day. You have other aspects of your business to think about, so you might have left backdoors open that hackers can use to get into your system.

  • Regular daily backups of your website and onsite data are essential. Use encrypted cloud services as well as on-premises hard disks to back up crucial data, and make sure the local copies are encrypted too.
  • Forget Bring Your Own Device (BYOD). Keep your work and personal phones separate, and insist on employees doing the same. It will cost you less to provide everyone with a tablet or phone for business than to fix problems caused by people losing unencrypted data on their personal phones or from a virus in an app such as Virtual Girlfriend.
  • Stress the importance of security to everyone in your company, and set an example yourself. Change passwords every week and forbid anyone from sharing them or writing them on sticky notes.
  • Check your logs every few days, because it is essential to get on top of any problem as soon as possible.

Penetration Testing

You should prioritise data protection before you even start looking for clients. Put systems into place that your future employees can use as easily as they use a pencil and paper.

You can ask the local computer whizz kid to test out your security, but how do you know he won’t sell all or part of what he finds to hacker groups he is a member of? Penetration testing is a serious business and you should only ever employ a reputable cybersecurity company that specialises in pen testing because those companies are the only ones you can trust to access your website, sales, and client data.

Different Types of Penetration Testing

Any company you engage to reduce your vulnerability to hacking will conduct a gap analysis. They will talk to you, look at where you are now, and work out what you need to do to get to where you need to be.

  1. Remote Web Application Penetration Testing

This is the base level of penetration testing that you should be looking at. Your chosen cyber consultants will assign a tester to investigate your web server for common security concerns, including the Open Web Application Security Project (OWASP) Top 10 security risks. Industry partners may ask for evidence that you are protected against the common attack types identified in the OWASP Top 10 project. These include SQL injection, badly configured access controls, and insufficient logging and monitoring.
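To make two of those OWASP categories concrete, here is an added example (not code from the original article) showing a SQL injection flaw beside its parameterised fix, and a broken access-control lookup beside a version that checks who is asking. It uses Python's built-in sqlite3 module with a constructed in-memory user table; the table, the user names and the helper function names are assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample records for the demonstration (not real customer data).
SAMPLE_USERS = [
    ("alice", "alice@example.com", "admin"),
    ("bob", "bob@example.com", "staff"),
    ("carol", "carol@example.com", "staff"),
]


def build_db():
    """Create an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_unsafe(conn, name):
    """VULNERABLE: untrusted input is spliced straight into the SQL text,
    so a crafted name can change the meaning of the query."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn, name):
    """HARDENED: the value is passed as a bound parameter; the driver keeps it
    as data, so it can never alter the query structure."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def get_email_for(conn, requester, target):
    """HARDENED access control: only the account owner or an admin may read
    another user's e-mail. The unsafe pattern is simply calling
    lookup_email_safe(conn, target) without looking at who is asking."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ?", (requester,)
    ).fetchone()
    if row is None:
        raise PermissionError("unknown requester")
    if requester != target and row[0] != "admin":
        raise PermissionError("requester may not read this account")
    return lookup_email_safe(conn, target)


def demo():
    """Run both lookups with a normal name and with a textbook injection
    string, and return the four result lists for comparison."""
    conn = build_db()
    normal = "bob"
    injected = "x' OR '1'='1"  # constructed input that the unsafe query accepts
    return {
        "unsafe_normal": lookup_email_unsafe(conn, normal),
        "unsafe_injected": lookup_email_unsafe(conn, injected),
        "safe_normal": lookup_email_safe(conn, normal),
        "safe_injected": lookup_email_safe(conn, injected),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

With the constructed table, the unsafe lookup returns every e-mail address when given the injected string, while the parameterised lookup returns nothing because no user is literally named `x' OR '1'='1`. This is exactly the kind of difference a web application pen test report will point to, and the fix is the same in every language: bind parameters, never build SQL by string concatenation, and check the requester's identity before returning someone else's data.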

  2. Network and Infrastructure Pen Testing

Your security company will investigate your network and infrastructure for vulnerabilities. This will include checking you have installed all updates.

  3. Mobile Application Pen Testing

If you have mobile apps, they are often inadequately secured. Security vulnerabilities arise when the code was written without prioritising the reduction of hacking risk. To fix vulnerabilities you need someone to tell you that they exist and how to fix them: this is not up-to-date knowledge that most CEOs have at their fingertips.

  4. Social Engineering Prevention Services

How trusting are your employees? What would they give away to an online ‘friend’ that could be used against you? Nobody is going to share their secure password, but they might inadvertently give away information such as on-site security arrangements, backup schedules and the cloud services you use.

A hacker could synthesise a picture of your vulnerabilities by talking to different employees and putting together the different things they share.

Security awareness is a habit every employee must share. Your overall security is only as good as your least-aware staff member’s.

This service can be delivered virtually or on-site, with on-site training costing more but also being more effective at mitigating risks.

  5. Red Team Security Testing

This is the ultimate in cyber protection. Your penetration testing consultants agree scenarios with you and then try to break into your protected systems. You get a report that tells you how they managed to break in, along with help fixing the issues that let them in. Red team testing may be virtual or on-site, perhaps simulating a disgruntled employee.


Cyber-proofing your business is not optional. Rather, it is essential before you start doing business, just as a soldier puts on body armour before anyone starts shooting. You need to be prepared, and to the highest level.

How much would a data hack cost you? A few thousand to prevent hackers from destroying your business is worth it to most founders.