This is how a pen test keeps your business secure

Data breaches and cyberattacks on companies have dominated the news lately. Is your IT security up to par? You can test this with a pen test. Find out why a pen test is also useful for small businesses.

“With a pen test, or ‘penetration test’, you look for weaknesses in your digital systems”, says Steven Dondorp, CEO of security company Northwave. A pen tester is an ethical hacker – a hacker you hire to test the digital security of your network or systems, or of specific software. They discover vulnerabilities in your system, for instance. “You can then fix those errors pre-emptively, before cybercriminals take advantage of them.” And that makes sense when you consider that, in 2021, the police received 14,000 reports of cybercrime, almost a third more than the year before.

1. How does a pen test work?

Now you may be thinking: sign me up for a test like that. Unfortunately, there is no such thing as ‘the’ pen test. What the test looks like depends on the system you are testing, the scope of the test, and what information you, the business owner, disclose upfront. Think accounts, passwords or source code. Sometimes the pen tester searches for vulnerabilities manually. Or they conduct an in-depth investigation and run through every line of computer code. Other times, a script automatically detects weaknesses.

2. Why is a pen test interesting for SMEs?

“It is not about whether you are big or small, but whether you work with sensitive data and IT systems”, says Dondorp. “And these days almost everyone does that.” Dondorp recommends checking on a regular basis whether those data and systems are properly protected. 

“That way, you prevent criminals from checking to see whether you are vulnerable, with consequences that we read about every day in the newspaper among business owners big and small.” Cybercriminals install malware through vulnerabilities, for example, or hold your system hostage with ransomware. If you would rather start off simply, you can start with a free cyber scan. Note: use scans only from independent, trusted parties. 

3. How much does a pen test cost?

The price of a pen test depends entirely on the scope, the depth required for testing, and the quality of the reporting on the test. “It obviously matters whether you want to do a pen test on an entire business, just part of a network, or only an application.” 

Dondorp says that a small medium-depth pen test from a smaller security company, with reporting on key issues, will cost anywhere from €900 to €1,500. In that case, the pen tester will not look at the source code in detail, but will check your system for common vulnerabilities. 

The bigger your company, and the more complex your IT systems, the more expensive the test will be. “If the test is very complex and if even the smallest error has to be found, the price for the one test can reach many tens of thousands of euros.” For a test of that kind, you should bring in a larger security company.

4. Is that not dangerous, letting a hacker loose on sensitive data?

Of course, you want to be sure that an ethical hacker will not misuse your sensitive information. That is why, according to Dondorp, it is important to have pen tests carried out only by recognised and reputable security companies. “For example, check whether the security company itself is certified to the ISO 27001 information-security standard, or is a member of the trade association Cyberveilig Nederland (Cybersecure Netherlands, in Dutch).” Since 1 April 2021, there has been a national seal of approval (in Dutch) for pen testing. 

Make sure your IT suppliers, such as your hosting company, are aware that the test is taking place. That way, you can make sure your web-hosting provider, for instance, will not block your site because they think the testing is suspicious. 

5. What happens after a pen test?

The last step is the most important: fix the vulnerabilities the pen tester has found. “The report on a good pen test always includes recommendations and suggestions for improvement”, says Dondorp. Some things you can fix yourself, for instance by making your passwords stronger. Others, such as modifications to the source code, perhaps not. 

“But with the report, the business owner can ask for targeted action from their supplier or IT partner, for example, to resolve issues.” A check-up usually follows shortly after the test. Then the pen tester checks one more time to make sure the security flaws have indeed been fixed.

If you have had your company pen tested, we would love to get in touch with you. Share your experience via kvk.cyber@kvk.nl