
How to set the scope and budget for pentests in SMBs?


Balazs Pozner · June 05, 2024 · 6 min read

Small and medium-sized businesses don’t have the same resources and security experience as larger corporations. Therefore, setting the scope and the budget for their security testing projects is a bigger and more complex undertaking. This blog post lists the key factors SMB leadership and IT security teams need to consider before defining the scope and budget for their penetration tests.

Defining the scope of your pentest

1. Identify your critical assets

The first step is to pinpoint your most valuable internet-facing assets. These include any sites dealing with customer data, financial information, intellectual property, critical systems, or any other type of sensitive information.

For example, an e-commerce site or a website that processes customer data (names, addresses, credit card information) requires a high level of security. The shopping season, from Black Friday to Christmas, is a particularly high-risk period for e-commerce companies. During this time, companies must ensure continuous website availability and security at the same time.

Most healthcare organizations handle sensitive personal data, so regular testing of their internet-facing assets is critical. Assets like patient portals and appointment scheduling systems can act as entry points not only for authorized users but also for cybercriminals seeking access.

In the finance, banking and insurance sectors, rigorous security testing of internet-facing infrastructure is essential to safeguard sensitive customer data, including account details, financial transactions, and personal information, from cyberattacks that could result in devastating financial losses and reputational damage.

2. Prioritize based on risk

Not all assets are equal when it comes to risk and vulnerability. Evaluate the potential impact of a breach in each system and prioritize testing based on that risk. Here’s a rough guideline:

  • High priority: any site that stores sensitive information and financial data, where a data breach could lead to financial loss and identity theft of customers. These are the most critical to protect. You can later expand the scope of your future security initiatives.

  • Medium priority: any asset where a breach could damage customer trust and disrupt business operations.

  • Low priority: sites with limited access, where a breach might expose some information but would not lead to catastrophic results.

3. Consider compliance needs

Stay informed about the regulations and compliance requirements that apply to your industry, since many of them dictate specific testing needs that directly affect the scope of your penetration tests.

Here are some examples:

In the healthcare industry, HIPAA (Health Insurance Portability and Accountability Act) requires secure storage and transmission of patient data. Regular penetration testing, bug bounty and VDP programs can help ensure compliance.

In the financial services industry, PCI DSS (Payment Card Industry Data Security Standard) mandates specific security measures for protecting cardholder data. Penetration testing helps validate these controls. Other regulations impacting the finance and banking sector, such as DORA, enforce measures to safeguard their systems against malicious manipulation, destruction, or theft of data.

In the IoT world, the UK’s new PSTI regulation mandates that consumer IoT devices must implement a Vulnerability Disclosure Policy from April 29, 2024. Manufacturers must establish a plan for addressing software weaknesses, increasing the likelihood that such vulnerabilities will be properly dealt with.

4. Internal resources

The last step is to estimate your internal IT team’s bandwidth and consider whether they can handle remediation of the findings identified by the pentest.

A small IT team might struggle to fix complex vulnerabilities identified during a large-scale, comprehensive pentest. Here, it is worth considering a more focused test for high-priority assets. A larger IT team with vast security expertise can handle a broader scope pentest and potentially address many of the identified vulnerabilities themselves.

Setting the budget for your penetration testing

1. Scope determines cost

The features and complexity of a project directly impact its price. A broader scope encompassing more systems and testing methodologies will cost more.

A basic penetration test might focus solely on your web application, using automated vulnerability scanners. This would be cheaper than a comprehensive test that includes internal servers, manual exploitation attempts, and simulated attacks.

2. Internal vs. external

If your IT team has qualified security professionals with pentesting experience, they might handle basic vulnerability scanning to identify potential weaknesses. However, this assumes they have the time and specialized tools for the job.

For complex pentesting involving advanced hacking techniques, social engineering, or compliance requirements, it’s best to engage a reputable external security firm. They have the experience, tools, and fresh perspective to uncover vulnerabilities your internal team might have missed.

3. Frequency

Determine how often you need penetration testing. Annual pentesting will be more expensive than a one-time engagement spread over several years. However, regular testing helps ensure your defenses stay up-to-date against evolving threats.

4. Market rates

Research average pentest costs for SMBs in your region. This can help you set a realistic budget expectation. Prices can vary depending on your location, industry, and company size. Knowing the average rates for similar businesses helps you set realistic expectations when negotiating with potential pentest providers.

One method to set an approximate budget is estimating the cost of your developers and calculating the percentage you want to spend on cybersecurity based on the risk factors in your industry. If you operate in a high-risk, trust-based industry, such as fintech or healthcare, this needs to be around 15% of your development costs. For lower-risk sectors that do not deal with sensitive customer information directly, this can be as low as 2%. You can then decide how much of your cybersecurity budget to dedicate to pentest efforts, depending on your specific needs, assets, and .

Clearly defining the scope is the first step

Even though penetration testing might seem like a burden, it’s an investment in your organization’s overall cybersecurity posture. The upfront cost may seem high, but the potential financial and reputational fallout from a data breach is significantly more expensive. Hackers can steal sensitive information, disrupt operations, and damage your brand reputation – at a cost far exceeding that of a pentest.

By carefully defining the scope of your penetration test, you can optimize the value you receive. Consider leveraging internal security resources for basic testing while partnering with an external firm for complex systems or specialized expertise. Researching market rates will help you set realistic budget expectations. Taking these steps demonstrates proactive security management and is the first step toward building a robust cybersecurity posture within your organization.

Written by Balazs Pozner
CEO and Founder of HACKRATE Ltd.
