If you’ve ever engaged the services of a penetration testing company, you know they’re not cheap. In fact, it’s not unusual to feel you’ve been slapped, thrown in a bag, and hung up to dry. These types of costs can be absorbed by larger companies and enterprises, but not smaller ones, which lack the budgets to take that kind of hit.
Most small and medium businesses (SMBs) lack the funding for a five-figure report. Yet, it can be argued that these companies are more in need of this sort of professional aid. If they lack the budget for penetration testing, they also lack the budget for a large team of security experts to continually monitor and protect their assets.
So, what exactly do companies in this position do to protect themselves? Usually, they rely on the ISP that provides their ADSL or FIOS link and a couple of copies of consumer-grade AV and malware protection. I know that some companies are more thorough than this, but I’m talking about the vast majority of SMBs.
These are small businesses that take payments. This is considered “OK” because they use bank-authorised payment applications, running on a machine protected by a consumer-grade AV product, connected to the Internet via an ADSL router left on its default settings, because obviously the ISP has configured it to be safe.
This should be a cause for concern. How sure can you be that these businesses conform to regulations like those of the PCI (Payment Card Industry) when they can’t afford the cost of a full penetration test?
Well, as of February 26, this is no longer the case. The Cyber Protection Group has announced it is offering a network penetration test and vulnerability assessment for only $2,000. This is great news for SMBs, as breaches seem to have become the norm, and the demand for network and web application security is increasing rapidly.
How can the Cyber Protection Group provide this service for a fifth of the usual going rate? Simple economics. It has lower overhead and a greater run rate. A traditional penetration tester charging $10,000 per test typically does one or two tests a month, which comes to twelve to twenty-four per annum, generating $120K to $240K in revenue. At the price the Cyber Protection Group is offering, it should be conducting one to three tests per week, and the rate will pick up rapidly as demand increases. It should quickly ramp up to $8,000 to $12,000 per week and will keep its consultants busy over the course of a year, not sitting on a bench.
One potential fly in the ointment is the consultant knowledge base. Consultants who are fully engaged on customer sites may not have the time to keep their knowledge of new threats and penetration testing techniques up to date.
So, what you get for your $2K is a standard non-exploitation test. If the Cyber Protection Group finds any vulnerabilities, it will not exploit them but will give you a report and advice on remediating them. The Cyber Protection Group runs the test remotely, so it avoids the additional costs of travel and overnight stays. Long story short, if you have up to fifty external IP addresses and are worried about your IT security, this looks like a cost-effective offering.