Penetration Test · Jan Kahmen · 8 min read

Penetration Testing for SMEs - Security for Small and Medium-sized Enterprises

This makes the penetration test a useful tool for SMEs: it detects exposed vulnerabilities and helps to increase internal security.

Which Enterprises are Covered by the SME Scheme?

The term small and medium-sized enterprises (SMEs) is a collective term for firms that distinguishes them from larger companies by balance sheet total, annual turnover and number of employees. It is independent of the legal form chosen or the shareholder structure. According to the EU Commission, the following characteristics define an SME:

  • It has fewer than 250 employees.
  • The annual turnover is less than 50 million euros.
  • The balance sheet total is no more than 43 million euros.

What is the Benefit of a Penetration Test for SMEs?

A penetration test offers SMEs important insights. During the procedure, experts attempt to penetrate the internal systems in the same way an attacker would. The findings help to improve IT security: the test detects exposed vulnerabilities and shows where internal security needs to be strengthened.

This is how the Penetration Test for SMEs Proceeds

In an SME penetration test, the experts have to proceed differently than they would in a large company. One reason is that individual IT components such as Active Directory are often used only to a limited extent, so an in-depth analysis of them would not be a sensible part of the test.
It makes more sense to concentrate on the quick wins than on a detailed examination of individual systems, in other words on an overview of the general vulnerabilities of the infrastructure. Accordingly, a penetration test for an SME always addresses a broad part of the environment. The advantage of such a pentest is that it provides an overview of the possible attack vectors. For this assessment, both automated and manual test procedures are used.

Cyber Security Check

A cyber security check tells you how high the security requirements in your company are. This analysis takes into account the measures already in place. Such checks are specifically designed to meet the needs of SMEs and are highly effective: they support planning and help create an environment in which you can manage threats and risks.

The Actual Penetration Test

The actual penetration test helps the SME identify the vulnerabilities in its infrastructure. In addition to a general vulnerability scan, a network scan should therefore also take place. This combination allows the penetration test to cover all areas of the SME's environment. The result is an overview of the exposed vulnerabilities that pose a risk to your internal IT environment.

The Sensitisation

Just like the penetration test itself, the sensitisation is tailored to the SME's specific needs. In an awareness training, employees are informed about the threats relevant to the organisation and about how attackers proceed. They also learn how to recognise such attacks and how they should ideally react to them. This reduces the risk of a cyber attack causing excessive damage.

Different Strategies for Pentesting mid-sized Companies

Medium-sized companies are too often convinced that penetration testing does not pay off. The reasons for this are manifold; often it is the belief that their IT is not vulnerable or would not be worthwhile for an attacker. This is not true: IT security can only be assured if it is professionally monitored, and an SME penetration test is one such protection mechanism that prepares the company for potential attacks in the best possible way.
A penetration test for an SME deals with the computer systems, the network and the web applications in use. It tests them for vulnerabilities and identifies the places that would make it easier for an attacker to penetrate the system. Whether the test is automated or manual depends on numerous factors.
The first step is usually the collection of information about the target environment. This step is not mandatory, but it helps to save time. It is followed by various intrusion, attack and manipulation attempts, which can be real or simulated depending on which type of penetration test is suitable for the SME. Different strategies are available for this.

Strategy 1: Planned Test

In a planned penetration test, the SME knows that the IT service provider is launching an attack. The teams on both sides work together and try to identify the vulnerabilities jointly. This test is also called a 'daylight' test, because at every stage it is known what is happening. This collaboration makes it possible to get by with very little information gathering in advance.

Strategy 2: External Test

In an external test, the SME penetration test targets the externally reachable devices and servers. These include, for example, the domain name server, the web server, the mail server and the firewalls. The aim of the test is to find out whether an external attacker can penetrate the system and, if so, how far such an attacker could gain access.

Strategy 3: Internal Test

An internal penetration test for an SME concerns all areas that lie behind the firewall. The basis of this test is the assumption that an attacker has already gained access. The question at this point is what an authorised user with the usual standard rights can do. This test therefore shows not only what damage an external attacker could do once inside, but also what an employee could do.

Conclusion - Penetration Tests should also be part of IT Security for SMEs

A penetration test is an important part of internal security monitoring for an SME. The insights gained not only tell you which vulnerabilities exist in your company; the experts also show you how to react correctly and advise you on how to eliminate the security gaps found.
Even if an SME employs an IT department, the following applies: as long as your own core competencies lie in another area, an expert should take care of the penetration test. Working through the findings requires extensive expertise, which trained IT service providers have.
Which strategy and which type of penetration test is best suited for the SME depends on your own needs. For example, experts can perform the test remotely. This not only saves travel costs, but is also a good option if space on site is limited.
The result of the pentest is a detailed report: it shows you which security gaps exist and how you can best close them. The expert usually also supports you in eliminating the vulnerabilities.
