Why small businesses need pentests too

by Niki on November 10, 2011

1. They ARE important

A common misconception I have heard dozens of times from different kinds of small business owners is that they think they're not important enough. I have heard this phrase over and over again: "Why would anyone want to hack me? I don't have any valuable information". WRONG. Customer information, contact information, personal details, etc. are all saved in some online application. Emails contain sensitive information about deals, plans and possibly details that could crack a reputation. Don't ever think your online infrastructure is not important to a hacker. It is. Even if they don't want your deepest secrets, they will use your infrastructure to send spam, host illegal content or just to f*ck with you.

2. Most of them are less secure

Small businesses mostly have to rely on limited resources. They often run their website, CRM and other applications on outdated, vulnerable software, and more often than not have an IT infrastructure that works but is not 100% correctly configured. Even when software is regularly updated, a good penetration test can uncover interactions between applications and infrastructure that make their trusted environment vulnerable, yet are not visible to the untrained eye.

3. Pentests for small businesses are cheap

The cost of a pentest is largely based on the size and complexity of the infrastructure to test. The more hours a pentester spends, the more dollar bills he gets paid. Since most small businesses have smaller infrastructures …, you get the point. Now this is not really a reason for doing it but more of a reason for not not doing it. A valid point in my book.


If you own a small business, you should get a pentest because you are an important target, you are probably not secure and you CAN pay for it.


