When it comes to pen tests, there is a huge volume of choice out there. Whether it’s a web app or external, automated or manual, independent or non-independent, the scope can lead to great variations in cost. 

Quality pen testers may push your budget a bit more, but this cost is to cover them meticulously looking through all the nooks and crannies of your IT infrastructure to determine what could be easily exploited. 

Starting from around the £2000 mark, a pen test is a lot more affordable than most people think. Set that against a potential fine of 2% of your annual revenue for trying to cut corners. 

The price of getting it wrong 

The right pen test could’ve saved UK-based Boomerang Video from a hefty £60K fine. The Information Commissioner’s Office (ICO) slapped them with the penalty after an investigation revealed they had failed to carry out regular pen tests which could have detected a website vulnerability. The result? A cyberattack leaking over 26,000 users’ card details. 

British Airways took an even bigger hit back in 2020. A data breach which resulted in the leaking of 400,000 customers’ personal and financial details went undetected for months due to an absence of robust security measures. The ICO weren’t happy, issuing a painful £20m fine to the airline, which at the time was their biggest to date. 

Companies of all sizes need to stay on top of their vulnerability assessments. Any internal system update or introduction of a new third party requires ongoing testing. And if you’re expanding, every new employee represents an increased risk. You may have tested for one thing the first time around, but not considered novel threats or tactics as your business evolves. 

Remote and hybrid working has brought an extra challenge to businesses. Phishing attacks are on the rise, with many opportunistic cybercriminals taking advantage of the stress and disruption the pandemic brought to many digital workspaces. Most employees had an overnight change to working from home, without the benefit of basic cyber and phishing awareness. 

So when considering which pen test to go for, consider: do you need every employee tested from top to bottom, or just new starters? If you’ve never carried out a phishing test for example, we’d recommend testing the entire employee cohort. 


The advantages of getting it right 

The pros of staying on top of your cyber hygiene are obvious. Taking the time and effort to protect all of the data moving around your business every day maintains your reputation as a trusted party, and saves you from coughing up an eye-watering sum if anything were to go wrong. 

There’s a whole range of options out there, from cheaper AI-automated tests that don’t always give you full security coverage, to robust tests carried out by CREST-certified testers. Ultimately, getting a trusted company who understands all the nuances of different types of testing is essential. 


Which type of test is right for you? 

An external pen test tries to find flaws in your data security by trying to break in from the outside. By probing your perimeter defences, this type of test can identify flaws such as weak passwords, unpatched software and misconfigurations. By contrast, an internal pen test assumes some degree of network access, and simulates the actions a hacker or disgruntled employee might take from inside a network. 

Often holding sensitive data such as credit card or personal information, web and mobile applications are highly prized targets for cyberattacks. A web app pen test will look for weak points that could compromise your websites or web applications, including CRM systems, extranets or internal programs. Mobile app pen tests detect any vulnerabilities that may have been left within the application, such as default credentials or encryption keys. 

An automated test, sometimes referred to as a vulnerability scan, can never be as thorough as a manual test. It could overlook vulnerabilities of low risk, even though risks of any size should be scrutinised. 

That’s why we’ve chosen to stick to a red team approach, which makes use of powerful automated tools but also a senior tester and ethical hacking team who can simulate a real world threat. 

It’s possible to get your pen tests through a cybersecurity company that will also provide solutions to fill the gaps in your security infrastructure, and potentially training for your employees. However, many companies prefer to choose an independent pen tester to review their security, much as you would choose to have an MOT or NCT carried out independently of those who make a living fixing the problems they uncover. 

A bespoke pen test, led by a senior CREST-certified tester 

Starting at €1999 (£1750), we offer a bespoke service based on individual client needs, considering risks you may have already spotted yourselves. 

There’s value in consultancy, which is why we offer a hands-on approach from initial scoping through to the delivery of a detailed and comprehensive report. You can go away, absorb it, and share what you need with your technical team before coming back to us for any clarification. We work on a traffic light system, highlighting critical items, while also including points of advice and best practice. 

Our close-knit team enjoys being hands-on with every client, ensuring exceptional customer service at every point in the process. 

The Chief Operating Officer of one of our clients had this to say, “As a digital health company data security is paramount for our business, therefore it was important to choose the right company for our penetration testing requirements. Datavax provided an excellent service from beginning to end, responding promptly to any queries and providing thorough testing, reporting and technical follow up.” 

If you’re ready to make your business digitally secure, get in touch.