How often should small business cyber security be checked?
- At a minimum, most small businesses should be checking it annually.
- If your company has compliance requirements, it should be checked quarterly or even more frequently.
- If your infrastructure or software changes frequently, is complicated, or if you are a popular target for an attack, like an online retailer, checks should be run monthly.
- If you use a managed service provider (MSP) like Intrust IT, then your IT support provider should be performing the tests for you. We recommend you check that they are following best practices and ask for reports.
Best Practices for Small Businesses
Even if you work with an IT managed service provider (MSP), don’t just assume that the provider is running the security check at the right frequency. You should receive reports to show what was scanned, any issues that were discovered and what was done to resolve those issues.
Your IT managed service provider should also meet with you on a regular basis. In those meetings, your account manager should inform you about what security improvements are being made and why. Sadly, we’ve met many companies who thought this was being done but found out later that it was not.
How Do You Test Small Businesses Cyber Security?
The next question we always get is “How does a small business test their cyber security?" In most cases, small businesses need only a security assessment that consists of internal and external vulnerability scans not an expensive penetration test.
A security assessment looks at all aspects of the company’s cyber security and uses automated tools to check for things like insecure open ports on a firewall, missing software patches, bad password policies, etc.
Today’s security assessment tools are incredibly sophisticated and scan everything rapidly. Because the tools are automated, the costs have become more reasonable as well.
Once a security assessment has been done and all issues are resolved, a follow-up scan should be run. This follow-up scan will confirm all work required was completed correctly.
After those vulnerabilities are corrected, the next biggest vulnerability to address is in your user population. The cyber security threat posed by users is mitigated with security training coupled with phish-testing. Only after all of this work is complete, then it may be advisable to consider spending money to have a penetration test conducted.
Do You Need Penetration Tests for Cyber Security Screening?
Many small businesses are told by unscrupulous providers that they may need a penetration test or pen-test performed for tens of thousands of dollars. A penetration cyber security test is rarely needed for most small businesses. Instead, internal and external vulnerability scans are the best place to start.
A penetration test is where someone outside the organization finds a vulnerability in the company’s security. They then seek to exploit that vulnerability to gain access to internal systems and possibly even exfiltrate data.
If you aren’t sure when your last security assessment was conducted, then you need to contact Intrust IT today and get it scheduled ASAP!