Tom Shanley, SVP of Technology Services for SmartSource    

In small to medium-sized businesses, wearing multiple hats is commonplace. Often, the individuals tasked with managing Information Technology and Security have other responsibilities, and understanding how to protect company data can be a challenge. 

Imagine you are an office manager, tasked with controlling costs around your organization’s information technology because you once fixed the toaster in the company breakroom. Your boss, in a semi-panic stemming from a recent cybersecurity article, comes to you demanding a security audit. Chances are you will not know where to begin. To start, let us examine the two most common security assessments performed for small businesses and how they differ.

Vulnerability Assessments 

Vulnerability Assessments are used to identify potentially exploitable vulnerabilities, referred to as “attack vectors,” in your network. These assessments focus on internal and external attack vectors, such as a company’s email system, firewalls, servers, and endpoints. Ideally, vulnerability assessments should be run quarterly so that each new report verifies that the remediation steps recommended in the prior quarter have actually been completed. Once a vulnerability assessment is completed, a report is generated, highlighting all areas of weakness and the steps needed to harden a company’s security posture.
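The quarter-over-quarter check described above is easy to automate once scanner output has been normalized to a host, a check identifier and a severity. The following is an added example, not code from the author or SmartSource: it compares two constructed quarterly findings lists and reports which items were remediated, which are new, and which have persisted, escalating persistent high and critical items. The hosts, check identifiers and severities are invented for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

# Severities in the order a typical scanner report uses; assumption for this example.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
ESCALATE_AT = {"critical", "high"}   # persistent findings at these levels get flagged


@dataclass(frozen=True)
class Finding:
    """One normalized scanner finding. Equality is by host + check, not severity,
    so a re-rated finding still counts as the same open item."""
    host: str
    check_id: str     # scanner check identifier (constructed values below)
    severity: str

    def __eq__(self, other):
        return (self.host, self.check_id) == (other.host, other.check_id)

    def __hash__(self):
        return hash((self.host, self.check_id))


# Constructed sample data standing in for two quarterly reports.
PRIOR_Q = [
    Finding("mail01", "SMTP-OPEN-RELAY", "high"),
    Finding("fw01", "FW-ADMIN-PANEL-EXPOSED", "critical"),
    Finding("ws-017", "OS-MISSING-PATCHES", "high"),
    Finding("srv02", "SMB-SIGNING-DISABLED", "medium"),
]
CURRENT_Q = [
    Finding("fw01", "FW-ADMIN-PANEL-EXPOSED", "critical"),   # still open since last quarter
    Finding("srv02", "SMB-SIGNING-DISABLED", "medium"),      # still open since last quarter
    Finding("ws-022", "OS-MISSING-PATCHES", "high"),         # new host, new finding
]


def compare_quarters(prior: Iterable[Finding], current: Iterable[Finding]) -> dict:
    """Classify findings as remediated (gone), new (appeared) or persistent (still open)."""
    prior_set, current_set = set(prior), set(current)
    key = lambda f: (f.host, f.check_id)
    # Persistent items are taken from the current report so the latest severity is kept.
    persistent = [f for f in current_set if f in prior_set]
    return {
        "remediated": sorted(prior_set - current_set, key=key),
        "new": sorted(current_set - prior_set, key=key),
        "persistent": sorted(persistent, key=key),
    }


def escalations(report: dict) -> list:
    """Persistent findings at or above 'high' that should be raised to management."""
    return [f for f in report["persistent"] if f.severity in ESCALATE_AT]


def remediation_rate(report: dict) -> float:
    """Fraction of last quarter's open items that were closed this quarter."""
    closed = len(report["remediated"])
    carried = len(report["persistent"])
    return closed / (closed + carried) if (closed + carried) else 1.0


def summarize(report: dict) -> str:
    lines = [f"remediated={len(report['remediated'])} new={len(report['new'])} "
             f"persistent={len(report['persistent'])} "
             f"remediation_rate={remediation_rate(report):.0%}"]
    for f in sorted(escalations(report), key=lambda f: -SEVERITY_RANK[f.severity]):
        lines.append(f"ESCALATE {f.severity.upper():8} {f.host:8} {f.check_id}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(compare_quarters(PRIOR_Q, CURRENT_Q)))
```

Running the block against the sample data reports two items remediated, one new, two persistent and a 50% remediation rate, with the exposed firewall admin panel flagged for escalation. The point of keeping the prior report rather than only the latest is that an assessment run in isolation cannot tell you whether last quarter's recommended fixes were ever applied.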

Penetration Tests 

Penetration Tests, which are often confused with vulnerability assessments, take things a step further by identifying vulnerabilities and actively exploiting them to show the true scope of damage that can occur when a company’s attack vectors aren’t hardened. Penetration tests are more intrusive than vulnerability assessments and have a more significant impact on company operations. As a result, penetration tests generally cost far more than a vulnerability assessment and typically only need to be run once per year.

Whether your business is small or large, a best practice for maintaining a high level of security is to run vulnerability assessments quarterly and penetration tests annually. Vulnerability assessments are an ongoing measure that keeps the network continually secure. In contrast, a penetration test is akin to a final exam, wherein the steps taken to remediate vulnerabilities are proven effective.

Regardless of the security assessments/tests selected, having these initiatives managed through a third-party IT Security consultant is essential. Failure to do so creates a conflict of interest: an internal IT team should not be tasked with verifying how well it is keeping the company’s network secure. There is a saying in Information Technology: “Who watches the watchers?” You never want your IT team to be the be-all and end-all when it comes to verifying the effectiveness of your security posture. That should be assessed and confirmed by an outside entity, which performs the assessments and helps internal IT teams remediate identified vulnerabilities.

Vulnerability Assessments and Penetration Tests should be a staple of your Information Security practices, providing peace of mind in an increasingly volatile IT landscape.