Penetration testing 101 – A guide for UK business

How much would you bet that your business is 100% secure – £10, £1,000, £10,000,000? You could be betting your company’s very existence and your house if you have personal loans out against it.

Why would a sane business owner knowingly take a risk like that? The answer is in that word, ‘Knowingly’.

Risk analysis

Risks don’t go away because you have not assessed them.

There are two components to any risk: the probability of an event happening, and the consequences of that event.

You will suffer a data breach; it’s just a matter of when, and how severe it will be.

“75% of large businesses and 30% of small businesses suffered staff-related breaches” (UK Government press release). And that’s just staff-related breaches.

The consequences of a data loss are catastrophic. Even discounting business-destroying GDPR fines, there is the loss of reputation, and that alone would mean many customers losing their trust in you. If people no longer trust you, they won’t buy. Hello Mr. Liquidator.

Minimising your risk

You can do it yourself or call in professionals.

DIY cybersecurity

Your first stop should be the UK government site, where you will find detailed and free advice to secure your information systems and train employees.


The management of your cybersecurity is crucial to the continuing existence of your business. It must be an executive-level responsibility. Decisions and policies need to be set at the top if your employees are to take the issues seriously.


The National Cyber Security Centre (NCSC) has many resources, all of which you can download without charge. There’s a lot to take in, but protecting your business is as important as marketing and sales: Prioritise security.

What is the cost of a senior executive devoting a month to securing your cybersecurity?

(Annual salary + pension and other benefits)/12

Amateur cybersecurity

You will find freelancers who will attempt to hack your company’s defences, but are you seriously going to have much confidence in someone working for £5 an hour? If your freelancer gets in, they could destroy or otherwise compromise your data. You could be inviting someone into your network who will lock up your data and hold you to ransom. No, don’t go there.

Professional cybersecurity

DIY cybersecurity is far from free if it requires a highly-paid executive and managers to put it in place. It often makes more sense to outsource the entire process to a specialist UK penetration testing company because the cost will be lower, the process will be faster, and there will be no disruption to your executives’ normal workload.

What is penetration testing?

There are different levels of penetration testing depending on the level of assurance you need. All need executive-level cooperation and meetings, so there will still be a salary cost in addition to the penetration testing company’s charges.


A network security penetration test is the most basic level of penetration testing: This examines your computer network and how quickly a hacker could get into it. It will include remote access and on-premises vulnerability testing.

A web application pen test is more complicated and would look at the scripts you have on your website and any apps you use.

The top level of security assurance would involve a ‘red team’ of professional security consultants. They would use various subterfuges to gain employees’ trust and to gain access to your offices and servers. They would leave evidence of their ‘break-in’ and advise you on the measures you need to take to prevent a malicious hacker following the same route.

The short version

This article lists just four of the many threats to your company’s cybersecurity, and the probability of you falling victim is high.

Reducing the risk of a catastrophic data breach will cost time and money. Even if you use free guides from the government, it will involve a senior manager or executive spending many weeks assessing your vulnerabilities and taking corrective action.

If you take a DIY approach to securing your network, you should still call in an accredited penetration testing company: this is the only way to be certain you have dotted all the ‘i’s and crossed all the ‘t’s.

Calling in a UK penetration testing company would be a less time-intensive way to test and secure your defences against the malcontents and criminals who would get their kicks from destroying what you built up.