TL;DR: Small businesses are often breached because they assume their size makes them less attractive, yet the article cites 70% of cybercrimes targeting small business and $5.4 million average breach costs, according to DigiCert. The practical lesson is that penetration testing is a governance control, not a luxury expense, because hidden exposure is what attackers exploit.
At a glance
What this is: A DigiCert blog post arguing that small businesses should treat penetration testing as a necessary control because breach risk, cost, and reputation impact are often underestimated.
Why it matters: It matters to IAM and security teams because the same false confidence that leaves network weaknesses untested also leaves identity and access gaps unmeasured, whether the subject is human, NHI, or autonomous systems.
By the numbers:
- 70% of cybercrimes that resulted in data breaches targeted small business.
- About 60% of small businesses that suffer a data breach close within six months.
👉 Read DigiCert's blog post on why small businesses should pentest
Context
Small businesses often treat breach testing as something reserved for larger organisations, but that assumption breaks down quickly once an attacker looks for the easiest path in. In practice, the issue is not company size; it is whether weaknesses have been surfaced before an attacker finds them. For identity and access programmes, the same logic applies across human users, service accounts, and automated systems.
Penetration testing is essentially structured adversarial validation. It asks where an environment is most exposed, whether those weaknesses are technical, procedural, or identity-related, and what the business impact would be if they were used. The article frames pentesting as a pragmatic control, not a theoretical exercise, and that is the right starting point for any security programme that still relies on assumptions about being too small to matter.
Key questions
Q: How should small businesses prioritise penetration testing when budgets are tight?
A: Start with the highest-value paths into the business, especially internet-facing systems, administrative interfaces, and identity controls that could turn a small weakness into broad access. Prioritise tests that reveal real blast radius, because a short, focused test that exposes a critical path is more useful than broad testing that produces only low-value findings.
Q: Why do small organisations still need penetration testing?
A: Small organisations are often easier targets because they may have weaker monitoring, fewer safeguards, and less recovery capacity. Penetration testing shows whether an attacker can move from one weakness to meaningful impact, which is what actually matters when deciding where to invest limited security budget.
Q: What do security teams get wrong about breach risk in small businesses?
A: They often confuse size with safety. Attackers do not need a large target if a smaller one has exposed credentials, weak access control, or poor detection. The better question is not whether the business is small, but whether a single entry point can quickly become a damaging incident.
Q: Who should be accountable for turning pentest findings into action?
A: Security leadership, infrastructure owners, and identity teams should share accountability, because the findings usually cut across systems and access control. The report should not end with a vulnerability list. It should end with named owners, remediation dates, and a clear view of which risks threaten continuity and customer trust.
Technical breakdown
Why small organisations remain attractive attack targets
Attackers often choose the path of least resistance, not the largest organisation. A smaller business may have fewer controls, less monitoring, and weaker recovery capacity, which makes it easier to turn a single exposed weakness into an incident. Penetration testing helps reveal those soft spots before an external actor does. In identity terms, this includes exposed credentials, weak authentication boundaries, and administrative pathways that were never reviewed under pressure.
Practical implication: test for exposure as if you were the attacker, then prioritise the paths that would most quickly produce access or data loss.
How breach cost changes the risk equation
The article uses cost to show that the price of inaction is not abstract. Breach losses include direct response effort, lost business, recovery work, legal and compliance costs, and brand damage that can persist after the technical issue is fixed. That changes pentesting from a security nice-to-have into a business decision about exposure tolerance. For IAM teams, unmanaged privileges and weak access boundaries often become the fastest route from technical weakness to financial impact.
Practical implication: tie pentest findings to business impact so remediation is ranked by likely loss, not just by technical severity.
Why reputation loss is part of the technical threat model
The article makes clear that a breach does not end when systems are restored. Customer mistrust, partner hesitation, and procurement scrutiny can outlast the incident itself. That is why exposure testing should be paired with a clear understanding of what data, identities, and privileged paths are reachable from each weakness. Even a small breach can become a governance problem if the organisation cannot explain how the attack happened or why it was not detected sooner.
Practical implication: include identity pathways and customer-impact scenarios in test scope, not just network or application weaknesses.
NHI Mgmt Group analysis
Pentesting is a governance discipline, not a compliance checkbox. The article’s core argument is that small businesses fail when they assume scale protects them from attack. In reality, exposure has nothing to do with company size and everything to do with whether it is being actively measured. For identity security programmes, the lesson is that unknown weaknesses are still weaknesses even when the organisation feels too small to attract attention. The practitioner conclusion is simple: validate exposure before an attacker does.
False size-based confidence is a control failure. The piece shows a familiar governance pattern where organisations know a risk exists but delay action because they believe they are an unlikely target. That is not a threat model; it is an assumption problem. In IAM terms, this is the same mistake made when teams defer access review, secrets review, or privilege testing because the environment seems limited. The practitioner conclusion is that programme maturity starts with abandoning the idea that obscurity equals safety.
Penetration testing exposes identity and access paths that normal operations hide. The article focuses on network testing, but the deeper lesson is that attack paths rarely stop at a perimeter weakness. Once an entry point exists, the question becomes whether credentials, roles, or administrative pathways let the attacker turn that foothold into impact. That is why pentesting should inform NHI, PAM, and human access governance together. The practitioner conclusion is to test the paths that convert access into damage, not just the presence of vulnerabilities.
Identity blast radius is the real business risk. When a small organisation is breached, the problem is rarely the initial vulnerability alone. The damage comes from how far access can spread once something is compromised, whether that is a user session, a privileged account, or a service credential. This makes blast radius a more useful governance concept than isolated vulnerability counts. The practitioner conclusion is to measure how much reach a single compromise would create across identity and access layers.
Penetration findings only matter when they change remediation priority. The article correctly argues that testing should drive action, but too many organisations stop at the report. Security teams need to connect test results to a ranked remediation plan that covers exposure, privilege, monitoring, and recovery. That is especially important where human and non-human identities share the same systems. The practitioner conclusion is to use pentest output to reset control priorities, not to generate another shelf report.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- For a broader view of how exposed credentials accelerate compromise, see DeepSeek breach and use it to reset your exposure assumptions before the next test cycle.
What this signals
Identity blast radius: small businesses should stop measuring security maturity by size and start measuring it by how far one exposed path can travel. The practical issue is not whether a breach is statistically likely, but whether a single foothold can reach credentials, admin functions, or sensitive records before containment begins.
Pentesting becomes more valuable when it is tied to access governance, because that is where hidden reach usually lives. If a team cannot explain which credentials, roles, and systems a tester could reach from one entry point, the programme is still relying on assumption rather than evidence.
The next maturity step is to treat vulnerability validation, identity review, and incident readiness as one workflow. That is where small organisations gain the most leverage, because a short testing cycle can expose both technical weakness and the governance gap that turns it into business risk.
For practitioners
- Run attack-path-based pentests on the full environment: Scope tests to include externally reachable systems, identity stores, administrative interfaces, and any paths from initial access to sensitive data. The goal is to prove whether one weakness can become real business impact, not just whether a scanner finds a vulnerability.
- Prioritise identity exposure in every remediation plan: Track exposed credentials, excessive privileges, stale accounts, and weak authentication boundaries as first-class findings. These are often the shortest paths from discovery to impact, especially when attackers look for fast wins in smaller environments.
- Translate pentest results into business-loss scenarios: Map each high-risk finding to downtime, data loss, recovery effort, and customer trust impact so leadership sees why it matters. Remediation funding is easier to secure when the report shows how a single path could affect the business.
- Include recovery and communications in the test debrief: Treat incident response readiness as part of the validation exercise. If a breach were to occur, teams should already know who contains access, who investigates identity-related paths, and who communicates with affected stakeholders.
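The blast-radius and business-impact ranking discussed above (in the analysis section and in the first three practitioner items) can be made concrete. The script below is an added example, not code from the DigiCert post or from NHI Mgmt Group. It builds a small, constructed access graph in which an edge means "controlling the source yields the target" (a leaked credential grants a role, a role reaches systems), computes the identity reach of each constructed pentest finding from its entry point, ranks findings by the business impact of what they can reach rather than by CVSS, and shows how removing one identity edge (a remediation) changes the ranking. Every node name, impact weight, finding and CVSS value is a constructed assumption.

```python
"""Identity blast-radius scoring over a constructed access graph (added example)."""
from collections import deque

# Constructed sample access graph (hypothetical; not from the DigiCert article).
# An edge "a -> b" means that controlling a lets an attacker obtain b.
ACCESS_GRAPH = {
    "vpn-portal": ["helpdesk-user"],
    "helpdesk-user": ["ticket-system"],
    "ticket-system": ["stale-admin-account"],   # old admin password pasted in a ticket
    "stale-admin-account": ["domain-admin-role"],
    "domain-admin-role": ["file-server", "hr-database", "backup-server"],
    "ci-runner": ["deploy-token"],
    "deploy-token": ["prod-app-server"],
    "prod-app-server": ["customer-database"],
    "marketing-site": ["cms-editor"],
    "cms-editor": [],
    "file-server": [],
    "hr-database": [],
    "backup-server": [],
    "customer-database": [],
}

# Business impact weights for sensitive assets (constructed; 0-10 scale).
ASSET_IMPACT = {"customer-database": 10, "hr-database": 8, "backup-server": 7, "file-server": 4}

# Identities that count as privileged when an attacker reaches them (constructed).
PRIVILEGED = {"stale-admin-account", "domain-admin-role", "deploy-token"}

# Constructed pentest findings: an entry point plus a technical severity score.
FINDINGS = [
    {"id": "A", "title": "VPN portal allows weak MFA enrolment", "entry": "vpn-portal", "cvss": 5.3},
    {"id": "B", "title": "CI runner reachable from the internet", "entry": "ci-runner", "cvss": 7.5},
    {"id": "C", "title": "Outdated CMS plugin on marketing site", "entry": "marketing-site", "cvss": 9.8},
]


def reachable(graph, entry):
    """Breadth-first search: every node an attacker controls after taking `entry`."""
    seen = set()
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(entry)  # the entry point itself is not part of the spread
    return seen


def blast_radius(graph, entry):
    """Summarise identity reach and business impact for one entry point."""
    reach = reachable(graph, entry)
    return {
        "nodes": len(reach),
        "privileged": sorted(reach & PRIVILEGED),
        "assets": sorted(reach & set(ASSET_IMPACT)),
        "impact": sum(ASSET_IMPACT[a] for a in reach if a in ASSET_IMPACT),
    }


def rank_findings(graph, findings):
    """Order findings by the business impact of their blast radius, then by CVSS."""
    scored = [{**f, **blast_radius(graph, f["entry"])} for f in findings]
    scored.sort(key=lambda s: (s["impact"], s["cvss"]), reverse=True)
    return scored


def without_edge(graph, src, dst):
    """Return a copy of the graph with one access relationship removed (a remediation)."""
    new = {k: list(v) for k, v in graph.items()}
    new[src] = [n for n in new[src] if n != dst]
    return new


if __name__ == "__main__":
    print("Ranked by blast radius (business impact), not by CVSS:")
    for s in rank_findings(ACCESS_GRAPH, FINDINGS):
        print(f'  {s["id"]} cvss={s["cvss"]:<4} impact={s["impact"]:<3} '
              f'privileged={s["privileged"]} assets={s["assets"]}')
    # Remediation: scrub the stale admin credential from the ticket system.
    fixed = without_edge(ACCESS_GRAPH, "ticket-system", "stale-admin-account")
    print("After removing the stale admin credential from the ticket system:")
    for s in rank_findings(fixed, FINDINGS):
        print(f'  {s["id"]} impact={s["impact"]}')
```

In the constructed data the critical-rated CMS finding (C) reaches nothing of value, while the medium-rated VPN finding (A) reaches domain admin and three sensitive systems, so it ranks first. Removing a single identity edge (the stale credential in the ticket system) drops A's impact to zero without touching the VPN at all, which is the point of ranking by reach: the cheapest fix is often an identity clean-up rather than the headline vulnerability.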
Key takeaways
- Small businesses are not safer by default, because attackers look for the easiest path to impact rather than the biggest target.
- The cost of a breach is not only technical remediation; it also includes downtime, recovery effort, and long-term trust loss.
- Pentesting matters most when it changes remediation priority, identity governance, and recovery planning before an attacker finds the gap.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.IP-12 | Penetration testing validates protective processes and exposes hidden weaknesses. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | The article's theme maps to validating least-privilege and access boundaries. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Exposed credentials and weak access controls are classic NHI governance failure modes. |
Review secret exposure and privilege scope together, then remediate the highest-reach identities first.
Key terms
- Penetration Testing: A structured exercise that simulates attacker behaviour to find weaknesses before real adversaries do. It is most useful when it proves whether a weakness can become access, data loss, or operational impact, not just whether the weakness exists.
- Identity Blast Radius: The amount of access, reach, and downstream impact that one compromised identity or credential can create. In practice, it is a better measure of security exposure than raw vulnerability counts because it shows how far an attacker can move once inside.
- Attack Path: The sequence of steps an attacker uses to turn an initial weakness into meaningful compromise. For identity programmes, the important question is whether a path can move from discovery to privileges, sensitive data, or control of critical systems.
- False Sense of Security: A governance condition where an organisation believes it is unlikely to be targeted or exposed and therefore delays validation. In security, this often leads to untested controls, stale assumptions, and a larger breach when an attacker eventually proves the opposite.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: Intro to Penetration Testing Part 3: It Could Happen to You. Read the original.
Published by the NHIMG editorial team on 2025-09-30.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org