TL;DR: Small businesses are often breached because they assume their size makes them an unattractive target, yet the article cites DigiCert's figures that 70% of cybercrimes resulting in data breaches targeted small businesses and that the average breach costs $5.4 million. The practical lesson is that penetration testing is a governance control, not a luxury expense, because unmeasured exposure is what attackers exploit.
NHIMG editorial — based on content published by DigiCert: Intro to Penetration Testing Part 3: It Could Happen to You
By the numbers:
- 70% of cybercrimes that resulted in data breaches targeted small business.
- About 60% of small businesses that suffer a data breach close within six months.
Questions worth separating out
Q: How should small businesses prioritise penetration testing when budgets are tight?
A: Start with the highest-value paths into the business, especially internet-facing systems, administrative interfaces, and identity controls that could turn a small weakness into broad access.
Q: Why do small organisations still need penetration testing?
A: Small organisations are often easier targets because they may have weaker monitoring, fewer safeguards, and less recovery capacity.
Q: What do security teams get wrong about breach risk in small businesses?
A: They often confuse size with safety.
Practitioner guidance
- Run attack-path-based pentests on the full environment. Scope tests to include externally reachable systems, identity stores, administrative interfaces, and any paths from initial access to sensitive data.
- Prioritise identity exposure in every remediation plan. Track exposed credentials, excessive privileges, stale accounts, and weak authentication boundaries as first-class findings.
- Translate pentest results into business-loss scenarios. Map each high-risk finding to downtime, data loss, recovery effort, and customer trust impact so leadership sees why it matters.
What's in the full article
DigiCert's full blog covers the operational detail this post intentionally leaves for the source:
- The full discussion of why small businesses often delay pentesting because of budget and time constraints.
- The exact rationale behind the four arguments the vendor uses to frame pentesting as a business necessity.
- The supporting statistics on breach cost, closure risk, and customer trust that underpin the article's case.
- The broader context around how the vendor positions penetration testing as a first security step for smaller organisations.
👉 Read DigiCert's blog post on why small businesses should pentest →
Explore further
Pentesting is a governance discipline, not a compliance checkbox. The article's core argument is that small businesses fail when they assume scale protects them from attack. Whether an organisation is breached has little to do with its size and everything to do with whether its exposure is being actively measured. For identity security programmes, the lesson is that unknown weaknesses are still weaknesses even when the organisation feels too small to attract attention. The practitioner conclusion is simple: validate exposure before an attacker does.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
A question worth separating out:
Q: Who should be accountable for turning pentest findings into action?
A: Security leadership, infrastructure owners, and identity teams should share accountability, because the findings usually cut across systems and access control. The report should not end with a vulnerability list. It should end with named owners, remediation dates, and a clear view of which risks threaten continuity and customer trust.
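As an added example (not code from DigiCert's post or from the NHIMG editorial), the following Python turns a constructed account export into the identity-exposure findings the practitioner guidance above asks for, stale accounts, privileged group membership outside an approved admin list, and privileged accounts without MFA as a weak authentication boundary, and attaches to each one a named owner and a due date so the report ends with accountability rather than a vulnerability list. The group names, the 90-day stale threshold, the severity-to-SLA table and the sample accounts are all assumptions.

```python
# Added example (not from the DigiCert post or the NHIMG editorial): triage an
# account export into identity-exposure findings with named owners and due dates.
# Group names, thresholds, the SLA table and the sample accounts are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_DAYS = 90                                                  # assumed: no sign-in for 90 days = stale
PRIVILEGED_GROUPS = {"Domain Admins", "Global Administrators"}   # assumed privileged group names
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}             # assumed remediation SLA per severity


@dataclass(frozen=True)
class Account:
    name: str
    owner: str                    # team accountable for remediating this account
    groups: frozenset
    mfa_enabled: bool
    last_login: Optional[date]    # None = never signed in


@dataclass(frozen=True)
class Finding:
    kind: str
    severity: str
    account: str
    owner: str
    due: date                     # remediation date derived from the SLA table


def identity_findings(accounts, today, approved_admins=frozenset()):
    """Return identity-exposure findings, most severe first.

    Checks: stale accounts, privileged membership outside the approved admin
    list (excessive privilege), and privileged accounts without MFA (a weak
    authentication boundary). Every finding carries an owner and a due date.
    """
    findings = []

    def add(kind, severity, acct):
        findings.append(Finding(kind, severity, acct.name, acct.owner,
                                today + timedelta(days=SLA_DAYS[severity])))

    for acct in accounts:
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        stale = acct.last_login is None or (today - acct.last_login).days > STALE_DAYS
        if stale:
            # A stale privileged account is a ready-made foothold, so rate it higher.
            add("stale-account", "high" if privileged else "medium", acct)
        if privileged and acct.name not in approved_admins:
            add("excessive-privilege", "high", acct)
        if privileged and not acct.mfa_enabled:
            add("weak-auth-boundary", "critical", acct)

    order = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.account))


# Constructed sample export for illustration; not real data.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "IT ops", frozenset({"Global Administrators"}), True, date(2024, 5, 30)),
    Account("svc-backup", "Infrastructure", frozenset({"Domain Admins"}), False, date(2023, 11, 2)),
    Account("bob", "Finance", frozenset({"Staff"}), True, date(2024, 1, 15)),
    Account("contractor1", "Engineering", frozenset({"Domain Admins"}), True, None),
]
APPROVED_ADMINS = frozenset({"alice"})


def sample_report():
    return identity_findings(SAMPLE_ACCOUNTS, TODAY, APPROVED_ADMINS)


if __name__ == "__main__":
    for f in sample_report():
        print(f"{f.severity:8} {f.kind:20} {f.account:12} owner={f.owner} due={f.due}")
```

On the constructed export, the one critical finding is the service account that holds Domain Admins without MFA, which is exactly the small weakness that turns into broad access; the stale contractor and service accounts follow as high. Swap the constants for the organisation's real directory export and group names before using the output as a remediation tracker.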
👉 Read our full editorial: Pentesting for small businesses: why breach risk is not theoretical