Hearing “all of your confidential information is extremely vulnerable, we know this because...” is bad news, but whatever follows the ellipsis determines just how bad. Consider two scenarios.


  1. “All of your confidential information is extremely vulnerable... we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”
  2. “All of your confidential information is extremely vulnerable... we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.”

61 percent of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.


Scenario 2 describes the statement you hear after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of the security flaws that a hacker could exploit and of the possible consequences of each. It is the equivalent of a doctor giving a physical examination. This information will allow you to know what your risks are and plan your security policies accordingly.

Vulnerability tests can be done by in-house IT or outside consultants. They should be conducted quarterly, or whenever you are incorporating new equipment into your IT network.

What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective (e.g. “compromise this piece of data...”). A vulnerability scan tells you “what are my weaknesses?” and a pen-test tells you “how bad is a specific weakness?”

How often should you pen-test: Different industries will have different government-mandated requirements for pen-testing. One of the more broad-reaching regulations, the PCI DSS, for example, requires pen-testing on an annual basis. However, it is prudent to go beyond the legal minimum. You should also conduct a pen-test every time you have