Being notified that “all of your confidential information is extremely vulnerable, we know this because…” is bad news, but whatever follows the ellipsis determines just how bad. According to Security Magazine, 43 percent of small businesses are victims of cyberattacks each year, and three in five victims do not survive. It is financially worthwhile to make sure you end up among the two who do survive even the worst attack.


When it comes to a data security breach, there are two main ways it can go. Your IT department or partner can reach out to you, saying:

  • “All of your confidential information is extremely vulnerable…we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”  

This is the scenario for companies that do not have proactive testing and monitoring processes in place.

  • “All of your confidential information is extremely vulnerable…we know this because we did a vulnerability scan of your network, and we have some suggestions on how you can improve.”  

This is a more realistic scenario for small businesses that adopt vulnerability testing. 

A vulnerability test is a comprehensive audit of security flaws that a hacker could exploit, and it outlines the possible consequences. This is the equivalent of a doctor giving a physical examination. The information will allow you to know what your risks are and plan your security policies accordingly. 

Vulnerability tests can be executed in-house or by third-party partners. At a minimum, they should be done quarterly, or whenever you’re incorporating new equipment into your IT network.  


Penetration testing is often referred to in the IT world as a pen-test. A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have a specific objective, like compromising a specific set of data.

Different industries have different government-mandated requirements for pen-testing. One of the broader-reaching regulations, the PCI DSS, requires pen-testing on an annual basis. However, it is prudent to go beyond the legal minimum. You should also conduct a pen-test every time you have:

  • Added new network infrastructure or applications
  • Made significant upgrades
  • Modified infrastructure or applications
  • Established new office locations
  • Applied a security patch
  • Modified end-user policies


To put it simply, vulnerability testing tells you what your weaknesses are, and penetration testing tells you how bad a specific weakness is. 

While it may seem like a lot of extra work, setting up repeatable processes in systems designed for this type of monitoring and testing is really the bulk of the effort. If you need help setting up yours so you can rely on it for years to come, contact us. Setting up security processes is one of our main specialties.