With the constant threat of cyber attacks against businesses, being a business owner can make you fearful of being attacked even when you are a technical person, let alone when you're not. Now let's say that business owner comes to a company like ours because they need security services, and they are not a technical person: they always want to know which services are best for their business, and it can be confusing, especially to a non-technical person, to understand what each service is, let alone how it will help their business. In this post we will talk about Small, Medium, and Large Businesses and which services we would generally recommend to each business type.
Small Businesses we will assume to have 1-10 employees working in a fairly small office, with a single WiFi connection and an externally hosted website, meaning one not on a server owned and maintained by the business. Although an attacker gaining access to the website would not pose a threat to a company's server (because there is no server), the website could still contain sensitive information. Because of this we would always recommend having your company's website tested, no matter the size of your business. However, if you have a small business like the one described, this is usually the extent of External Penetration Testing needed. The other testing Small Businesses mainly need is Internal Penetration Testing and a WiFi Audit. The Internal Testing involves checking local machines for viruses and malware, and checking for open ports that could pose a threat.
Medium Businesses we will assume to be similar to Small Businesses except with more people, more internal threats, and, more likely than not, a website hosted by the business itself on its own server(s). Therefore the need for External Penetration Testing has increased, and we would recommend it for externally facing hosts. On top of this we would still recommend Internal Testing and WiFi Auditing.
Of course Large Businesses can benefit from all of our services; however, for large businesses it is a matter of prioritising which services are needed and where they are most needed. Your company might have hundreds of public IP addresses, and therefore it is necessary to work out what is posing the highest risk to your organisation. For example, if you are a bank, your main website is going to be where you need to put the most focus, as that is where clients are going to log in to do any transactions they might want to do.
On a side note, all businesses should also consider Social Engineering as a service. It is a threat that can affect all businesses, small or large, and testing for it helps people stay alert to anyone who, through either a phone call or an email, tries to extract important information from the organisation.
In summary, small businesses should focus mainly on their internal systems and their website; medium businesses should do the same but prioritise their externally facing server(s), if they have them; and large businesses should work to secure their assets both internally and externally, focusing on their most vulnerable areas and on whatever would cause the biggest loss to the organisation in the event it is leaked to an attacker.