(This column originally appeared in Forbes)
My clients are mostly small and mid-sized businesses. Many have experienced cyberattacks or been on the wrong side of a data breach.
Hackers can infiltrate a company’s network and create havoc in countless ways, and there are just as many tools to help prevent these incursions. But there is a way for small businesses to stay one step ahead of these threats, before those tools are ever put to the test: penetration testing.
Why Are Cyber Attacks Increasingly Targeting Businesses?
Cybersecurity is a major concern for businesses, and now AI is fueling an upsurge.
In 2025, the Identity Theft Resource Center published its annual report and said as many as 81% of the 662 small business owners or executives at small to mid-sized companies surveyed suffered a security breach, a data breach or both in the past year. AI-powered attacks were identified as a root cause in more than 40% of cyber events, “a pivot from internal risks to external, technologically advanced adversaries.”
A 2025 report from IBM revealed how AI is “greatly outpacing security and governance,” with 97% of the surveyed organizations that reported an AI-related security incident lacking proper access controls for their AI systems.
The biggest reason why this happens? Unfortunately, it’s us.
Verizon’s 2025 Data Breach Investigations Report studied over 22,000 security incidents and 12,000 confirmed breaches. It found that roughly 60% of breaches involved the human element: mistakes such as mis-delivery of data, phishing clicks, credential misuse, and social engineering that resulted in stolen or reused credentials.
IBM’s report said human error caused about 26% of breaches directly, “and the broader human factor (including phishing and credential misuse) accounts for the majority of incidents.”
What Is Penetration Testing?
Penetration testing, or pentesting, is an ethical-hacking exercise designed to test both systems and employees. Authorized testers simulate real intrusions against networks and applications and, in social-engineering engagements, send spoofed communications such as emails, texts, instant messages and even phone calls to see whether staff can be tricked.
A good pentesting program shows how far an attacker could get into a company without causing the damage a real attacker would; testers work within an agreed scope and rules of engagement. It has become a critical method for determining the overall security of a network. You can set up a pentesting service on your own, or hire an IT firm.
How Pentesting Protects Small Businesses
A pentesting program, combined with other security strategies, can go a long way towards minimizing risk.
Employers can further reduce the impact of these risks by running security software on servers and devices, moving data and files to a managed services provider, automatically downloading and installing new operating system builds (which include the latest security protections), prompting employees to use strong, unique passwords, installing a virtual private network to encrypt data in transit, and forcing regular backups of data. One caveat on passwords: current guidance such as NIST SP 800-63B no longer recommends forcing employees to change passwords on a fixed schedule; rotate them when there is evidence of compromise and add multi-factor authentication instead.
IT security experts always advise their clients to do whatever they can to minimize the risk. They know that all risks will never be completely eliminated.
“Hackers will go after low hanging fruit,” Anthony Mongeluzo, CEO of Pro Computer Science Inc., told me recently. “They don’t want to spend time figuring out how to infiltrate a system when there’s so many systems they can invade that don’t have these types of security protections in place.”
Protection Example
I have a client in New Jersey who implemented a pentesting strategy along with other cybersecurity procedures. They use an IT firm that installed a pentesting software product and that also provides quarterly training to their employees, updating them on the latest security risks. They have also set up software to send fake emails to employees in an effort to trick them into clicking on a malicious link or downloading a malware-infested file.
The pentesting process helps the company evaluate whether its existing defenses, such as firewalls, endpoint protection and intrusion detection systems, actually stop malicious activity. After the tests are completed, the tools produce detailed reports that explain the vulnerabilities discovered, how serious they are and what steps should be taken to fix them.
The Benefits Of Pentesting for Small Businesses
When small businesses fall victim to a cyber attack the consequences can be significant.
Ransomware may force them to make expensive payments to recover data that attackers have encrypted, and paying does not guarantee that the data comes back. Confidential customer and other data can go missing or be stolen, which opens a business up to lawsuits and other liabilities. Some actors use their malware to shut down servers and applications altogether, which can lead to long periods of business interruption or even, in some cases, to the business closing if the damage is not fixed in time.
The consequences are time-consuming, expensive and disruptive. If customers, suppliers and partners find out, their confidence may suffer. Having cyber insurance helps, but by the time a claim is filed the disaster has usually already happened. Employing security strategies like pentesting helps to minimize the chance of disasters before they happen.
How Often Should A Business Conduct Pentesting?
Many IT firms that I work with offer pentesting services. Their automated scans run at least weekly, sometimes more often; a full manual penetration test, in which a person tries to chain individual findings into an actual compromise, is typically commissioned at least annually and after any major change to systems or applications.
They use automated testing platforms to probe networks, servers, applications and websites to see whether weaknesses, such as unpatched software, poor configurations or weak authentication, can be exploited to gain unauthorized access.
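One concrete instance of the “poor configurations or weak authentication” check described above is a configuration audit of an SSH server. The script below is an added example written for this column, not the software of any IT firm or vendor mentioned here. The two sshd_config samples are constructed, and the severities, thresholds and remediation text are the example’s own choices rather than a published standard; the defaults table reflects what OpenSSH assumes when a directive is absent, which is why an empty config still produces a finding.

```python
"""Audit an sshd_config for weak settings.

Added example: the kind of "poor configuration / weak authentication"
check an automated pentest platform runs, written from scratch for this
column.  The two configs are constructed samples; severities and
remediation text are the example's own choices.
"""
import re

# Constructed sample: a weak configuration.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
MaxAuthTries 20
X11Forwarding yes
"""

# Constructed sample: the hardened counterpart.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 3
X11Forwarding no
"""

# Values sshd uses when a directive is absent (OpenSSH sshd_config defaults).
# An absent PasswordAuthentication line means passwords ARE accepted.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
    "x11forwarding": "no",
}

# (directive, is_weak(value), severity, remediation), most severe first.
CHECKS = [
    ("permitemptypasswords", lambda v: v == "yes", "critical",
     "Set PermitEmptyPasswords no."),
    ("permitrootlogin", lambda v: v == "yes", "high",
     "Set PermitRootLogin no (or prohibit-password) and use sudo."),
    ("passwordauthentication", lambda v: v == "yes", "high",
     "Set PasswordAuthentication no and require SSH keys (or MFA)."),
    ("maxauthtries", lambda v: v.isdigit() and int(v) > 6, "medium",
     "Lower MaxAuthTries to slow online password guessing."),
    ("x11forwarding", lambda v: v == "yes", "low",
     "Set X11Forwarding no unless it is actually needed."),
]


def parse_sshd_config(text):
    """Return {directive: value} with directive and value lower-cased.

    sshd honours the FIRST occurrence of a directive, so later duplicates
    are ignored, and anything under a Match block applies only
    conditionally, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)          # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Run every check and return a list of findings, most severe first."""
    settings = parse_sshd_config(text)
    findings = []
    for key, is_weak, severity, fix in CHECKS:
        value = settings.get(key, DEFAULTS[key])  # fall back to sshd default
        if is_weak(value):
            findings.append({"directive": key, "value": value,
                             "severity": severity, "fix": fix})
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for f in audit_sshd_config(cfg):
            print(f"[{f['severity']}] {f['directive']}={f['value']}: {f['fix']}")
```

Two details matter in practice and are easy to get wrong in a home-grown check: sshd takes the first value it sees for a directive, so a hardening line appended to the end of a file does nothing if an earlier line already set it, and a directive that is simply missing is not “secure by omission” but takes the OpenSSH default.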
Good IT firms will also set up software that automatically sends fake emails and other communications to their clients’ workers, as a training exercise, to see whether any will bite. These lures are usually modeled on current campaigns reported by organizations that track phishing, such as the Anti-Phishing Working Group and the Spamhaus Project. When an employee inadvertently clicks a link, downloads a file or performs some other action that could trigger a cyber event, the firm receives an alert and the employee (and their manager) is notified.
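To make the phishing-simulation mechanism above concrete, here is an added example (not the IT firm’s software or any vendor’s) showing how a simulation platform can give each employee a unique, signed tracking link, recognize who clicked, reject forged or edited links, and work out whom to notify. The campaign name, employee directory, manager mapping, signing key and landing URL are all constructed for the example.

```python
"""Signed per-recipient tracking links for a phishing simulation.

Added example, not the software of any firm mentioned in the column.
Campaign name, employees, manager mapping, key and landing URL are
constructed; a real deployment would generate a fresh random key per
campaign and serve the endpoint behind a web framework.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

CAMPAIGN_ID = "q3-invoice-lure"                              # constructed
SIGNING_KEY = b"constructed-key-use-a-fresh-random-one-per-campaign"
TRACKER_BASE = "https://training.example.com/t"              # assumed landing page
EMPLOYEES = {                                                # constructed directory
    "alice@example.com": {"manager": "carol@example.com"},
    "bob@example.com":   {"manager": "carol@example.com"},
    "dave@example.com":  {"manager": "erin@example.com"},
}


def _signature(campaign_id, recipient):
    """HMAC over campaign and recipient so a link cannot be forged or re-pointed."""
    msg = f"{campaign_id}|{recipient}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()[:16]


def build_tracking_link(campaign_id, recipient):
    """The URL embedded in the lure email sent to `recipient`."""
    query = urlencode({"c": campaign_id, "r": recipient,
                       "s": _signature(campaign_id, recipient)})
    return f"{TRACKER_BASE}?{query}"


def record_click(url, clicks):
    """Handle a hit on the tracking endpoint.

    `clicks` is the campaign's mutable set of recipients who clicked.
    Returns (status, recipient); only a valid first click is recorded.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        campaign_id, recipient, sig = params["c"], params["r"], params["s"]
    except KeyError:
        return "malformed", None
    if campaign_id != CAMPAIGN_ID:
        return "wrong-campaign", None
    # Constant-time compare: a curious employee editing the recipient in the
    # URL must not be able to attribute a click to someone else.
    if not hmac.compare_digest(sig, _signature(campaign_id, recipient)):
        return "invalid-signature", None
    if recipient not in EMPLOYEES:
        return "unknown-recipient", None
    if recipient in clicks:
        return "duplicate", recipient
    clicks.add(recipient)
    return "clicked", recipient


def notifications(clicks):
    """Who gets alerted: each clicker and their manager, as in the column."""
    return sorted((r, EMPLOYEES[r]["manager"]) for r in clicks)


def campaign_summary(clicks):
    """Headline numbers for the report back to the client."""
    return {"sent": len(EMPLOYEES), "clicked": len(clicks),
            "click_rate": round(len(clicks) / len(EMPLOYEES), 2)}


if __name__ == "__main__":
    clicks = set()
    links = {r: build_tracking_link(CAMPAIGN_ID, r) for r in EMPLOYEES}
    print(record_click(links["alice@example.com"], clicks))   # ('clicked', 'alice@example.com')
    tampered = links["alice@example.com"].replace("alice%40example.com", "bob%40example.com")
    print(record_click(tampered, clicks))                      # ('invalid-signature', None)
    print(notifications(clicks), campaign_summary(clicks))
```

The signature is what keeps the exercise fair: without it, a mail security gateway that pre-fetches links or an employee who edits the address in the URL could mark a colleague as having clicked. Counting only the first click per recipient keeps the click rate honest when someone opens the same lure several times.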
The Bottom Line on Pentesting
If there’s one thing I’ve learned from running a small company for more than two decades, and from providing technology services to hundreds of businesses during that period, it’s that the smartest owners and managers I meet share one common trait: they’re always looking ahead. Employing a pentesting program can avoid surprises by helping to identify potential vulnerabilities before they’re exploited.
Frequently Asked Questions (FAQs)
What is PTaaS?
PTaaS stands for penetration testing as a service and usually involves a monthly fee. Firms provide an ongoing service that continuously tests a company’s ability to thwart intrusions and data breaches using software and hardware tools. Subscribers receive results in real time rather than waiting for periodic reports.
What are examples of PTaaS?
Examples of vendors that offer PTaaS platforms include companies like HackerOne, Synack, Cobalt, Pentera, and Bugcrowd.
Is pentesting legal?
Yes, provided it is authorized. Pentesting is no different from other methodologies used to test existing systems and search for vulnerabilities, but the same activity performed without the system owner’s written permission is unauthorized access and can be prosecuted under computer-crime laws such as the U.S. Computer Fraud and Abuse Act. Get the scope, dates and authorization in writing before any testing starts.
Is pentesting ethical?
Although pentesting uses what is routinely called ethical hacking, the hacking is carried out by services and firms that are seeking vulnerabilities in a network with the full authority and approval of the business that hired them.
Are there any gray areas?
Some see a fuzzy line between hacking and testing. Others are concerned that the tests used by PTaaS providers could touch systems or data without a customer’s consent, exposing certain data in the process. Pentesting tools and strategies should be fully disclosed to customers, particularly customers whose data governance policies may not address this type of security methodology.
What role does AI play in pentesting?
AI is taking on a growing role in pentesting. More platforms will deploy agentic AI to run tests automatically, identify potential security flaws on their own and propose or apply fixes with minimal human involvement. AI can help identify software and other applications used by a company that could be exposed in the future, and it can help companies model likely vulnerability scenarios based on past experience.
