It’s just a USB drive, casually dropped by an employee entrance, in the cafeteria or next to a cubicle. But what happens to that drive can tell worlds about your company’s IT security.

An employee wanders by, picks up the drive and, out of curiosity, sticks it in the computer at his or her workstation. The drive contains infected code that compromises your system.

Evaluating your company’s security vulnerabilities is the first step toward plugging those gaps and preventing costly data losses and security breaches that could compromise both information and your company’s reputation. For some small to mid-size businesses, evaluating security is a requirement of doing business with government agencies, credit card companies or health-related companies.

But utilizing an ethical hacker can make sense for your business even if you’re not required to do so. For a few thousand dollars, an ethical hacker can give you a sense of areas you need to shore up.

“A lot of small business owners think, ‘We’re a small company. Why would anyone want to access my environment?’’’ says Carl Herberger, vice president of information security and compliance for Evolve IP ^[1], a managed technology services provider for small and mid-sized businesses. You’re more of a target than you might imagine, asserts Herberger. “It is the small businesses that are frequently entryways to bigger businesses.”

What an ethical hacker does

A robust security check will do more than simply attempt to penetrate your IT system from the outside, advises Tom Kellerman, a commissioner on The Commission on Cybersecurity for the 44^th Presidency and vice president of security awareness for ethical hacking firm Core Security ^[2]. Depending on the level of service for which you contract, an ethical hacker will:

• Evaluate vulnerabilities in IT infrastructure An ethical hacker will indeed attempt to access your critical data as a malicious hacker would, running network, web application and client application tests. Frequently, as organizations grow and evolve, “bits and pieces” of data are left exposed and forgotten, says Rudolph Araujo, technical director for Foundstone Professional Services, which performs these sorts of security health checks or ethical hacks. “The other part is increasingly what we’re finding are a lot of these vulnerabilities tend to be at the application level.”
• Test human behavior Herberger includes those USB drops in his evaluations. “The biggest challenge is with the threat you know,’’ he says of employee behavior. Social engineering tests reveal how your employees handle situations that put your critical information at risk. These tests can mirror phishing attacks, asking employees to click on links in emails or to reveal information online. But tests can also take the form of evaluating the likelihood of an unauthorized person to gain access to a secure area.
• Find the leaks A security evaluation might also determine the types of information that is revealed about your company online, through employees’ social networking sites and other documentation that may pop up.

What you’ll pay

The low end of the range tends to be below $5,000, says Herberger. “We’ve done things in the $2,000 to $5,000 range, but the scope is much smaller.” Araujo says the cost could be as low as a few hundred dollars, depending on what you ask an ethical hacker to do.

A mid-size business might pay $10,000 to $15,000, estimates Herberger.

Even small companies are beginning to budget these sorts of security evaluations on an annual basis. “An annual basis would be the minimal standard,’’ Araujo advises. “IT environments tend to change so quickly that the results from a year ago are probably going to change.”

What to consider

Don’t simply turn your enterprise over to an ethical hacker without forming a game plan, says Araujo. Make sure you understand the process, ask the right questions and take these factors into consideration:

• Know what’s critical Identify the data you’re trying to protect, says Araujo. “What’s the risk your business is exposed to?”
• Check credentials You’re placing your system in the hands of an outside entity. Ethical hackers receive certification in penetration testing, and there’s a professional code of ethics that protects your confidentiality. Make sure to vet the ethical hacker you employ.
• Ask about repeatability An ethical hacking firm should perform repeatable, scalable exercises that allow you to track whether you’ve made progress, says Kellerman. You’ll also want an actionable report that outlines how you can correct deficiencies.
• Evaluate business value Protecting your information is an obvious business benefit. But there may also be value in demonstrating your security to potential business partners as well. Regular security evaluations also might offer some protection if court cases involving data breaches arise.

“Most organizations right now are hemorrhaging data,’’ says Kellerman. “It’s fundamentally critical to gain great awareness of where your vulnerabilities are.”