Attention SMEs: One test a year no longer enough to stop hackers

“It’s time we started organizing our digital security in a systematic way. The days of occasional testing are behind us.”

Published on April 1, 2026

Our DATA+ expert and Editor-in-Chief, Elcke Vels, explores AI, cyber security, and Dutch innovation. Her "What if..." column imagines bold scenarios beyond the norm.

The way organizations test their digital security is at a turning point. For years, companies relied on one-off penetration tests, or on bug bounty programs staffed by anonymous hackers, to identify weaknesses in their systems. But that approach is starting to show its limitations: systems change constantly, and cyber threats are on the rise. How should organizations deal with this today? We spoke with cybersecurity expert Patrick Jordens. “It’s time we start organizing our digital security in a structured way. The days of occasional testing are behind us.”

Patrick Jordens

Patrick Jordens (1969) is an entrepreneur with a passion for digital security. He is the director of the Trusted Third Party (TT3P) and founder of DMCC Group, which helps organizations comply with all external laws and regulations as well as internal policies regarding privacy and consumer rights. He is also a visiting lecturer in marketing, data privacy, and ethics at Rotterdam University of Applied Sciences.

Why is the traditional approach to vulnerability testing no longer sufficient?

“From customer data to production processes: it’s crucial for every company to have robust digital security in place. Many organizations still rely on a traditional penetration test: a one-time assessment in which a security specialist attempts to breach your systems. While valuable, this remains a snapshot in time. Systems are constantly changing. If you make changes to your infrastructure two months after the penetration test, new vulnerabilities may have already emerged.

Companies also sometimes use bug bounty programs. You open your systems to a large group of external ethical hackers—so-called white hats—who continuously search for vulnerabilities. You only pay if something is found. Major companies like Apple and Google have been using this approach for years. But this method also has significant drawbacks. It’s a competition: who will find a bug first? More complex vulnerabilities are therefore often less attractive to hackers. They take time and require a deep understanding of an organization. That doesn’t fit well with a ‘quick reward’ structure. Moreover, you often don’t know exactly who is in your systems. Hackers usually operate anonymously. That, too, is a risk.”

Can you regularly and automatically scan systems for vulnerabilities using specific tools?

“Yes, those tools exist. But they have their limitations too. Such programs mainly focus on known issues that have been defined in advance. That doesn’t provide enough assurance for effective security. A real hacker thinks differently. They look at the context of a system and where logic can be exploited.”

Working with hackers isn’t a solution. Neither is an automated tool. What’s next?

“You’re seeing a clear shift toward structural collaboration. Instead of one-off tests or isolated bug bounties, organizations are increasingly working with dedicated teams of pentesters. We also call this ‘pentesting as a service’.

This involves continuously collaborating with specialists who know your systems. They can ask questions on the spot, understand the business logic, and therefore uncover deeper vulnerabilities. It’s not just a report after the fact, but an ongoing process.”

That sounds pretty pricey.

“It’s not cheap. You’re quickly looking at several thousand euros. For larger organizations, the cost goes even higher. But you have to weigh that against the cost of a hack. Once it happens, you’ll lose much more money.

Right now, you mainly see regular penetration testing at corporations and government agencies. But it’s slowly shifting toward small and medium-sized businesses. There’s still often the idea there: we did a penetration test once, so we’re good to go. That’s simply no longer the reality. Cybersecurity isn’t a one-time action. It’s something you have to maintain continuously.”