Article 32 of the GDPR (General Data Protection Regulation) requires organisations to implement technical measures to ensure data security – and one of the most important is penetration testing.
If you’re not already familiar with the term, penetration testing is a controlled form of hacking in which a professional tester, working on behalf of an organisation, seeks out system vulnerabilities in the same way a criminal would.
One of the major benefits of penetration testing is that it gives you an insight into your organisation that’s not possible through internal audits or risk assessments.
Although those processes are excellent for identifying the ways a criminal hacker may target your organisation, it takes a practical assessment to determine how accurate those findings are.
Penetration tests can be used to detect weaknesses in web servers, web browsers, email clients, point-of-sale software, operating systems, server interfaces and even human weaknesses.
As such, they should form an essential part of your GDPR compliance practices. In this blog, we explain when and how you should conduct penetration testing.
Identifying problems during development
Many organisations conduct penetration tests when they’re building a new system to identify risks that they’ve overlooked.
The benefit of testing at an early stage is that you have greater flexibility to correct weaknesses and avoid the risk of going live with a system or software that can easily be exploited.
Tests also demonstrate the way various weaknesses can be used alongside each other to cause greater damage. This is particularly useful because you will have come to accept that there will inevitably be flaws in your system – there is no such thing as an impervious organisation – but may not understand the full extent of the risk.
Indeed, taken on their own, small vulnerabilities may appear negligible. However, testers and hackers can create intrusion sequences that take small, steady efforts to pry open security gaps into a much larger weakness.
Knowing that these flaws aren’t benign enables you to take corrective action promptly, rather than having to come up with ad hoc solutions around a fully built system.
Performing an end-of-state check
Organisations also often perform penetration tests once the system or software has been completed, as it provides an end-of-state check to ensure that the necessary security controls have been implemented.
The main benefit of this is that the tester gets an accurate idea of the final product. The vulnerabilities they detect will be there when the system or software goes live unless they are addressed.
Penetration testers will also typically provide a report on their findings. Unlike automatically generated reports from tools that offer generic remediation tips, these reports rank and rate vulnerabilities according to the scale of the risk and the company’s budget.
This gives the organisation the ability to prioritise the biggest risks and address them accordingly.
Penetration testing with IT Governance
IT Governance is a CREST-accredited provider of security testing services.
Our range of testing services enables organisations of all sizes to effectively manage cyber security risk by identifying vulnerabilities that could expose infrastructure, applications, wireless networks and people to attack.
A version of this blog was originally published on 18 September 2018.