Scorpiones Group

GDPR and Penetration Testing: What You Need to Know

You might be a small or medium-sized organisation that seems to sit below cyber criminals' radar, but you are far from immune to data breaches.
Small and medium-sized enterprises make up a large share of breach victims, mostly through opportunistic, indiscriminate attacks that exploit common vulnerabilities
rather than attacks aimed at a specific organisation.

In this article we will help you understand what GDPR is and, more specifically, how GDPR relates to security and penetration testing.
Penetration testing is essentially a controlled form of hacking in which a professional tester,
working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

The General Data Protection Regulation (GDPR) governs the personal data of individuals in the European Union.
GDPR is often described as having two primary goals, within the EU and beyond:

To regulate how organisations handle the personal data of people in the EU.
To give individuals more control over their own data: whether and how it is collected and used should, as far as possible, be their choice.
To that end, GDPR grants individuals a set of rights, including:

  • To be informed: Before or at the time data is collected, individuals must be told what is collected, why, and on what legal basis. Where processing relies on consent, that consent must be freely given, specific and informed.
  • Access: On request, companies must provide individuals with a copy of the data held about them and explain how it is being used.
  • Rectification: If data is out of date or incorrect, individuals have the right to have it corrected.
  • Erasure: If the data is no longer needed for the purpose it was collected for, or the individual has withdrawn consent, they have the right to have it deleted (subject to limited exceptions, such as legal retention obligations).
  • To Restrict Processing: An individual has the right to require that their data is stored but not otherwise processed, without the data having to be deleted.
  • Data Portability: An individual has the right to receive their data in a structured, machine-readable format and to have it transmitted to another company.
  • To Object: Individuals can object to processing based on certain grounds; an objection to use for direct marketing must be honoured immediately and unconditionally.

As you may have noticed from the many privacy policy updates you have received, companies are now explaining not only how data is captured, stored and used, but also how it is secured.
While GDPR is primarily viewed as a privacy regulation, it has security requirements at its roots.

How GDPR Affects Security
GDPR has some direct effects on the work of security professionals.
A key development is the requirement around breach notification.
If you examine large breaches such as Equifax,
companies tend to know long before the affected consumers find out. Under GDPR (Article 33), a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay when the breach is likely to put them at high risk (Article 34).
Security teams therefore need the monitoring, analysis and internal communication channels to detect a breach, assess its impact and escalate it within that window.

GDPR and Penetration Testing
At first glance GDPR may not seem to have much to do with penetration testing.
Article 32 ("Security of processing") requires organisations to implement appropriate technical and organisational measures and to have a process for regularly testing, assessing and evaluating their effectiveness; penetration testing is one of the most direct ways to meet that requirement.
If Article 32 is not reason enough, the mandatory breach notification should be.
The days of delaying breach disclosure are over: once a breach is discovered, the 72-hour clock to notify the supervisory authority starts running.
Penetration tests can find exploitable weaknesses before an attacker does, so that they are fixed as findings in a report rather than discovered as an incident that has to be reported.

GDPR gives organisations a clear reason to run regular penetration tests, but penetration tests are useful to any security team regardless of regulation.
Most security professionals already have more on their plate than they can handle.
Beyond identifying vulnerabilities before they are exploited in the real world,
penetration tests help teams prioritise fixes based on the severity and impact of each finding, so limited time goes to the issues that matter most.

Penetration testing is an important part of meeting GDPR compliance, and it also identifies the risks of a data breach involving the personal data of EU residents.
Currently, a failure to comply with GDPR can lead to administrative fines of up to €20 million or 4% of an organisation's total worldwide annual turnover for the preceding financial year, whichever is higher.
These obligations and penalties also apply to organisations outside the EU (for example, in Israel) that offer goods or services to, or monitor the behaviour of, people in the EU (Article 3), which could include your organisation.

Scorpiones can help you meet the security testing requirements of GDPR.
Our penetration tests reduce the risk of data loss by identifying weak points in your systems that could lead to a compromise. Contact us today for a free quote.

Tags: GDPR Penetration Testing Information Security
