
One of every five businesses in Europe doesn’t know if it is GDPR compliant

Bartosz Bielski

Service Line Manager, QA & Security

We’re in the midst of a major shift in how personal data is handled. The EU’s enactment of the General Data Protection Regulation (GDPR) in May 2018 means that businesses will be held accountable for the way they store and manage their clients’ and users’ data. No matter how prepared a business thinks it is for GDPR, effective penetration testing can give a company a more complete picture of its level of readiness. It not only helps an enterprise make sure it has the best defenses in place to prevent a catastrophic attack, but also ensures that it knows how to respond to an attack when one happens.

Why penetration testing is crucial for every data system

Penetration testing (also known as a pen test) is the practice of simulating an attack on a device, system, network or application to find its security vulnerabilities. The goal is to see whether the data system can be exploited through malicious activity. Ethical hackers can be contracted to carry out these tests and check whether any loopholes exist in the system.

The first step of penetration testing is to create a comprehensive inventory of the discovered threats. This involves describing each risk (e.g., can the machine be taken over?) and the probability of it materializing. The next step is to identify the riskiest, most probable, and most critical threats. Then, a real-life test is carried out to show the potential damage these vulnerabilities can cause. An additional benefit is that the company gets to see how capable it is of identifying and responding to a breach.

The outcome of penetration testing is invaluable to any business in the era of GDPR. It could be what saves a business from being the victim of a massive data breach, like the one that touched 9.4 million Cathay Pacific passengers earlier this year, Facebook’s most recent data catastrophe affecting 50 million accounts, or the Marriott database infiltration which exposed around 500 million customers of the global hotel chain.

Data collectors are on notice. This means everyone

GDPR has been likened to the Health Insurance Portability and Accountability Act (HIPAA), which brought landmark changes to the management of personal patient information in the late 90s. Healthcare institutions had to completely reconsider their protocols or else be penalized. In fact, mega-insurer Anthem Inc. just reached a $16 million HIPAA settlement for the largest healthcare data breach ever, affecting more than 79 million people. The breach was attributed to “critical security weaknesses” that might have been exposed through penetration testing.

But while HIPAA brought changes to the healthcare industry, GDPR affects everyone who collects users’ data. This includes data that may not seem sensitive, like email addresses and IP addresses. This means GDPR has implications for virtually every business.

Yet, many are still in the dark about GDPR: 20% of businesses in the EU, 10% of businesses in the U.K., and 48% of businesses in the U.S. don’t even know whether they are GDPR compliant. Ignorance will soon bring consequences, as the most serious violations of GDPR cost as much as $20 million or up to 4% of a business’s total annual revenue.

In short, not being prepared for a data breach (and not knowing how to respond when one happens) now has the potential to completely dismantle a company.

When understanding the risks, remember “CIA”

A helpful acronym to understand what kinds of data risks companies are exposed to is “CIA”:

C - confidentiality: This refers to data breaches in which sensitive information, such as names, personal information, passwords, medical history, credit card numbers or email addresses, is stolen.

I - integrity: This involves modifying data. A classic example is changing a bank account number so that transfers are routed to a different account. Another example is changing email addresses so messages are delivered to a new email address.

A - accessibility (availability): This includes hacks that make systems, servers or data unreachable. For example, in a ransomware attack, customer data is encrypted and access to it is blocked, but none of it is leaked.

Data breaches have always been a subject of major concern for companies. Consumers place their trust in businesses when they share their information, and it is up to those businesses to ensure it is safe in their hands. Even though GDPR has created complications and more liability with regard to personal data use, penetration tests remain among the best strategies for ensuring data system security.
