Peter Bassill, CEO of Hedgehog Security, discusses one way organizations can properly protect the data they store while also meeting the new GDPR compliance rules
By Peter Bassill, CEO, Hedgehog Cyber Security
Six years after it was first proposed, the European Union’s General Data Protection Regulation, or GDPR, has now come into force. Its purpose is to give EU citizens greater control over their personal data, such as who collects it, how it is processed and what it is used for.
For many businesses and organizations, the regulation is seen as a burden. In an already competitive environment, GDPR makes selling, marketing and the performance of general business functions all the more difficult.
Compliance will require most, if not all, businesses and organizations to modify their existing processes and to also develop new ones. They will have to overhaul their security systems, their privacy protocols, and data management structures, too.
Failure to comply can result in fines of up to €20 million or 4% of an organization's total worldwide annual turnover for the preceding financial year, whichever of the two is higher.
While much has been written about how data is obtained, there are very few articles and resources covering what is required of organizations when it comes to the protection of information.
What does compliance entail?
Under Article 32 of GDPR, organizations and companies that collect and hold the personal data of individuals in the EU are required to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
While the regulation offers some guidance on the measures companies should take (it names pseudonymization and encryption, the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability after an incident, and regular testing), it is far from prescriptive. Instead, it places responsibility on organizations to select, implement and revise effective security measures in light of a dangerous and constantly changing information security threat landscape.
Article 32(1)(d) describes the need to establish: "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".
Despite outlining what it means to be compliant, the new law is surprisingly silent in terms of providing advice to businesses on how best to go about achieving the required protections.
One solution is penetration testing, which is a systematic process of identifying security vulnerabilities in applications and networks. Simply put, it is a controlled hack of your own system to determine where attackers could gain unauthorized access.
By putting your operating systems, services, applications and networks through penetration testing you get a real-world assessment of the security controls you believe are in place and whether they are functioning effectively.
Vulnerabilities can arise for several reasons like system bugs, improper configuration or inappropriate end-user behavior. Through penetration testing, you can identify the source of vulnerabilities, the efficacy of the security measures you have in place to deal with them, and your end-users’ adherence to security policies.
Managing and maintaining compliance requires a robust infrastructure that enables you to monitor and control the use and movement of data; identify who is using that data; restrict access to the data to those who need it; and render the data unintelligible (for example, by encrypting it) in the event that unauthorized users gain access to it.
Penetration testing is one of the most effective ways of verifying that these controls actually work as intended. That said, you should make sure compliance is not your only motivation for undertaking penetration testing. It is important to ensure that your networks and systems are secured against malicious attacks that could also damage your business.
This is more important now than ever. With cyber attacks on the rise, penetration testing can help ensure your business and data are properly protected.
How to do a penetration test
Penetration tests are performed using tools and techniques that can systematically compromise servers, networks and other potential points of exposure.
An experienced professional tester can replicate the techniques used by real attackers to give your system a comprehensive examination, while keeping the risk of damage to your network to a minimum.
It is also possible to engage in your own security testing – there are a number of free online resources that help with this. Before you consider carrying out your own penetration tests, however, keep in mind that a lot can go wrong and very quickly.
A penetration test means exposing your network to scans and probes. In short, you are subjecting it to a controlled hack.
This can slow down your system or even crash it. Instead of the intended purpose of assessing the health and security of your system, you could end up with unnecessary and costly disruptions to your business that will require money and resources to resolve.
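The scans and probes mentioned above are where an uncontrolled test does its damage: unbounded connection rates, no timeouts, and targets that were never agreed in scope. The following is an added illustration, not code from the author or from Hedgehog Security, of what a controlled TCP connect probe looks like. It enforces a scope allowlist (assumed here to be a list of CIDR strings), caps concurrency and the per-connection wait, and runs against a throwaway loopback listener with a constructed banner so it can be exercised offline. The service name in the banner, the port selection helpers and the function names are assumptions made for this example.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-in for a real service: a throwaway TCP listener on loopback
# that greets each client with a fake banner, so the scan can run offline.
FAKE_BANNER = b"SSH-2.0-ExampleService_1.0\r\n"


def start_fake_service(banner=FAKE_BANNER):
    """Bind a listener on 127.0.0.1 at an OS-chosen port; return (port, socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed: stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv


def stop_fake_service(srv):
    """Wake the accept() loop and close the listener."""
    try:
        srv.shutdown(socket.SHUT_RDWR)
    except OSError:
        pass
    srv.close()


def find_closed_port():
    """Reserve and release an ephemeral port so the scan has a known-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def in_scope(host, scope_cidrs):
    """True only if host falls inside one of the agreed in-scope CIDR ranges."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(cidr) for cidr in scope_cidrs)


def probe_port(host, port, timeout=0.5):
    """TCP connect probe: returns the banner text (possibly "") if the port
    is open, or None if it is closed, filtered or does not answer in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)  # bound the wait for a banner as well
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
    except OSError:  # connection refused, unreachable, or timed out
        return None
    return data.decode("ascii", "replace").strip()


def scan(host, ports, scope_cidrs, max_workers=4, timeout=0.5):
    """Scan ports on host. Refuses out-of-scope targets and caps concurrency
    and per-connection wait so the probe cannot flood or hang the target."""
    if not in_scope(host, scope_cidrs):
        raise ValueError(f"{host} is outside the agreed scope; refusing to scan")
    with ThreadPoolExecutor(max_workers=max_workers) as pool:
        results = list(pool.map(lambda p: probe_port(host, p, timeout), ports))
    return {p: banner for p, banner in zip(ports, results) if banner is not None}


def run_demo():
    """Start the fake service, scan one open and one closed port, return findings."""
    open_port, srv = start_fake_service()
    closed_port = find_closed_port()
    try:
        findings = scan("127.0.0.1", [open_port, closed_port], scope_cidrs=["127.0.0.0/8"])
    finally:
        stop_fake_service(srv)
    return {"open_port": open_port, "closed_port": closed_port, "findings": findings}


if __name__ == "__main__":
    demo = run_demo()
    for port, banner in sorted(demo["findings"].items()):
        print(f"127.0.0.1:{port} open  banner={banner!r}")
```

The three controls worth copying into any in-house testing are the scope check (a target outside the agreed ranges is rejected before a single packet is sent), the worker cap (the test opens a handful of connections at a time rather than thousands), and the timeout on both connect and banner read (a slow or silent service cannot hang the tester). A real engagement would add per-target rate limits and a written scope signed off by the system owner; none of that is in this example.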
We always recommend using a professional company to carry out a penetration test. This allows you to uncover as many security flaws and vulnerabilities in your system as possible, but with minimal disruption and risk to your business.
GDPR means businesses plying their trade in Europe must properly protect the data and information they store, and penetration testing, when done correctly, is one of the most efficient and effective ways of checking that they do.
About the Author
Peter Bassill, CEO, Hedgehog Cyber Security. Peter has been in the information security world since 1999 and in IT in general since 1996. His work history contains a unique blend of exceptional technical capability and business knowledge. Peter has achieved numerous technical and engineering qualifications and certifications, including becoming a Chartered IT Professional, a Fellow of the British Computer Society and a Certified Information Systems Security Professional (CISSP). Peter worked as CISO for the Gala Coral Group until 2010 before starting out on his own.