Your organization is “GDPR compliant”, but do you perform penetration tests?

21 November 2018

Today’s organizations are facing an ever-expanding set of legal and regulatory compliance requirements regarding how they must handle sensitive information, how they must ensure the resilience of their digital processes, and how they must protect the privacy of individuals. Organizations must not only operate within legal and contractual boundaries but do so in a way that creates the business value that their stakeholders expect of them.

 

The business risk and cost of insufficient compliance with laws and regulations, and of insufficient attention to information security and privacy, have also increased significantly in recent years.

The European Union’s General Data Protection Regulation (GDPR) is one example: European data protection authorities have been given powerful tools to sanction organizations that do not sufficiently comply with its strict privacy principles, with administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher. In addition, the risk of an organization becoming the victim of a cyberattack that disrupts critical business processes has increased.

In June 2017 the shipping giant Maersk was hit by a destructive, ransomware-style attack (NotPetya) that encrypted PCs and servers across the company. According to the Financial Times, Maersk estimates the damage to the organization at between USD 200 and 300 million. Cybercrime has become big business, and cybersecurity experts have observed a professionalization of how information and hacking tools are shared freely and sold in dark corners of the internet.

 

Compliance is a complex topic as it touches all levels of an organization from strategic to tactical and operational processes. Many organizations are turning to best practice standards and compliance frameworks when designing their internal organization, policies, processes, and technical security measures for compliance.

 

Penetration testing – your infrastructure protects your information and business processes

Penetration testing is the practice of putting the security of computer systems, networks, or web applications to the test by attacking them under controlled conditions, the way a real attacker would. The goal of the security experts is to find any vulnerabilities that could be exploited by an attacker to gain unauthorized access to sensitive information, or to disrupt the infrastructure and the business processes that depend on it.

The results of a penetration test, including every vulnerability found during the simulated attack, are classified by criticality based on the potential business impact and on how easily the weakness can be exploited, and are presented to the organization together with recommendations for remediation. This allows the organization to remove or manage vulnerabilities before they lead to information leakage, disrupted business processes, and negative business impact.

 

Penetration testing – an important building block of your compliance framework

Legal and regulatory frameworks such as the European Union’s GDPR mostly outline general principles for protecting information rather than detailed technical requirements. GDPR Article 32, for example, requires “a process for regularly testing, assessing and evaluating the effectiveness” of the technical and organizational security measures, but does not say how that testing should be done. These principles and requirements need to be interpreted by each organization and translated into concrete actions that ensure compliance. Organizations sometimes struggle with this process, as it requires knowledge and experience from different disciplines: sector-specific and privacy laws and regulations, information security management, and IT security.

 

Penetration testing is an important building block of any compliance framework offering many direct and indirect benefits for organizations including:

  1. Improved regulatory compliance, e.g. regarding PCI DSS, which explicitly requires penetration testing, or the requirement in GDPR Article 32 to regularly test the effectiveness of security measures.
  2. Improved stakeholder confidence, including management, business partners, and customers.
  3. Improved business resilience through avoided security incidents and business disruptions, reducing the risk of financial loss, loss of customer confidence, and regulatory fines.
  4. Improved risk management, since increased transparency about actual vulnerabilities enables decisions and prioritization based on facts rather than on gut feeling.
  5. Improved security posture and organizational learning through regular testing, validation, and exercises.

Sebastian Carlsson

Deputy CEO and Head of Cybersecurity

sebastian.carlsson@combitech.com
