We made it to 2021. The world is in a state and many people are prophesying the coming of the "cyberwar". But hey, let us stay positive. Over the last 12 months many businesses, us included, moved to a 100% remote model. For some, it has been a project that the business has had on its plan for years. And then somehow it was rapidly implemented and security was added retrospectively.
Many say this was wrong. Yes, I am looking at you, security vendors, with your shiny boxes and claims of a silver bullet. But in fact, it wasn't done wrong. Businesses exist to make money for their shareholders, to pay their staff and (hopefully) to do some good in the community. If the transformation had not happened, then many of these businesses would no longer exist.
What does this have to do with Penetration Testing? Well, it is pretty much the number one reason why, this year, you should be considering undertaking a penetration test from a qualified, accredited company. All that excellent work to weather the global pandemic and shift the model of your company to a remote entity means that some security weaknesses could have been introduced. This is where it would be easy to fill a few paragraphs with FUD (Fear, Uncertainty and Doubt), but at Hedgehog we don't do that. It does, however, bring me nicely to the second reason for having a penetration test.
Demonstrating Good Cyber Security
As the lead Virtual CISO, I see my fair share of "security questionnaires" that need completing on behalf of our clients. I also send out a fair few myself and then provide our clients with a risk level based on the responses. Being able to demonstrate that you had a penetration test performed every six months, or at a minimum annually, means a great deal to those reviewing the risk you pose to their business. Taking it further, we are seeing a lot of our pentest clients asking for a certificate and a 2-page executive summary report that they can send to all of their clients. This demonstrates great cybersecurity dedication.
Staying True to the Data Protection Act
It would probably be fair to say that GDPR compliance may not be the first thing on your mind in 2021. But the fact is that the regulations always apply, and organisations cannot afford to ignore data protection. The UK's Information Commissioner has been taking increasing action against companies that breach the GDPR.
Article 32 of the GDPR is concerned with “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
If you think that sounds like a fair description of a penetration test, it’s because it is. And unless your business is 100% offline and 100% paper-based, your data processing will involve technical/IT systems. And that means you need a penetration test.
Of course, many out there would talk about the multi-million-pound fines that might be handed out. But in reality, how many of those have happened? Not many. The reality is that a DPA audit by the ICO following a breach is a headache that you don't need. And the breach in the first place is a bigger headache that you don't need. So why chance it?