GDPR and Penetration Testing: Requirements and What You Need to Know

If you haven’t heard of GDPR yet, the wave of privacy-policy-update emails that went out probably landed in your spam folder. Our goal is to help you understand what GDPR is and, more specifically, how it relates to penetration testing. We often get inquiries asking what type of testing a client needs to satisfy a GDPR compliance requirement, so our team got together to provide some clarity.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation governing the personal data of individuals in the European Union. It applies to organizations that process that data, including organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU.

Among its many aims, GDPR is usually summarized as having two primary goals:

  • To define the data-protection rights of individuals in the EU.
  • To regulate how organizations handle those individuals’ personal data.

A key goal of GDPR is to give individuals more control over their own data. Under GDPR, individuals have the following rights:

  • To be informed: At the time data is collected, individuals must be told what is collected, why, and how it will be used, and any consent relied on must be freely and knowingly given.
  • Access: On request, companies must tell individuals what data has been collected about them and how that data is being used.
  • Rectification: If data is out of date or incorrect, individuals have the right to have it corrected.
  • Erasure: Where the data is no longer needed (for example, the individual is no longer a customer) or consent has been withdrawn, the individual has the right to have the data deleted.
  • To Restrict Processing: An individual has the right to request that their data not be used for processing; the data itself does not have to be deleted.
  • Data Portability: An individual has the right to receive their data in a machine-readable form and have it moved from one company to another.
  • To Object: Individuals have the right to object to processing, and an objection to direct marketing must be honored as soon as it is made.
  • Rights related to automated decision-making, including profiling: Individuals have the right to know when automated decision-making is used in a way that can affect them.

GDPR and Penetration Testing

What could privacy regulation and penetration testing have in common? A careful reading of the GDPR finds a direct link in Article 32(1)(d), which requires:

“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.”

Taken alone this could mean almost anything, because the article does not say what must be tested or how often. A strong rule of thumb is that any system or application that touches personal data should be tested, and the testing should be repeated on a schedule you can document, so you can show the process is in fact “regular.”

Penetration tests save time, save money and, in the worst case, save the business itself, whatever your industry (healthcare, fitness, financial, pharmaceutical, entertainment) and whatever your size or budget. If GDPR’s Article 32 isn’t reason enough to take penetration testing seriously, the mandatory breach notification should make you think twice.

The days of quietly delaying breach disclosure are gone. Under GDPR’s mandatory breach notification (Article 33), you must notify your supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, they must be told as well (Article 34). Hope for the best, prepare for the worst. After an incident, a penetration test is too late: the damage to your reputation, your finances and your business is already done. Don’t put your business in that position. A penetration test performed beforehand can find the vulnerabilities attackers would use before they find them.

Penetration Testing for GDPR Compliance Requirements

(External Infrastructure, Web App & Email, Internal Infrastructure)

External Infrastructure

The ICO (the UK’s supervisory authority) says that “the GDPR specifically requires you to have a process for regularly testing, assessing and evaluating the effectiveness of any measures you put in place.” In practice this means undertaking both vulnerability scanning and penetration testing: at least once a year, more likely once a quarter, and, depending on your risk appetite, with automated scanning as often as weekly or even daily.

Keep the rule of thumb from earlier: any system or application that touches personal data should be tested. As for how often, let your risk appetite decide, weighing how sensitive and how detailed your data is. The more personal data you hold, and the more sensitive it is, the more frequently you should test.

Vulnerability scanning is automated and generally covers every system visible on the public internet. It checks that operating systems and software are current, that patches and security updates have been installed, and it flags exposed services with known weaknesses. A scanner reports what is exposed; a penetration test goes further and confirms whether those exposures can actually be exploited, including whether known or default user credentials are in use, which a scanner alone will not tell you.

In other words, you want to be sure that no one other than you and your authorized users can reach your systems. A common example is an internet-enabled IP telephone system where the installation engineer added, or forgot to remove, default user credentials; anyone who knows them can log in, interrogate the directory and listen to voicemail messages. Industry researchers have also found that IT and system service providers do not always meet their contractual obligations (SLAs) to keep systems up to date and correctly patched, so verify rather than assume.
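As an added example (not code from the original article or from MainNerve), the script below shows the kind of triage that turns an external scan into the checklist discussed above: it parses an `nmap -sV` XML report, keeps only open ports on live hosts, and sorts them into two follow-up buckets for the tester, services that commonly ship with vendor default logins (the telephony case above) and services whose version the scanner could not read, so patch level has to be confirmed by hand. The XML is a constructed sample in nmap’s real `-oX` output format using RFC 5737 documentation addresses, and the `DEFAULT_CRED_RISK` service list is an assumption made for illustration, not a published list.

```python
"""Triage an nmap -sV XML report into an external exposure inventory.

Added example, not part of the original article. SAMPLE_NMAP_XML is a
constructed sample (RFC 5737 addresses); DEFAULT_CRED_RISK is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oX scan.xml 203.0.113.0/28` emits.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 203.0.113.0/28" start="1700000000">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <hostnames><hostname name="pbx.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="23"><state state="filtered"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="lighttpd" version="1.4.35"/></port>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp" product="net-snmp" version="5.7.2"/></port>
      <port protocol="udp" portid="5060"><state state="open"/><service name="sip"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="203.0.113.12" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="203.0.113.13" addrtype="ipv4"/>
  </host>
</nmaprun>"""

# Assumption for illustration: nmap service names that, in the article's
# IP-telephony scenario, often ship with vendor default logins and deserve a
# manual credential check during the penetration test.
DEFAULT_CRED_RISK = {"telnet", "sip", "snmp", "ftp"}


@dataclass(frozen=True)
class Exposure:
    host: str
    hostname: str
    protocol: str
    port: int
    service: str
    product: str
    version: str

    @property
    def unversioned(self) -> bool:
        # No version banner: the scanner cannot judge patch level by itself.
        return self.version == ""

    @property
    def default_cred_candidate(self) -> bool:
        return self.service in DEFAULT_CRED_RISK


def parse_nmap(xml_text: str) -> list[Exposure]:
    """Return one Exposure per open port on every host reported as up."""
    root = ET.fromstring(xml_text)
    found: list[Exposure] = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts are not part of the exposed surface
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        name = name_el.get("name", "") if name_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # filtered/closed ports are not reachable exposure
            svc = port.find("service")
            attr = svc.get if svc is not None else (lambda k, d="": d)
            found.append(Exposure(addr, name, port.get("protocol", ""),
                                  int(port.get("portid", "0")),
                                  attr("name", ""), attr("product", ""),
                                  attr("version", "")))
    return found


def triage(exposures: list[Exposure]) -> dict[str, list[Exposure]]:
    """Bucket exposures into the follow-up lists for a pentest scoping call."""
    return {
        "default_cred_checks": [e for e in exposures if e.default_cred_candidate],
        "verify_patch_level": [e for e in exposures if e.unversioned],
        "all_open": list(exposures),
    }


if __name__ == "__main__":
    for bucket, items in triage(parse_nmap(SAMPLE_NMAP_XML)).items():
        print(f"{bucket}: {len(items)}")
        for e in items:
            print(f"  {e.host} ({e.hostname}) {e.protocol}/{e.port} "
                  f"{e.service} {e.product} {e.version}".rstrip())
```

Replace `SAMPLE_NMAP_XML` with the contents of a real `-oX` report to use it on your own perimeter. The script only reads scan output and makes no login attempts; confirming whether the flagged SIP and SNMP services really accept default credentials is exactly the step where the manual penetration test picks up from the scanner.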

The same reasoning applies to web applications and email. External applications come in three general forms, and whichever form yours takes, if it processes PII you have a GDPR responsibility for it.

Internal Infrastructure

ASS-U-ME 

An internal vulnerability assessment looks at internal servers, networks and end-user devices such as laptops and desktops and, much like an external test, seeks to confirm that the systems are up to date and correctly configured. This area is often overlooked because it is assumed that an attacker will never get inside. Don’t “ass-u-me”; it’s a dangerous game. Once a single phishing email or stolen password gives an attacker a foothold, a poorly configured internal network makes reaching the personal data a short step, and a data breach with devastating damage the result.

There is good news for MainNerve customers: MainNerve has been providing this type of testing under our Best Practice model, and we have added our own inputs to ensure our customers are protected to the level GDPR expects. We take an “eyes on glass” approach to testing, meaning our testers perform up to 90% of the testing manually and review every report with our technical writers before it goes out. MainNerve specializes in the following compliance-driven testing: PCI, HIPAA, NERC, DFARS, CJIS, ISO 27001 and FedRAMP. Add GDPR and we are your one-stop shop for penetration testing and compliance needs.

Conclusion

To sum up, GDPR and security have been widely discussed. While GDPR creates controversy and even headaches for some businesses, it is also an opportunity for companies that value privacy and security to stand out. How you respond depends on your business’s perception of the risk.

Businesses will continue to grow in money, clients, information and data, and with that growth comes a larger attack surface and a greater chance of being hacked. There are safety measures you can take when it comes to security and GDPR, and penetration testing is certainly one of them.

If you’re ready to take action, fill out our Contact Us form.
