Beyond compliance: The business benefits of penetration testing

It goes without saying that the biggest benefit of carrying out regular penetration tests is protecting your business and customers from an attack and data breach. However, there are also a number of other benefits businesses can leverage.

Compliance is also crucial to avoid facing fines – from GDPR to PCI DSS and SWIFT CSP – but  compliance and protection from an attack are far from the only factors to consider here. If you’re looking for funding, looking to be acquired, or simply looking to land more deals, it might be time to consider the business benefits of penetration testing.


Peace of mind

Pen-testing can highlight where your team needs training, where your software needs updating and where your system needs restructuring. Crucially, independent pen testers can make these recommendations without trying to sell you a solution.

Ultimately this gives you peace of mind. Once your team’s cybersecurity strategy has been thoroughly tested with both manual pen tests and automated tools, you’ll know what you’re working with. You can see what’s not working, improve your protocols and setup, and ensure a continuity of security throughout your organisation. Then you can keep building your company without worrying about cracks in the foundation.


Attracting and keeping customers

It’s not only your organisation that will appreciate a pen tested infrastructure. You’re also able to pass on that peace of mind to your clients – reassuring them that their data is safe with you.

Large organisations are aware of the risks involved in trusting other companies with their data. Some of our own clients require cover letters for the companies they work with, and they won’t link their data to your organisation unless they can see you’ve either had a clean pen test or you’re addressing any issues that were found.

So if you can promote the fact that you’ve had pen testing done to prospective clients, you’ll be more likely to get through their quality assurance gate. And once you’re through it, you’ll be able to appeal to other key stakeholders too, particularly strategic and financial partners, who need to feel at ease before they give the go ahead.


Attracting investors

Speaking of financial partners, it’s here that the rubber can really hit the road. Companies looking to merge with or buy other businesses often won't even consider acquisitions that they can't qualify as being data-secure.

Shareholders can be equally discerning. If Series A or Series B funding is in your long term plans, you need to act like a billion dollar company before you’re treated like one. That means having a robust information security strategy and being able to prove it’s airtight.


Protecting your brand

The pandemic has made it clear that businesses need to look beyond present efficiency to create systems that are robust for the future. So while your brand may be high and dry to date, you can’t afford to roll the dice on your reputation tomorrow.

Thorough penetration testing can ensure you avoid more than GDPR fines. It can ensure you steer clear of irreparable damage to your brand. If vulnerabilities are uncovered in testing, especially if they come up more than once, you’ll know how you need to act to mitigate risk. You’ll be able to address the issues, create a long term continuity plan, and keep growing long into the future.


A blueprint for data security success

So whether your destination is acquisition, funding or converting more leads, a bias-free audit can set your company in the right direction. Your IT teams might have carried you this far. But scanning for blind spots will do them a favour in the long run – and inspire trust in all onlookers, too.

Datavax is a trusted, neutral, and CREST-certified cybersecurity partner. To learn more, don’t hesitate to get in touch.

GDPR - A recap on the changes

GDPR enhances the rights and principles already defined in the directive and the DPA however it also introduced some more significant changes, including the

  • Requirement to actively demonstrate compliance and document processing activities.
  • Greater powers for supervisory authorities and increased reliefs available to Data subjects.
  • The office of the data protection commissioner (ODPC) now has the ability to issue fines for non-compliance. A recent example of this; WhatsApp was issued a €225 million fine for breaching privacy regulations (BBC 2021).
  • Mandatory reporting of data privacy breaches to the appropriate supervisory authority.
  • Introduction of ‘privacy by design’ as a concept when developing, designing, selecting and using applications, services and products that are based on the processing of personal data.
  • Requirement to complete privacy impact assessments (PIAs) for change activity where there is a “high risk to the rights and freedoms” of the data subject or where processing is likely to be carried out on a large scale.

These changes and recommendations are complemented by guidance from other supervisory bodies such as the information commissioners office (ICO) in the UK who have advised organisations to consider the following:

Information you hold; awareness and communication; rights of individuals; data subjects access requests; legal basis for processing; consent; processing of children’s data; data breach reporting; privacy by design and pia’s; data transfers and appointment of data protection officers (DPO’s).

If you want to find out more about GDPR, read our blog: Data protection in SaaS, Who's responsible for what?

Data protection in SaaS – Who is responsible for what?

Although Europe already has some of the world’s most stringent data protection laws, those protections were upgraded when the general data protection regulation (GDPR) came into force in may 2018. Although it is obvious who is responsible for maintaining security of data held in in-house systems (you are), the modern operating environment is much more complicated.

The average organisation now uses 1427 cloud services, which means that there are potentially 1427 points at which your business may expose sensitive personal data.


Who is a data controller and who is a data processor?

Under GDPR, your business is known as a “data controller” – you are the body who has obtained personal data and outlined how it will be used. The data controller bears the greatest responsibility for ensuring information is properly protected against loss, theft or unauthorised sharing.

Every cloud provider you use must share some of that responsibility however, as they will now be classified as “data processors”. By accepting your business, data processors agree to be bound by the same terms as you – to protect personal data against, loss, theft or unauthorised sharing.


What is your cloud provider's responsibility?

In the past, data processors – like cloud service providers – had no real responsibility to understand the information held on behalf of their clients. Under GDPR this has changed slightly – the processor must at least maintain logs of data access for use in any investigation following a reported GDPR breach.

It is also extremely important to understand whether you, or your cloud provider, is responsible for implementing security. For PAAS/IAAS services which provide a basic platform on which your company builds its own systems (think amazon AWS and Microsoft Azure), you are most likely responsible for security provisions – so you will bear the greatest burden under GDPR.

If, on the other hand your cloud provider offers security as part of a SAAS package, they are most likely responsible for maintaining safeguards to protect your customers’ data. We say “most likely” because the GDPR does not specifically divide responsibility. Instead, your business must agree which party will take responsibility for each aspect of security. These agreements must be detailed in your service contract too.


Non-EU providers are still bound by GDPR

According to GDPR, any business processing data belonging to EU citizens has the same data protection responsibilities – and will be prosecuted to exactly the same extent as a local organisation in the same position. This means that google-based services – which have historically been delivered from data centres in the US – will have to adhere to GDPR.

Importantly, your business will need to negotiate GDPR-compliant contracts with businesses outside the EU. If an agreement is not possible, you will need to seek an alternative provider. Larger companies may not be able to offer sufficient flexibility to meet the specific contractual needs of your business and its customers, so consider this when negotiating.

Ignoring GDPR compliance is not an option – nor is assuming that investigators will automatically divide responsibility between parties.

Ultimately you, as the data controller, will hold the majority of the data protection obligations – but you need to be clear where there are any overlaps, and address them with your partners. Otherwise, you could be found liable for data loss – regardless of whether the incident occurred in your data centre, or that of your SAAS provider.