A recent Information Commissioner’s Office (ICO) fine has emphasised the need for businesses of all sizes to undertake regular penetration testing in order to protect themselves and their customers.
An SME was this week fined £60,000 for failing to take reasonable steps to maintain data security, after personal data relating to over 26,000 customers was compromised by a cyber-attack in 2014. The ICO found that the organisation's failure to identify weaknesses across its infrastructure left, amongst other things, its website vulnerable to common hacking techniques such as SQL injection, which ultimately led to the breach.
A stark warning to SMEs
This penalty demonstrates the increasingly hardline approach that regulators are adopting towards organisations of all sizes that suffer a data breach. ICO enforcement manager Sally Anne Poole says that penalties such as this one should serve as a warning to other businesses that they will be held to account for their security failings:
“Regardless of your size, if you are a business that handles personal information then data protection laws apply to you.”
She believes that the General Data Protection Regulation (GDPR), set to be enforced in May 2018 (and which will see fines of up to 4% of an organisation’s global annual turnover), will increase the scrutiny placed on all businesses that process personal information:
“If a company is subject to a cyber-attack and we find they haven’t taken steps to protect people’s personal information in line with the law, they could face a fine from the ICO. And under the new General Data Protection Legislation coming into force next year, those fines could be a lot higher.”
Address security risks with a pen test
Commissioning a qualified ethical hacker to conduct regular website and network penetration testing is one way that businesses can do more to protect customer and employee information.
Redscan’s CREST-approved penetration testing services help organisations to effectively mitigate cyber security risk by not only identifying but helping to remediate gaps that could lead to technology, applications, people and processes being compromised by hackers and other online threats.