The benefits of vulnerability scanning and penetration testing of information systems


Date: 7 January 2021

The information systems that power your organisation expose you to operational risk, particularly where they are customer-facing, e.g., websites, mobile apps, or Software as a Service (SaaS) solutions. Underlying vulnerabilities can be exploited by anyone with the right tools and malicious intent. Whether you develop bespoke solutions or use off-the-shelf products, there is an inherent risk that these systems leave the organisation exposed to harm that affects your customers (e.g., a breach of personal data) and/or the organisation itself (financial and reputational loss). There are, however, steps you can take to manage this risk and demonstrate your organisation’s commitment to data security.

Vulnerability scanning

Many systems and off-the-shelf software products have known vulnerabilities that malicious actors can use to compromise an organisation’s systems, and new ones are published almost daily. Security specialists monitor these disclosures and maintain catalogues of known vulnerabilities in technology frameworks, libraries and protocols (the CVE list and the National Vulnerability Database are the best-known public examples). “Vulnerability scanning” is the term for systematically checking an organisation’s networks and applications against such a catalogue: the scanner identifies which components and versions are present and reports any that match a known, catalogued weakness. A scan therefore finds only what is already catalogued; it does not, by itself, discover new flaws or prove that a flaw is exploitable in your environment.
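At its core, the matching step a scanner performs is version-range comparison of an inventory against a catalogue. The following Python is an added illustration of that step and is not code from the original article or from any scanning product. The catalogue entries (with made-up identifiers of the form EXAMPLE-2021-000N), the package names and the installed versions are all constructed sample data, not real advisories; a real scanner would read its catalogue from a feed such as the NVD and its inventory from the host or build.

```python
"""Minimal known-vulnerability scanner: match an inventory of installed
components against a catalogue of affected version ranges.

Added illustration only. CATALOGUE and INVENTORY below are constructed
sample data with hypothetical advisory identifiers, not real advisories.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric.

    A lexical (string) comparison would rank '1.1.10' below '1.1.9' and
    mis-classify a patched component as vulnerable, a classic scanner bug.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # hypothetical identifier for the sample entry
    package: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    severity: str           # "critical" | "high" | "medium" | "low"


def is_affected(installed: str, adv: Advisory) -> bool:
    """True if the installed version lies in [introduced, fixed)."""
    v = parse_version(installed)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def scan(inventory: dict[str, str], catalogue: list[Advisory]) -> list[dict]:
    """Return one finding per catalogue entry that matches the inventory,
    highest severity first so remediation effort can be prioritised."""
    findings = []
    for adv in catalogue:
        installed = inventory.get(adv.package)
        if installed is None or not is_affected(installed, adv):
            continue
        findings.append({
            "advisory_id": adv.advisory_id,
            "package": adv.package,
            "installed": installed,
            "fixed_in": adv.fixed or "no fix available",
            "severity": adv.severity,
        })
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed catalogue (hypothetical advisories, not real ones).
CATALOGUE = [
    Advisory("EXAMPLE-2021-0001", "webframework", "2.0.0", "2.4.1", "high"),
    Advisory("EXAMPLE-2021-0002", "jsonlib", "1.0.0", None, "critical"),
    Advisory("EXAMPLE-2021-0003", "tlslib", "1.1.0", "1.1.10", "medium"),
    Advisory("EXAMPLE-2021-0004", "imagelib", "3.0.0", "3.2.0", "low"),
]

# Constructed inventory of installed components and versions.
INVENTORY = {
    "webframework": "2.4.0",   # one release short of the fix -> affected
    "jsonlib": "1.3.2",        # no fix published -> affected
    "tlslib": "1.1.10",        # exactly the fixed version -> not affected
    "imagelib": "2.9.9",       # predates the affected range -> not affected
    "logger": "5.0.0",         # nothing in the catalogue for it
}

if __name__ == "__main__":
    for f in scan(INVENTORY, CATALOGUE):
        print(f"{f['severity']:<8} {f['advisory_id']}  {f['package']} "
              f"{f['installed']} (fixed in {f['fixed_in']})")
```

Run as a script it reports two findings, the critical jsonlib entry first and then webframework; tlslib is correctly left out even though "1.1.10" sorts before "1.1.9" as a string. Because the inputs are plain data, the same function can be re-run unchanged whenever the catalogue or the inventory changes, which is what makes scanning a repeatable rather than one-off exercise.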

Benefits of vulnerability scanning

Vulnerability scanning has several benefits:

  • Identifies vulnerabilities before external threats can take advantage of them;
  • Once configured, can be run as a repeatable process, providing ongoing, updated assurance;
  • Facilitates incremental improvements; and
  • Contributes to meeting data protection requirements and facilitating the security of processing.

Penetration testing

Penetration testing (sometimes referred to as a pen test) complements vulnerability scanning. Where a scan reports what might be vulnerable, a pen test attempts to exploit those and other weaknesses, simulating an attack by individuals or organisations with the skills, resources and motive to do harm to your organisation and customers.

This can include simulated activities such as phishing emails. Phishing is a form of social engineering, in which the would-be attacker poses as a trustworthy sender and encourages employees to take an action (e.g., clicking a link or entering credentials) that gives the attacker a foothold from which to pursue their goal.

Benefits of penetration testing

Penetration testing enables the organisation to:

  • Confirm which identified vulnerabilities are actually exploitable and what an attacker could reach through them;
  • Simulate real-world attack scenarios;
  • Prioritise where to focus mitigation efforts;
  • Reduce the organisation’s attack surface by fixing what the test uncovers;
  • Facilitate incremental improvements; and
  • Demonstrate due diligence to aid in compliance accountability.

Evolving threat

Vulnerability scanning and penetration testing can be carried out before a system is deployed to production. However, threats continue to evolve once the system is live: the underlying frameworks and codebase it is built on are continually exposed to newly disclosed vulnerabilities, so a scan or pen test only reflects the state of the system on the day it was run. Alongside a good vulnerability management programme (e.g., security patching and bug fixing), periodic reassessment using vulnerability scans and penetration testing helps keep your organisation’s attack surface to a minimum.

Trilateral Data Protection and Cyber-risk Service

The Trilateral Research Data Protection and Cyber-risk team has extensive experience helping organisations ensure their information systems are compliant with data protection and ePrivacy regulations. We offer a range of data governance services, including vulnerability scans and penetration testing exercises to help your organisation gain assurance in the security of your systems. For more information, please feel free to contact our advisors who would be more than happy to help.
