The EU’s General Data Protection Regulation (GDPR) gives people in the EU greater control over their personal data. By treating data protection as a fundamental right, the GDPR has become the reference point for privacy legislation around the world. Although it is primarily thought of as a privacy law, the GDPR also imposes security requirements, among them an obligation to regularly test the effectiveness of security measures, which in practice means penetration testing.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private sector organizations collect, use, disclose and safeguard personal information. PIPEDA is expected to be replaced by the Consumer Privacy Protection Act (CPPA) in 2021/2022. The CPPA represents Canada’s effort to modernize its private-sector privacy regime, and it is a welcome development. However, the CPPA will not make penetration testing mandatory, so many Canadian organizations will continue to skip it despite its well-known benefits.
At Packetlabs, we believe that every organization should make penetration testing mandatory as a part of its security setup. In this blog, we explain why.
GDPR Makes A Strong Case for Penetration Testing
GDPR is known primarily for its focus on privacy. Article 25 requires “data protection by design and by default”: privacy-friendly default settings (privacy-by-default) and privacy as a core consideration throughout the design and development process (privacy-by-design).
Seen that way, GDPR may not appear to have much to do with penetration testing. In practice, though, privacy-by-design cannot be verified without testing the controls that protect personal data, and Article 32(1)(d) explicitly requires organizations to maintain:
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The regulation does not prescribe what must be tested, how, or how often. It does, however, make regular testing of security controls a legal obligation, and a penetration test is the most direct way to demonstrate that those controls hold up against a real attacker. That alone is a strong incentive to test any system or application that stores or processes personal data, and to repeat the test after significant changes rather than treating it as a one-off exercise.
The GDPR gives Canadian companies that handle the data of people in the EU a second reason to test: a short window for mandatory breach notification. Under Article 33, a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. A penetration test finds exploitable weaknesses before an attacker does, so this focus on prevention can spare a company both the breach itself and the scramble of a 72-hour disclosure.
Comparing the Costs of Penetration Testing and Data Breaches
As mentioned earlier, many organizations skip pen testing because the law does not require it. Another reason is that they lack the budget, or believe they do. The cost of a penetration test typically ranges from $1.5K to $150K, depending on the provider’s skills and experience, the objectives of the test, the complexity of the infrastructure, the methodology, and other factors. If that seems steep for your organization, consider the alternative: the cost of a data breach.
Research shows that a data breach can cost anywhere from $1.25 million to $8.19 million. According to IBM, the average total cost of a breach in 2020 was about $3.86 million, and each breached record containing customer personally identifiable information (PII) costs roughly $150. Multiply that figure by the number of such records your organization holds and compare the result with the price of a pen test. Does making penetration testing mandatory still seem expensive?
Another IBM report found that both the volume and the severity of cyberattacks have increased over the years: about 53% of the organizations surveyed had experienced a data breach in the previous two years, generally involving the loss or theft of sensitive or confidential information belonging to the business or its customers, and 51% had experienced significant business disruption in the same period.
IBM’s X-Force Threat Intelligence Index 2021 raised other critical issues, among them that ransomware, data theft and server access attacks threaten nearly every company. Canadian companies are no exception: 3% of them were victims of Sodinokibi (REvil) ransomware in 2020. Penetration testing is one of the most effective ways to stay ahead of such threats, which is why it should be a mandatory part of your security program even if your country’s privacy laws do not require it.
Conclusion: Make penetration testing mandatory for your company
A penetration test costs far less than the breach it can prevent. With the help of pen testing experts like Packetlabs, you can proactively strengthen your cyber defences and close security gaps before attackers exploit them. Make penetration testing a mandatory component of your risk management strategy.