Even months after interest in GDPR compliance peaked, some companies are struggling to make sure they comply with this new set of regulations aimed at protecting the privacy and security of European citizens. The regulation applies to businesses anywhere as long as their users are in the EU, and with the highest penalties potentially reaching the millions of euros, they’re right to worry.
Take the case of British Airways for example. On September 6th, 2018 the airline announced that it had suffered a breach that affected around 380,000 users, and that part of the stolen data included personal and payment information.
Now, although we don’t know the fine that will be levied on British Airways, under GDPR a violation such as this one may lead to a fine of €20 million or up to 4% of a company’s annual turnover in the previous year (whichever is higher), which for BA could reach about £489 million (US$633 million) based on 2017 figures.
A similar case is that of Marriott. In November 2018 they announced that they had been a victim of an attack that compromised the data of 500 million users. Marriott’s annual turnover in 2017 was US$22.9 billion.
More recently, Google has been the target of a €50 million fine in France for failing to provide enough information to users about its data consent policies and not giving them enough control over how their information is used.
Often when we read about GDPR, it may sound like it’s all about notifications: letting users know what kind of data the company collects and how it will be used, and notifying them of security breaches in a timely fashion. But if these cases show us anything, it’s that companies will be under scrutiny not only for how they use their customers’ data but also for how they protect it. This is where early detection and prevention of security vulnerabilities is key.
Article 32 of the GDPR provides that businesses must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including […] as appropriate: […] a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
Granted, that’s not very specific. What counts, and what doesn’t, as a “process for regularly testing” security? We outline a few possibilities below:
- Penetration testing
A penetration test or “pen test” is a simulated attack against a system to determine its security and any vulnerabilities it may have that leave it open to attackers. Pen tests are usually done by consultants using both automated tools and manual, ad-hoc tactics to attempt to exploit the system.
The cost for a pen test depends on who’s doing it, but they usually start at around US$5,000.
- On-premises vulnerability scanners
Some of the tools pen testers use are available for purchase. These usually include desktop or online scanners, but require some advanced knowledge of web security to be able to act on vulnerabilities they find.
Pricing depends on the software of choice, with some providers charging a one-time fee of around $5,000, and others about the same amount on a yearly basis.
- Cloud vulnerability scanners
Cloud-based web scanners are services that simulate attacks against a web app in the same way an actual attacker might. They use some of the same tools consultants use during a pen test. Once the scan is complete, you’ll get a report with any vulnerabilities found.
The cost for these scanners varies, with paid versions starting at under US$100 a month.
The benefit of prevention vs reaction
According to IBM Security, the average cost of a large data breach (one in which more than one million records are lost) in 2018 was US$3.9 million. This figure takes into account the many categories of expense arising from a breach, including lost business, technical investigations, legal penalties, and employee time spent on recovery.
A cost that high puts into perspective the benefit of regularly scanning your apps and finding security holes that need fixing before someone else does. In combating data breaches, the cost of prevention is much lower than that of reacting after the fact.
Overall, with the number and frequency of attacks increasing in recent years and the fact that the GDPR is now in effect, “better safe than sorry” makes more sense than ever.