
Pen testing: why businesses need to be proactive not reactive ahead of the peak retail period

Written by Julia Wailes-Fairbairn

3rd October 2018


A breach at any time of the year is bad for business. But with the highest volume of sales – both retail and online – occurring between Black Friday and the January Sales, a customer data breach during this period could be catastrophic. With just a few weeks to go, it is time to be proactive, not reactive. Seeking external professional services at this stage could ultimately save immense damage to your business, your bottom line and your reputation.

First, some context. According to research (Carbon Black 2018), when it comes to cybercrime the most proactive investors are actually the cyber criminals themselves. It is estimated that they are now spending ten times more on finding cyber defence weaknesses in target organisations than the organisations themselves are spending on protecting against attack. Although the figures are global, with an estimated $1 trillion being spent by the cybercrime community compared to $96 billion by organisations to secure themselves, the UK has been identified as a major target.

Malicious attacks are therefore a very real threat, whether you handle card transactions through a bricks-and-mortar shop or an online business. Unfortunately, compliance does not guarantee the security of your network systems. Like an MOT, it only demonstrates that at a certain date and time your business met the PCI DSS compliance standard. Similarly, businesses which have taken positive steps towards adhering to the requirements of GDPR will still need to take a proactive approach to defending against cybercrime.

So, what can be done? The most important investment at this stage is in professional penetration testing. This is the key to knowing exactly where potential vulnerabilities may lie. A bespoke combination of both manual and automated testing is an extremely efficient way to identify weaknesses and can be carried out with minimal disruption. If serious gaps are identified then further testing will exploit and develop these as a potential hacker would, providing you with valuable intelligence. You will then be in a position to work with experts to take whatever remedial action is required in good time. If actual (as yet undetected) breaches have already occurred, these can be reported on and contained before significant damage occurs.

While prudent investment in cyber security is vital, there is, however, no need to throw money at the problem. Engaging a professional consultancy with the full range of services will save you any unnecessary expense. This is because the exercise will be scoped to ensure you pay for what you need, not what you don’t. A professional team will also have the expertise to manage the whole process in a proactive way to ensure you are ready for business at the end of November.

Although every precaution should be taken to protect your systems, test and exercise is not the only important element of a mature and robust cyber defence. Business Continuity Planning, Incident Response and Disaster Recovery Plans should also be in place and watertight. An expert consultancy will be able to help develop these so that business interruption in the event of a breach is kept to an absolute minimum. Additionally, SRM can provide Red Teaming and Incident Simulation activities to give you ultimate peace of mind.

To discuss the full availability of our Test and Exercise and Incident Response services, call +44 (0) 3450 21 21 51.