What these companies do is test your servers for vulnerabilities: they probe your server infrastructure to find where the gaps lie, what particular threats exist and what risks you face. It is worth noting that you can also purchase vulnerability scanning software that will tell you which ports are open on your servers; open ports can invite hackers to gain access and exploit your data.
Where to host your servers? This is also something you should focus on. If your hosting company houses your servers, it is a good bet that they will have their own technical safeguards, but because it is your server, it is your job to know what security is in place to protect it. Many companies use substandard methods of server hosting and substandard companies to house their servers. There are many providers out there, and it is up to you to choose; you should exercise due diligence to protect yourselves by asking what security is in place to protect your servers and the information contained within them.
There is no doubt that security flaws lead to higher risks, and there is plenty you can do to lower that risk. One way is to have suitable accreditation or certifications in place, such as Cyber Essentials and Cyber Essentials Plus, a UK Government approved scheme in which a certified third party asks you questions and, in the case of Cyber Essentials Plus, carries out suitable testing of your server infrastructure to see whether someone can gain entry.
Should someone hack into your servers, gain access to the information contained within and distribute it, or make it known that you were hacked, you could be looking at a substantial fine. Not only can these fines run into the hundreds of thousands if you suffer a breach, they can also run into the millions under the GDPR - and it is this that you want to avoid.
Knowing the ICO, they will want to know what safeguards you had in place, whether you did enough to protect the information contained on the servers, and what your attitude was towards continual improvement. Working with the ICO helps, as this can reduce a fine and shows that you are willing to act in the right way.
ISO 27001 is a great standard for improving your processes and it helps you to focus on continual improvement, but the downside is that no penetration testing is completed by the certification body; the auditors will only ask questions related to your information security and will hopefully push you towards getting penetration testing completed. Having Cyber Essentials Plus in place gives you a defence mechanism against cyber threats. People who appropriately probe your systems in order to help are a fantastic way of improving the security of those systems, because they will tell you where the dangers lie.
If the ICO do fine you, having found that you were not doing enough, then it is safe to say that any breach of data is going to cost you, and it is this of which companies should be aware.
Or else it's money (and reputation) down the drain...
Steven Burgess is an ISO 9001 and ISO 27001 Consultant to companies in the UK and also a Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.