If you’re a security professional and you suspect your employer is asking you to penetrate other networks without proper authorisation, that is not just an awkward ethical dilemma. In England it could expose you personally to serious criminal liability. The uncomfortable truth is that “I was just following instructions” is rarely a successful legal defence in cybercrime cases.
So if your instincts say something is wrong, listen to them. Here’s the responsible path professionals usually take.
Recognising the potential legal risk

Why unauthorised hacking can be illegal
In England and Wales, hacking offences are prosecuted under the Computer Misuse Act 1990.
Even if you work in cybersecurity, accessing a system without permission from the owner can be an offence.
Possible penalties include:
- criminal prosecution
- fines
- imprisonment
- restrictions on computer use
The UK’s National Crime Agency regularly warns that cyber offences can be prosecuted even if the perpetrator claims they were testing security.
In other words, if the company does not have explicit authorisation from the target organisation, you could personally be committing a crime.
Check whether proper legal authorisation exists
Ethical penetration testing requires written permission
Legitimate penetration testing always requires:
- written permission from the organisation being tested
- defined scope and rules
- legal contracts or testing agreements
- clear documentation of authorised activities
Security organisations such as OWASP emphasise that penetration testing must be performed only with explicit authorisation.
If your company is asking you to probe systems without that consent, the activity may fall outside ethical cybersecurity practice.
Document your concerns carefully

Keep accurate records
Before raising concerns externally, it is important to document the situation carefully.
This may include:
- instructions you were given
- internal communications
- scope of the requested activity
- absence of legal authorisation
Documentation helps demonstrate that you acted responsibly and raised concerns in good faith.
However, be careful not to take confidential data improperly, as that could create additional legal issues.
Raise concerns internally first
Use internal reporting channels
Most companies have internal reporting processes such as:
- compliance departments
- ethics hotlines
- internal whistleblowing channels
Under UK employment law, employees are often expected to raise concerns internally before going outside the organisation.
Explain your concerns clearly and ask for clarification regarding:
- legal authorisation
- scope of testing
- contractual permission from target organisations
Sometimes what appears suspicious may simply be poor communication rather than wrongdoing.
Seek independent legal advice

Speak with a solicitor experienced in cyber law
If internal discussions do not resolve the issue, you should consider obtaining independent legal advice.
A solicitor can help you understand:
- your personal legal exposure
- whether the activity breaches the Computer Misuse Act
- safe ways to raise concerns externally
- whistleblowing protections available to you
Professional legal advice is especially important if you believe illegal activity may be occurring.
Understand whistleblowing protections
UK law protects certain disclosures
Employees who report wrongdoing may be protected under the Public Interest Disclosure Act 1998.
This law protects workers who disclose information about issues such as:
- criminal activity
- legal violations
- unethical conduct affecting the public interest
However, whistleblowing protections can be complex, which is another reason legal advice is recommended before acting.
Consider reporting to regulators or authorities

External reporting may sometimes be necessary
If serious wrongdoing is occurring and internal channels fail, concerns may sometimes be raised with appropriate authorities.
Depending on the situation, this could involve:
- regulators
- law enforcement
- relevant oversight bodies
Again, legal advice should guide this step to ensure you act within the law and protect yourself.
Ethical cybersecurity principles
The core rule: consent
In professional cybersecurity practice, the most important ethical principle is simple:
Never test or access a system without the owner’s permission.
Organisations such as the National Cyber Security Centre and OWASP stress responsible security testing and lawful conduct.
Ethical hackers operate within strict legal frameworks precisely to avoid the situation you are describing.
Signs something may be wrong
Warning signs that penetration testing may be unethical or illegal include:
- no written authorisation from the target organisation
- requests to hide activity
- vague or undefined scope
- instructions to bypass legal processes
- management dismissing legal concerns
If you see several of these signals, caution is justified.
A practical course of action
Responsible steps to protect yourself
- Verify the legality of the work requested.
- Document instructions and communications.
- Raise concerns internally with management or compliance.
- Seek independent legal advice.
- Use whistleblowing protections if necessary.
This approach protects both your professional reputation and your legal position.
Final thought
One of the hardest realities in cybersecurity is that the difference between ethical hacking and criminal hacking is permission.
If that permission is missing, the situation changes completely.
The fact that you are questioning the ethics of what you are being asked to do is not a weakness. In cybersecurity, it is often the strongest sign that you understand the profession properly.
And protecting your integrity is ultimately more important than protecting any company’s questionable practices.
We have created professional, high-quality downloadable PDFs at great prices, specifically for small and medium UK businesses, on our main website. They include various helpful cyber-related documents and real-world scenarios your business might experience, showing what to do and how to protect your business. Find them here.