If you’re a security professional and you suspect your employer is asking you to penetrate other networks without proper authorisation, that is not just an awkward ethical dilemma. In England it could expose you personally to serious criminal liability.

The uncomfortable truth is that “I was just following instructions” is rarely a successful legal defence in cybercrime cases. So if your instincts say something is wrong, listen to them.

Here’s the responsible path professionals usually take.

Recognising the potential legal risk

Why unauthorised hacking can be illegal

In England and Wales, hacking offences are prosecuted under the Computer Misuse Act 1990. Even if you work in cybersecurity, accessing a system without permission from the owner can be an offence.

Possible penalties include:

- criminal prosecution
- fines
- imprisonment
- restrictions on computer use

The UK’s National Crime Agency regularly warns that cyber offences can be prosecuted even if the perpetrator claims they were testing security. In other words, if the company does not have explicit authorisation from the target organisation, you could personally be committing a crime.

Check whether proper legal authorisation exists

Ethical penetration testing requires written permission

Legitimate penetration testing always requires:

- written permission from the organisation being tested
- defined scope and rules
- legal contracts or testing agreements
- clear documentation of authorised activities

Security organisations such as OWASP emphasise that penetration testing must be performed only with explicit authorisation. If your company is asking you to probe systems without that consent, the activity may fall outside ethical cybersecurity practice.

Document your concerns carefully

Keep accurate records

Before raising concerns externally, it is important to document the situation carefully.
This may include:

- instructions you were given
- internal communications
- scope of the requested activity
- absence of legal authorisation

Documentation helps demonstrate that you acted responsibly and raised concerns in good faith. However, be careful not to take confidential data improperly, as that could create additional legal issues.

Raise concerns internally first

Use internal reporting channels

Most companies have internal reporting processes such as:

- compliance departments
- ethics hotlines
- internal whistleblowing channels

Under UK employment law, employees are often expected to raise concerns internally first before going outside the organisation.

Explain your concerns clearly and ask for clarification regarding:

- legal authorisation
- scope of testing
- contractual permission from target organisations

Sometimes what appears suspicious may simply be poor communication rather than wrongdoing.

Seek independent legal advice

Speak with a solicitor experienced in cyber law

If internal discussions do not resolve the issue, you should consider obtaining independent legal advice. A solicitor can help you understand:

- your personal legal exposure
- whether the activity breaches the Computer Misuse Act
- safe ways to raise concerns externally
- whistleblowing protections available to you

Professional legal advice is especially important if you believe illegal activity may be occurring.

Understand whistleblowing protections

UK law protects certain disclosures

Employees who report wrongdoing may be protected under the Public Interest Disclosure Act 1998. This law protects workers who disclose information about issues such as:

- criminal activity
- legal violations
- unethical conduct affecting the public interest

However, whistleblowing protections can be complex, which is another reason legal advice is recommended before acting.
Consider reporting to regulators or authorities

External reporting may sometimes be necessary

If serious wrongdoing is occurring and internal channels fail, concerns may sometimes be raised with appropriate authorities. Depending on the situation, this could involve:

- regulators
- law enforcement
- relevant oversight bodies

Again, legal advice should guide this step to ensure you act within the law and protect yourself.

Ethical cybersecurity principles

The core rule: consent

In professional cybersecurity practice, the most important ethical principle is simple: Never test or access a system without the owner’s permission.

Organisations such as the National Cyber Security Centre and OWASP stress responsible security testing and lawful conduct. Ethical hackers operate within strict legal frameworks precisely to avoid the situation you are describing.

Signs something may be wrong

Warning signs that penetration testing may be unethical or illegal include:

- no written authorisation from the target organisation
- requests to hide activity
- vague or undefined scope
- instructions to bypass legal processes
- management dismissing legal concerns

If you see several of these signals, caution is justified.

A practical course of action

Responsible steps to protect yourself

- Verify the legality of the work requested.
- Document instructions and communications.
- Raise concerns internally with management or compliance.
- Seek independent legal advice.
- Use whistleblowing protections if necessary.

This approach protects both your professional reputation and your legal position.
Final thought

One of the hardest realities in cybersecurity is that the difference between ethical hacking and criminal hacking is permission. If that permission is missing, the situation changes completely.

The fact that you are questioning the ethics of what you are being asked to do is not a weakness. In cybersecurity, it is often the strongest sign that you understand the profession properly.

And protecting your integrity is ultimately more important than protecting any company’s questionable practices.