The biggest change to data protection laws since the 1990s, GDPR requires businesses to put “appropriate measures” in place to protect the Personally Identifiable Information (PII) it holds, whether that’s customers, prospects, employees or suppliers. All businesses will hold some form of PII, even if it’s just employee data, and therefore must comply with GDPR.
2017 saw cyber threats like ransomware finally covered in the mainstream media thanks to the global WannaCry, Petya and Bad Rabbit outbreaks. The beloved NHS was hit in an attack that was initially perceived as a targeted strike on the National Health Service.
However, it quickly came to light that the NHS was just one of thousands of businesses worldwide that was hit. International businesses like Maersk suffered losses in the hundreds of millions. Sophos’ survey with IT Managers found that over half of businesses surveyed had been hit by ransomware in 2017.
It wasn’t just ransomware that saw a resurgence last year; 2017 was dubbed ‘year of the cyber-attack’ thanks to the proliferation of malware attacks and data breaches. Notable attacks include the Uber breach (and infamous coverup) and the Equifax data breach. One thing that stood out in 2017 was that hackers were targeting business data with some ferocity and, according to security experts, hackers will be more hellbent than ever on getting their hands on your precious PII data under GDPR.
Heimdal Security researchers have warned businesses that they’re likely to see an increase in cyber-attacks under GDPR as the hackers use the regulation as leverage, holding businesses to ransom lest they face a fine from the Information Commissioner’s Office (ICO), which is responsible for enforcing GDPR.
Ransomware is an obvious tool of choice for cyber criminals, with the ability to compromise data, demand payment and falsely promise the decryption key in return for the ransom.
Ransomware attacks and their ransom demands often have a time limit too, with the threat of destruction if the demands aren’t met in time. This adds a strong element of social engineering, whereby victims are manipulated into action. Any malware or cyber-attack that compromises data, though, gives cybercriminals the upper hand.
The Uber hack is the perfect example of how hackers could operate under GDPR. The hackers successfully blackmailed Uber into paying over £750,000 to keep the data breach – which saw the PII data of over 57 million customers stolen – a secret.
Uber would have breached GDPR twice with this hack; one for the cyber-attack itself, one for the cover-up. A lot of the media attention around GDPR has focused on the potential fines – 2-4% of global turnover, depending on the severity of the breach – in the event of a data breach, but less so on the strict reporting requirements set out by the ICO.
Businesses will be required to report breaches to the ICO within 72 hours of discovering them. Further, if the breach is likely to “adversely affect individuals’ rights and freedoms”, victims whose data has been breached must be notified too. As Uber failed to carry out these two key duties, it would likely be punished severely under the GDPR.
Uber hasn’t, in fact, gotten off lightly; its chief information security officer John Flynn has recently had to testify to the US Senate, whilst UK, Australian and Filipino authorities could still launch legal investigations into the hack.
Assuming Uber would be fined the maximum penalty of 4% of global turnover, which was $6.5 billion in 2016, it could have faced an eye-watering fine of $260 million. Research into some of the most high-profile data breaches of the past year revealed that, on average, the fines doled out to those businesses would be 79x higher under GDPR.
With statistics like this, it’s easy to see why paying a ransom in the tens or hundreds of thousands to the hackers would be preferable to paying fines that would potentially reach the millions to the ICO and the unwanted publicity that would come with that. But no security expert worth their salt would recommend that you pay up; not only would it be in breach of GDPR, but hackers are more likely to target businesses who pay the ransom again.
It’s very likely that your business will be earmarked as a ‘payer’ – a guaranteed cash cow. There’s also no guarantee that your files will be returned to their original state (after being encrypted by ransomware) or destroyed (if hackers have stolen your data); only 45% of UK businesses who’ve paid a ransomware demand have successfully gained access to their files (Sophos).
The key element is also that paying the hackers doesn’t guarantee that you’ll avoid the fines associated with GDPR. Uber’s breach eventually got out and it’ll likely face harsher penalties for the coverup than the data breach itself.
When it comes to breaches, the ICO requires you to prove that you put those adequate measures in place to prevent a breach. Thanks to the proliferation of zero-day attacks, whereby hackers exploit yet-unknown vulnerabilities, there’s still the possibility that you’ll get hit. But providing you put robust cyber security measures in place, you won’t get punished.
It’s very much a case of prevention is better than cure when it comes to complying with GDPR. The regulation explicitly mentions encryption as a means of protecting your data; taking heed of this will put you in a great position not only in defending against data breaches, but in proving to the ICO that you have put protections in place to secure your data. With the proliferation of Ransomware and the fact that traditional anti-virus solutions don’t stand up to it, it’s also a good idea to implement a Ransomware-specific anti-virus product.
When it comes to reporting to the ICO, root cause analysis technologies will be essential. These technologies allow you to see where and when the attack breached your system and will allow you to prove to the ICO what measures you put in place.
The cyber threat landscape has been growing year-on-year thanks to the increasing number of internet-connected devices used by both consumers and businesses alike. 2016 was dubbed ‘year of the ransomware’ thanks to the resurgence of the unique malware, whilst 2017 was simply the ‘year of the cyber attack’. There’s no doubt that 2018 will follow this upward trend and, according to experts, it’ll only get worse under GDPR.