WannaCry and GDPR – unlikely allies?

The global economic impact of cybercrime is currently estimated to be close to $600 billion, according to the Centre for Strategic and International Studies. This figure is set to reach eye-watering $2 trillion by 2019 as the intensity and frequency of attacks increase. Claiming over 200,000 victims, last year’s most notorious ransomware, WannaCry, infected 300,000 computers, leaving a trail of destruction in its wake. No one is safe from cybercrime – both businesses and individuals can be targeted.

The picture in the UK is much the same. The National Cyber Security Centre, founded in late 2016, has observed over 590 major cyber incidents during its first twelve months of operations, with the majority of these attacks aimed at businesses.

>See also: GDPR and the rising cost of ransomware

In an effort to combat the rising number and cost of data breaches, the General Data Protection Regulation (GDPR) will be coming into force on May 25th this year to force businesses to better protect consumer data from attacks.

Under GDPR, the impact of WannaCry and similar cyber-attacks will be twofold for the enterprise. First a damaging data breach, then a crippling GDPR fine. Organisations who don’t take their network security seriously could face ruin.

WannaCry and GDPR go hand in hand

WannaCry illustrated just how bad some organisations are at security. It also highlighted the diversity of threats out there. Contrary to some people’s preconceptions, WannaCry was not spread via email, like many other attacks that preceded it.

Instead, the attack targeted vulnerabilities within networks. Corporate networks, with no control or visibility into what’s happening inside their network, were easy pickings for the cyber criminals.

The worm used NSA-leaked EternalBlue software to exploit underlying vulnerabilities in public facing server message ports. In essence, it was accepted by networks with no idea what device was actually trying to establish a connection, and spread through them like wildfire. This explains the random nature and wide-spread reach of the attack, affecting organisations from the UK’s National Health System to CJ CGV, a cinema chain in South Korea.

>See also: Why the cyber threat landscape could grow under GDPR

If GDPR was in force, WannaCry would most likely have triggered fines of up to 4% of revenue for every one of the breached organisations, in addition to the costs of securing their network and the resulting downtime of critical services.

A costly data breach paired with a GDPR fine is something few organisations will be able to withstand unscathed.

Time is running out

Under GDPR regulations, organisations will need to keep data secure, be able to quickly issue alerts if a breach has occurred and make sure to report it within 72 hours. So, to stay compliant with GDPR, companies ultimately need complete visibility over all connected devices and their specific activities in order to know what is going on within their networks.

This reinforces the need for organisations to improve the efficiency of their security teams. Identifying and neutralising network vulnerabilities needs to be the key objective for them.

The proliferation of the Industrial Internet of Things will only compound the problem. Gartner predicts that more than 20 billion devices will be connected by 2020, by which point it expects that more than 25% of all attacks on enterprises will come via IoT devices. That’s a lot of unidentified devices accessing networks, possibly for nefarious purposes.

>See also: WannaCry — how the NHS actually got quite lucky

This has the potential to wreak havoc if outdated security protocols (or even no security at all) are in place. If every device is a potential weak point, companies urgently need to figure out a way to protect themselves.

And the potential threats aren’t just limited to ransomware. Take Mirai Botnet, for example. This is a malware that was used to orchestrate one of the largest DDoS attacks ever seen and that has recently resurfaced. It takes over control of IoT devices and uses them for criminal purposes. CCTV cameras and routers are amongst the most targeted devices but any IoT device could be affected.

With billions more about to come online, IoT could become a security nightmare for organisations, turning otherwise dormant devices into dangerous weapons. Some experts are worried that larger versions of cyber threats like Mirai Botnet could even bring down the entire internet.

>See also: Locking up the Internet of Things in 2018

The threat to organisations is clearly very real. With no protection and adequate cyber security measures in place, IoT devices on a corporate network are ticking time bombs. If companies continue to be complacent about their security efforts, a potential cyber-attack won’t just paralyse an organisation, the subsequent fines imposed by the GDPR legislation might cripple a business for years.

So, an investment in adequate protection against cyber threats isn’t just a means for companies to avoid these fines. It is a long-term investment in the longevity of a business.


Sourced by Tom Dolan, VP of Global Financial Services at ForeScout

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics