Last month, the world saw the unveiling of the European General Data Protection Regulation (GDPR). Its aim is to protect and empower all European Union (EU) residents, whether in Europe or overseas, when it comes to their data privacy. It also serves to reshape the way organisations operating in the European market approach data privacy.
In a nutshell, the GDPR wants EU residents to have complete control over their personal data by simplifying the regulatory environment. However, companies around the world are choosing to implement the regulation across all customers to ensure their data is also protected, and to streamline the compliance process. This is why many of our inboxes are now flooded with updated privacy statements from global brands.
However, as residents and businesses welcome the introduction of GDPR, so do cyber criminals.
GDPR may lead to an increase in sophisticated ransomware attacks
Businesses are undertaking specific measures to improve their cyber security capability in order to protect the data they have, and to comply with GDPR. However while this may thwart lower level attacks, it is very likely to attract higher concentrations of strategic and sophisticated attacks likely to devastate an organisation.
For example, in some instances it will be less costly for a business to give in to a ransom demand than to inform customers when a breach occurs. If it costs a dollar to notify each user, and a company has 500,000 users, there’s already a cost of half a million dollars before any fines or further expenses are calculated. Hackers use this to their advantage by demanding a smaller amount as ransom, incentivising companies by providing the “lesser of two evils” option.
Not only does paying a ransom potentially cost less than reporting, but hackers convince companies that they’ll waive the reputational damage that comes with a public breach, by attempting to sweep it under the rug.
Further to that, GDPR outlines that organisations have a 72 hour reporting period once they have been made aware of a breach, to notify the right authorities. Hackers can take advantage of this small window by applying pressure on an organisation to act on a ransom demand. We’ve seen examples of ransom payouts in the cases of Uber, Yahoo and Equifax - showing that a breach is likely to surface no matter what steps companies take to hide it.
GDPR could make it harder to protect residents
The GDPR also adds increased complexity to incident response. Services which provide vital information to security researchers and law enforcement agencies to identify the origins of phishing scams or malware distribution sites are finding it difficult to comply to the regulation.
The Internet Corporation for Assigned Names and Numbers (ICANN) is currently struggling to get their WHOIS system, used to query domain name registrant databases, to comply with the GDPR. This is unlikely to occur until at least December 2018, meaning agencies and researches will have a difficult time investigating potential cyber attacks, and leaving themselves open to hackers in the meantime.
The increase in strategic, sophisticated attacks and their impact further drives the need for organisations to remain vigilant. Knowing the type of data held, how it is protected and even if it is required, needs to be assessed and appropriate action undertaken to reduce risk. This, in line with appropriate governance, technical controls, detection and response capabilities need to be focal points for all organisations, large and small.
By Murray Goldschmidt, COO at cyber security firm Sense of Security