SHIFT IN TACTICS AMONG CYBER CRIMINALS
While the General Data Protection Regulation (GDPR) brings with it opportunities for companies to further secure data, it may also lead to a shift in tactics among cyber criminals. After 25 May, perpetrators with access to personal data will effectively have a price point for what to demand following an attack and can threaten to expose companies to the Information Commissioner’s Office (ICO) unless a ransom is paid. Given the severe fines permitted under the GDPR and the potential for reputational damage, victims may opt to pay criminals even if it means agreeing to an inflated ransom. According to a 2017 report by Symantec, the average ransomware demand recorded by the software company for a single infection was USD1,071 in 2016 and USD544 in 2017 (to July), considerably less than the fines the ICO is able to impose.
Research published by the Online Trust Alliance (OTA) indicates that the GDPR comes into force after unprecedented year-on-year rises in cyber incidents. The OTA found that there were an estimated 160,000 global attacks in 2017 – including breaches, ransomware and DDoS – compared to approximately 80,000 in 2016. Because of underreporting, the same research also speculated that there may have been as many as 350,000 incidents in 2017. Consequently, the threat level facing companies accountable under the GDPR is assessed to increase only after the regulation takes effect and throughout 2018, amid a continued rise in breaches worldwide.
WHAT ARE THE FINES?
The GDPR becomes enforceable on 25 May and is set to dramatically change how companies both inside and outside the EU manage and secure the personal data of EU citizens. As has been widely reported, penalties for non-compliance with the GDPR can be severe. For the most serious breaches a fine of up to 4% of an organisation’s global annual turnover or €20 million (USD23.5 million) may be imposed, whichever is higher.
COMPLIANCE REQUIRES CONSISTENT IMPROVEMENT
Although companies must prioritise compliance with the regulation, it is equally important to keep improving enterprise data management, including the development of personnel, and to recognise how the GDPR could alter the modus operandi of cyber attacks.
Companies should not view the GDPR simply as a set of prescribed steps after which compliance is achieved, but rather as the beginning of a comprehensive, enterprise-wide data protection policy that demands regular review. Further advised measures include regular audits of data processing activities and security protocols, keeping records of personal data up to date, and carrying out data protection impact assessments when processing is deemed “likely to result in a high risk to the rights and freedoms of natural persons”.
Employee development is essential not just to familiarise staff with the GDPR, but also with the basics of cyber security. The results of a 2016 / 2017 social engineering study released on 9 April 2018 by Positive Technologies emphasise how staff may facilitate a breach. Of the 3,332 malicious emails sent to company employees during 10 penetration tests, 27% of recipients clicked on phishing links. Of additional concern is that, of those who fell victim to links and other forms of social engineering, 12% worked in IT and 3% were even employed in information security.
HOW NYA CAN ASSIST
NYA can help companies work towards compliance and advise on IT security best practice to effectively fortify the network against cyber criminals. Going beyond the regulation’s requirements calls for a tailor-made approach unique to every enterprise. By periodically reviewing existing policies, testing protection systems for vulnerabilities and assessing prevailing threats, NYA can implement an enterprise-specific framework that provides resilience.
This is a Security Bloggers Network syndicated blog from NYA authored by Alison Burrell. Read the original post at: https://www.nyarisk.com/2018/05/24/will-cyber-ransoms-increase-gdpr/