With the entry into force of the new General Data Protection Regulation (GDPR) in May 2018, the requirements for companies that handle data involving Europeans’ personal information will become more stringent. The same goes for organizations and public institutions. Recently, we explained the fundamental changes brought about by the application of the GDPR and the most popular myths that have been spread in the media. On this occasion, we will analyze how cyber attackers could profit from this new regulation.
Resorting to cyber blackmail
According to a survey by Crowd Research Partners, 30% of organizations are not ready to comply with the GDPR and will have to make substantial changes to their security policies and technologies. Companies must take into account that this regulation involves paying special attention to data management within the company, requiring a very thorough treatment of customer information. Failure to notify the authorities of security incidents could result in some seriously heavy fines. In addition to preparing for the GDPR, organizations must also keep in mind that cybercriminals may see it as an opportunity.
How can they take advantage of the new regulation? The most direct way: seeking even higher ransoms.
The GDPR requires organizations to keep their employees’ and their clients’ data under wraps. Breaches of Personally Identifiable Information (PII) are the primary target of the new framework. When cybercriminals realize the value of PII, they can sequester it and subsequently threaten to report the security breach to the compliance authorities. If the cyber attackers do not receive the ransom, they will proceed to leak the data and the companies will be in dire straits. On the one hand, the applicable fines that come with a breach, as well as the possible compensation claimed by the victims, could be substantial. On the other hand, the reputational damage to the business itself, especially if it comes to light that the company was attempting a cover-up (as was recently the case with Uber), could be severe. So companies will most likely pay the ransom — in any case, the sum will probably be smaller than the potential fine itself, which can amount to millions of euros and may be more than the company can afford. But the fact that there is no guarantee that the data will be returned, or that the company will not be blackmailed again in the future, may still dissuade companies from caving in.
The right to be forgotten and the obligation to notify
The new regulation gives European citizens the “right to be forgotten”. This means that, at any time, a consumer may request that their information be deleted from a company’s or other institution’s database. Failure to meet this consumer request could result in some very severe consequences. For example, a cyber blackmailer could seek payment from a company if he or she manages to access a database containing data that should have been erased.
Although the 72-hour window for notifying a security incident begins when the company becomes aware of it (and not necessarily at the moment it actually occurs), the notification could be like a time bomb for the company. If it has to do with leaked personal data, organizations will have to choose between paying the ransom or the fine… and, given the urgency of the decision, they could end up facing both.
Preparation as a defense strategy
As we pointed out in our cybersecurity trends report, 2018 will be the year of attacks on companies. And one of the reasons for this will be the GDPR. This not only means that we are going to see a greater number of attacks, but also that many companies which, in pre-GDPR times, would have covered up their security breaches will now be obligated by law to make them public.
The best response to this situation is to be adequately prepared and protected. To that end, we have prepared the “Preparation Guide to the New European General Data Protection Regulation” to facilitate the transition and help you understand both the opportunities and the threats that the law will bring to light. Companies that rely on Adaptive Defense have an advantage, since they will have all the necessary prevention tools to protect the company — not least of all being the new Data Control module.
The GDPR will mark a before and after in data protection policy. As of May 2018, defending the data of your company’s customers will go from being an ethical duty to a legal obligation.