Hackers are going to come for your data with more force than ever. Your data is about to become your business’ most valuable asset and biggest risk, thanks to the imminent General Data Protection Regulation (GDPR).
GDPR is coming in May 2018, and will bring with it eye-watering fines for non-compliance. For significant breaches, businesses could face fines of £17.5 million or 4% of global turnover – whichever figure is higher.
The Information Commissioner’s Office (ICO) revealed that recent data breach fines could have been 79 times higher if GDPR had already been in place. The infamous TalkTalk breach, for which the company was fined around £400,000, would have cost £59 million under GDPR.
All businesses process Personally Identifiable Information (PII) in some capacity; even those that don’t keep customer data will have employees’ personal information on record. That means every business must comply with GDPR. It also means all businesses are at risk of data breaches. Knowing the increased financial risk attached to breaches, hackers are more likely than ever to target your data and hold your business to ransom over it.
Heimdal Security researchers have suggested that businesses may be more susceptible to Ransomware or extortion threats than ever before, as hackers use the looming fines of £17.5 million or higher as leverage.
Ransomware is by no means a new phenomenon, but it’s seen a significant resurgence in the last couple of years. By definition, Ransomware is malicious software that ‘locks down’, or encrypts, a user’s or an entire business’ files, meaning users can no longer access them. The hackers then demand a ransom payment, usually in the form of bitcoin, to provide the decryption key and return access to your files. Supposedly.
65% of UK businesses that are infected by Ransomware pay the ransom, but only 45% of those who pay up regain access to their files (Trend Micro). The only guaranteed outcome of paying the ransom is that cyber criminals will be more emboldened to carry out further attacks. There’s a significant risk that you could be paying twice for your breach: once to the hackers, and then your eye-watering fine in the tens of millions.
Ransomware’s revival can be attributed to the fact that IT security is more comprehensive and robust than ever. A lot of legacy malware required administrative rights in order to wreak havoc on your machine, but Ransomware requires no high-level access. There’s also the fact that it’s highly profitable, which is a key motivator in light of GDPR.
Prioritising IT security gives you the best chance of avoiding this scenario. A multi-layered security strategy reduces the attack surface that hackers can reach.
Because of the significant rise in Ransomware attacks, there are now Ransomware-specific solutions that can stop this particularly insidious type of malware in its tracks. These tools, for example Sophos Intercept X, stop the malware before it gets to any files, and if files have already been encrypted, the tool reverts them to their original state. Such a tool is an anti-exploit solution that can help prevent zero-day attacks (attacks that exploit vulnerabilities never seen before) by detecting suspicious behaviour, rather than simply the signatures of previously discovered malware; this is what differentiates Ransomware-specific anti-viruses from standard anti-virus tools.
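To make the behavioural approach concrete, here is a small added example (not code from the original article, and not how Sophos Intercept X works internally): a monitor that watches constructed file-write events, flags any process that turns several low-entropy documents into high-entropy content within a few seconds, and keeps each file’s pre-write copy so the touched files can be rolled back. The process names, paths and event stream are all constructed for the demonstration.

```python
import hashlib
import math
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain documents sit around 3-5, encrypted output near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

class BehaviourMonitor:
    """Flags a process that rewrites many low-entropy files with high-entropy content
    inside a short window, and keeps the pre-write copy of each file for rollback."""
    def __init__(self, window_s=5.0, burst=5, threshold=7.0):
        self.window_s, self.burst, self.threshold = window_s, burst, threshold
        self.recent = defaultdict(deque)  # process -> timestamps of suspicious writes
        self.snapshots = {}               # path -> first pre-write content seen
        self.flagged = set()

    def on_write(self, ts, process, path, old, new):
        self.snapshots.setdefault(path, old)          # capture before the write lands
        if shannon_entropy(old) < self.threshold <= shannon_entropy(new):
            q = self.recent[process]
            q.append(ts)
            while ts - q[0] > self.window_s:          # drop writes outside the window
                q.popleft()
            if len(q) >= self.burst:
                self.flagged.add(process)
        return process in self.flagged

    def revert(self, paths):
        """Return the saved pre-write content for every path we have a snapshot of."""
        return {p: self.snapshots[p] for p in paths if p in self.snapshots}

def fake_ciphertext(seed: bytes, length=1024) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    out, block = b"", seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:length]

def simulate():
    """Constructed event stream: a text editor saving notes, then a mass-encrypting process."""
    mon = BehaviourMonitor()
    docs = {f"/home/user/doc{i}.txt": f"Quarterly report {i}. ".encode() * 40 for i in range(8)}
    mon.on_write(0.0, "editor", "/home/user/notes.txt", b"todo: call bank\n", b"Edited. " * 100)
    for i, (path, content) in enumerate(docs.items()):
        if mon.on_write(1.0 + i * 0.1, "cryptor.exe", path, content, fake_ciphertext(path.encode())):
            break                                     # stop the process at first detection
    return sorted(mon.flagged), mon.revert(docs), docs
```

The editor’s plain-text save never trips the heuristic, while the encrypting process is flagged on its fifth file and the files it had already overwritten are restored from the snapshots.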
It’s highly likely, however, that hackers will turn to tools alongside Ransomware to extort businesses. Tactics like phishing (whereby users are directed to fake login pages that allow cyber criminals to steal credentials), keystroke-logging viruses and memory scraping malware could give hackers the ammunition to blackmail businesses into paying up, lest they risk a heftier GDPR fine.
Encryption is a best-practice form of security that is recommended in the preliminary GDPR document. An encryption solution protects your data by continually validating the user, the application and the security identity of the device before allowing access to encrypted data. This protects businesses from breaches that occur through lost or stolen devices, and management dashboards can provide the evidence that, should laptops, mobiles or portable storage devices go missing, you have appropriate measures in place to prevent a breach and can prove it to the ICO. Encryption can be applied at file level or full-disk level, allowing for complete coverage.
Keeping systems patched and up-to-date is essential to the security of your business. The global WannaCry attack that struck institutions of all shapes and sizes, including Nissan and the NHS, exploited a vulnerability in unpatched systems; the finger was firmly pointed at Windows XP, but it has since been established that unpatched systems of all versions were the reason so many businesses fell victim to WannaCry.
It’s important to never assume that you’re protected from cyber-attacks and data breaches. Whilst GDPR has a lot of benefits and the process can actually be used to help businesses get a handle on the data they hold, it’s giving hackers more ammunition than ever to target your precious Personally Identifiable Information (PII). GDPR requires you to put adequate measures in place to protect your data; failure to do so, including the presumption that a cyber-attack will never happen to your business, could be seen as negligent and therefore non-compliant.
Article produced by UK IT support company, Technology Services Group.