Just as GDPR will (we hope) bring more focus to cybersecurity at organizations around the world, its emphasis on protecting the personally identifiable information (PII) of people in the EU and UK, no matter where the company holding that data resides, will make the information more valuable to cybercriminals. One of the first rules of cybercrime is never to miss an opportunity to maximize profit at the expense of the multitude of unsecured, untrained and under-resourced (when it comes to cybersecurity) organizations. Even though ransomware and business email compromise (BEC) scams are currently driving losses from cybercrime ever upwards, GDPR will change criminal behavior. What are some of the key considerations?
1. PII Hostage Taking
GDPR mandates that organizations collecting data establish, maintain and monitor protections for both employee and customer PII. The legislation as it stands attaches these protections to the individual no matter which entity collects or processes the information; the obligation to protect the data travels with it. The penalties for GDPR violations are designed to be dissuasive: up to four percent of global annual turnover or 20 million euro, whichever is greater. Given this, a cybercriminal will quickly realize that a target with less than adequate PII protections is ripe for a cyber-shakedown in the form of data hostage-taking. A crafty cybercriminal may breach the organization, collect all the PII that can be found, and wait for an opportune moment to threaten to report the organization to the GDPR Supervisory Authority (SA). Once the organization has received "proof of data," the equivalent of the "proof of life" demanded in a kidnapping, it will be plunged into ethical and IT security chaos. Ethically, and under the regulation, the organization must notify both the SA and the affected parties; however, given the untrustworthy nature of cybercriminals, the fact that the attacker claims to hold all the data does not mean they do, so the first job is to verify any sample they provide against your own data and access logs rather than take the claim at face value. If the data hostage incident arrives at a time when the business is vulnerable (M&A talks, a funding round, etc.), the temptation to "make it all go away" by paying the ransom and not reporting the breach to the SA may be irresistible.
2. An Expanded Data Breach Market
From May 25, 2018, when GDPR comes into force, organizations must report a personal data breach to the Supervisory Authority within 72 hours of becoming aware of it, and notify the affected individuals without undue delay when the breach is likely to put them at high risk. GDPR does not discriminate as to how the breach occurred; a data breach is a data breach. This amplifies the cybercriminal opportunity considerably. It could be an entrepreneurial yet malicious employee absconding with a database backup from the CRM or payroll system, looking to monetize the stolen data. Or it could be a cybercriminal who infiltrated the business, exfiltrated the data, and erased as much evidence of the crime as possible. Breach now in 2017 and extort in 2018. So the question, of course, is this: how hard is it to breach a business, grab the data and wait for the clock to turn to May 25, 2018, before commencing "Operation GDPR Data Hostage"? The numbers speak for themselves. US companies and government agencies suffered a record 1,093 data breaches in 2016, a 40 percent increase from 2015, according to the Identity Theft Resource Center. The number of records stolen globally in data breaches also set a new record in 2016, according to a report from Risk Based Security: 4,149 confirmed breaches exposed more than 4.2 billion records. To make matters worse, there is the "elite cybercrime startup" package available to download now. If "EternalBlue" and "DoublePulsar" didn't strike fear into the hearts of the unpatched, the same leaked toolset should concern the multitude of businesses that were hit by the WannaCry ransomware attack. Back in April 2017, a whole pile of NSA-crafted cyber-weapons was dumped by the Shadow Brokers, paving the way to easy system exploitation by cybercriminals of any skill level.
3. Take the Security Fight to a New Level
When you look at the global situation, it can be disheartening and demoralizing. But after those failures, as a security industry and as security professionals, it is time to get back up off the mat, find our courage and strength, and start taking the fight to the enemy. And no, I'm not talking about "hacking back." First, you need to manage customer and employee expectations and reduce organizational risk:
- Revisit EULAs, terms and conditions of service, employment contracts and computer usage policies, and get a legal review.
- Identify the PII you actually need to conduct business with customers and manage employees.
- Delete PII that is not needed and reduce what you collect going forward. Less PII = less risk.
- Ensure that any change in the processing, controlling, transmission or storage of PII is backed by explicit customer and employee consent (or another lawful basis under the regulation).
- Document your safeguards for processing, controlling, transmitting and storing PII.
Second, you need to manage the protection, detection and availability of the IT systems that control, process, transmit and store PII:
- Ensure you have the right to monitor your information systems (user awareness and consent as a term of employment).
- Protect IT systems according to established frameworks such as the CIS Critical Security Controls (formerly the SANS Top 20), NIST and ISO 27001.
- Build systems to detect malicious activity, whether internal or external. GDPR does not discriminate when it comes to the origin of a data breach.
- Build systems to detect changes in how PII is processed, controlled, transmitted and stored.
- Maintain visibility of all PII that is collected, processed, stored and transmitted.
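The detection and visibility items above are the ones most often left as aspirations. As an added example (not code from the original article or from the author's employer), the following Python sketches the smallest useful version of both: it parses a constructed audit log from a hypothetical CRM/payroll application, flags any access to a PII-bearing table that is large in absolute terms and far above that user's own prior median (the "insider walks off with the payroll backup" scenario from section 2), and produces a per-user summary of PII rows touched. The log format, the `PII_TABLES` inventory and the thresholds are assumptions for illustration; a real deployment would feed this from the application's audit trail and tune the thresholds to its own baseline.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed sample audit log from a hypothetical CRM/payroll application
# (not real data). Each line: ISO-8601 timestamp, user, action, table, rows touched.
AUDIT_LOG = """\
2017-11-06T09:02:11Z alice READ customers 40
2017-11-06T09:15:42Z alice READ customers 35
2017-11-06T10:03:09Z bob READ payroll 12
2017-11-06T10:44:51Z alice READ customers 52
2017-11-06T11:20:00Z bob READ payroll 9
2017-11-06T13:05:17Z carol READ products 500
2017-11-06T22:41:33Z bob EXPORT payroll 4800
2017-11-06T23:02:08Z bob EXPORT customers 21000
"""

# Tables the organisation's own data inventory marks as holding PII (assumed).
PII_TABLES = {"customers", "payroll", "employees"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<user>\S+)\s+(?P<action>READ|EXPORT|UPDATE|DELETE)\s+"
    r"(?P<table>\S+)\s+(?P<rows>\d+)$"
)


def parse_audit(text):
    """Parse audit lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rows"] = int(e["rows"])
        e["hour"] = int(e["ts"][11:13])
        events.append(e)
    return events


def find_bulk_pii_access(events, ratio=10, min_rows=1000, business_hours=(8, 19)):
    """Flag access to PII tables that is both large in absolute terms (min_rows)
    and more than `ratio` times the user's own prior median, so a payroll clerk
    who reads a dozen rows at a time stands out when they suddenly pull
    thousands. Off-hours activity is recorded as a secondary indicator."""
    history = defaultdict(list)   # user -> row counts of earlier PII accesses
    alerts = []
    for e in events:
        if e["table"] not in PII_TABLES:
            continue
        prior = history[e["user"]]
        baseline = median(prior) if prior else 0
        anomalous = e["rows"] >= min_rows and (baseline == 0 or e["rows"] > ratio * baseline)
        if anomalous:
            alerts.append({
                "user": e["user"],
                "table": e["table"],
                "action": e["action"],
                "rows": e["rows"],
                "baseline": baseline,
                "off_hours": not (business_hours[0] <= e["hour"] < business_hours[1]),
            })
        prior.append(e["rows"])   # the event becomes part of the baseline
    return alerts


def pii_access_summary(events):
    """Per-user, per-table totals of PII rows touched: the visibility view."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["table"] in PII_TABLES:
            summary[e["user"]][e["table"]] += e["rows"]
    return {user: dict(tables) for user, tables in summary.items()}


if __name__ == "__main__":
    evs = parse_audit(AUDIT_LOG)
    for alert in find_bulk_pii_access(evs):
        print("ALERT", alert)
    print(pii_access_summary(evs))
```

On the sample log, only bob's two late-evening exports trip the detector; alice's routine customer lookups and carol's large read of a non-PII product table do not. The per-user baseline matters: a fixed row threshold alone would miss a slow, low-volume leak, and a ratio alone would fire on a new user's first legitimate query, which is why both conditions are required.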
Many companies will be breached in the foreseeable future, and cybercriminals will certainly keep running sustained campaigns of ransomware, fraud and business email compromise. Just as we focus our defenses on those threats, we need to be ready for the next one. Data hostage-taking and ransom demands will no doubt be part of the cybercriminal business plan as GDPR comes into force. It's time for the security gloves to come off.
About the Author: Ian Trump, CD, CEH, CPM, BA is an ITIL certified IT professional with 20 years of experience in IT security and information technology. From 1989 to 1992, Ian served with the Canadian Forces (CF), Military Intelligence Branch; in 2002, he joined the CF Military Police Reserves and retired as a Public Affairs Officer in 2013. Ian previously managed IT projects at the Canadian Museum of Human Rights and is currently Head of Security at ZoneFox. Ian works across the business to define, create and execute security solutions and promote a safe, secure Internet for Small & Medium Businesses world-wide. As Head of Security, Ian has deep experience with the threats facing small, medium and enterprise businesses. This research and experience has made him a sought-after cyber security resource for conference presentations, press commentary and keynote addresses world-wide. In recognition of his contribution to IT Security, Ian has been named as an executive council member of the CompTIA IT Security Community. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.