So GDPR looms ever closer, but as more people start discussing it they begin to realise that the legislation extends far further than anyone ever imagined – especially considering recent trends in the technology industry.
What people don’t realise though, is that the combination of malware and data security breaches is an accident waiting to happen.
Data is now big business, and holding large quantities of it, even data that is never actively processed, is a significant risk in its own right. The main problem is not the technical protection of the data but the fact that merely holding it obliges a company to meet new standards and comply with new regulations, specifically the eight rights the GDPR gives data subjects over their data.
The right to be Informed – organisations must be transparent with individuals about what personal data they collect and how they use it, normally through a privacy notice.
The right of Access – individuals are entitled to confirmation that their data is being processed, a copy of that data, and information about why it is held, who it is shared with and for how long it is kept, free of charge in most cases.
The right to Rectification – individuals are entitled to have inaccurate or incomplete personal data corrected, at no additional cost.
The right to Erasure (the ‘right to be forgotten’) – individuals can ask for their personal data to be deleted, for example where it is no longer needed for the purpose it was collected for or where they withdraw consent. The right is not absolute: a company can refuse if it has grounds to retain the data, for example a loan company while the loan is still active.
The right to Restrict Processing – individuals can ask an organisation to stop processing their data while still storing it, for example while a dispute over its accuracy is being resolved.
The right to Data Portability – individuals can obtain their personal data in a structured, commonly used, machine-readable format and reuse it across different services, moving or copying it from one IT environment to another safely and without loss of usability.
The right to Object – individuals can object to processing based on legitimate interests or a public task, and can object to direct marketing at any time, in which case the marketing must stop.
Rights related to Automated Decision-making and Profiling – the GDPR puts safeguards in place against potentially damaging decisions made without human involvement. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision has legal or similarly significant effects on them, and can ask for human intervention.
Failing to uphold these rights is not only a failure to meet the GDPR standard; it also invites attention from the regulator, the ICO. The ICO is obliged to consider every complaint it receives. In other words, if you cannot meet the obligations the Regulation sets out, a complaint is likely, and a thorough investigation is likely to follow it.
Why Ransomware is a key threat to GDPR Compliance
The UK GDPR is fundamentally about ensuring users get control over their data. If companies are unable to meet their obligations in terms of upholding the correct levels of control then they stand to face a large penalty.
Many attacks, ransomware above all, amount to seizing control of a computer system or its data. In effect they stop users accessing part or all of a data set by disabling the functions, or encrypting the files, that the business depends on.
Examples of this are:
A DDoS attack, which floods a server or network link with traffic until it can no longer serve legitimate requests; and a brute-force attack, which repeatedly guesses passwords until one works, giving the attacker a foothold (and on many systems locking the genuine user out after repeated failures).
A botnet: a group of machines infected with malware that reports to an attacker-controlled server, creating an army of remote ‘bots’ that will do whatever the attacker specifies, such as spreading further, sending spam or launching the DDoS attacks above.
Ransomware, which encrypts every file the infected user can reach – on the local disk and on every mapped drive and shared folder they have write access to – and demands payment for the decryption key. Some variants also overwrite the boot record so the machine will not start at all, and self-propagating variants go on to infect other machines across the network, so without prompt containment an entire network can be lost in minutes. Targeted campaigns, tailored to a particular organisation, are far harder to stop than commodity spam campaigns.
This final example is by far the most common, with an explosion of variants appearing in 2016 and 2017, including two self-propagating threats, WannaCry and NotPetya, both of which spread using EternalBlue, a leaked SMBv1 exploit attributed to the NSA. Ransomware is cheap to produce, hard to protect against and, in most cases, difficult to trace, because it usually arrives by email and the sender of an email is easily forged.
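The behaviour described above – one process rewriting many files with an unfamiliar extension across local folders and network shares within seconds, then deleting the originals – is also what makes ransomware detectable early. The script below is an added example, not code from the original article or from KJL, showing how that pattern can be picked out of file-activity audit events. The log format, the thresholds, the process name invoice_2017.exe and the .locked extension are all assumptions constructed for the example; real deployments would feed in Sysmon, file-server audit or EDR events in whatever format those tools emit. A second function computes the Shannon entropy of file contents, since encrypted output is close to the 8 bits per byte maximum while office documents and text are well below it, which gives a second signal when sampling the new files.

```python
"""Flag ransomware-style mass encryption in file-activity audit events (added example)."""
import math
from collections import defaultdict

WINDOW_SECONDS = 60        # assumption: burst window to look for
MIN_FILES = 10             # assumption: files touched in the window before alerting
MIN_DIRS = 3               # assumption: distinct directories touched, shares included
KNOWN_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "jpg"}  # baseline for this business

# Constructed sample events (not real logs): "unix_time user process action path".
# Normal document edits, then a hypothetical dropper "invoice_2017.exe" rewriting
# files with a ".locked" extension on the local disk and on two network shares.
SAMPLE_EVENTS = r"""
1500000000 alice WINWORD.EXE write C:\Users\alice\Documents\report.docx
1500000030 alice EXCEL.EXE write \\fileserver\shared\finance\budget.xlsx
1500000200 alice OUTLOOK.EXE create C:\Users\alice\Downloads\invoice_2017.exe
1500000210 alice invoice_2017.exe write C:\Users\alice\Documents\report.docx.locked
1500000210 alice invoice_2017.exe delete C:\Users\alice\Documents\report.docx
1500000211 alice invoice_2017.exe write C:\Users\alice\Documents\notes.txt.locked
1500000211 alice invoice_2017.exe delete C:\Users\alice\Documents\notes.txt
1500000212 alice invoice_2017.exe write C:\Users\alice\Documents\contract.pdf.locked
1500000212 alice invoice_2017.exe delete C:\Users\alice\Documents\contract.pdf
1500000213 alice invoice_2017.exe write C:\Users\alice\Pictures\holiday.jpg.locked
1500000213 alice invoice_2017.exe delete C:\Users\alice\Pictures\holiday.jpg
1500000214 alice invoice_2017.exe write C:\Users\alice\Pictures\team.jpg.locked
1500000214 alice invoice_2017.exe delete C:\Users\alice\Pictures\team.jpg
1500000215 alice invoice_2017.exe write \\fileserver\shared\finance\budget.xlsx.locked
1500000215 alice invoice_2017.exe delete \\fileserver\shared\finance\budget.xlsx
1500000216 alice invoice_2017.exe write \\fileserver\shared\finance\payroll.xlsx.locked
1500000216 alice invoice_2017.exe delete \\fileserver\shared\finance\payroll.xlsx
1500000217 alice invoice_2017.exe write \\fileserver\shared\finance\suppliers.docx.locked
1500000217 alice invoice_2017.exe delete \\fileserver\shared\finance\suppliers.docx
1500000218 alice invoice_2017.exe write \\fileserver\shared\hr\appraisals.docx.locked
1500000218 alice invoice_2017.exe delete \\fileserver\shared\hr\appraisals.docx
1500000219 alice invoice_2017.exe write \\fileserver\shared\hr\contracts.pdf.locked
1500000219 alice invoice_2017.exe delete \\fileserver\shared\hr\contracts.pdf
1500000220 alice invoice_2017.exe write C:\Users\alice\Documents\README_DECRYPT.txt
1500000300 alice WINWORD.EXE write C:\Users\alice\Documents\minutes.docx
"""


def parse_event(line):
    """Split one audit line into its fields; paths in this format contain no spaces."""
    ts, user, proc, action, path = line.split(" ", 4)
    return {"ts": int(ts), "user": user, "proc": proc, "action": action, "path": path}


def directory_of(path):
    return path.rsplit("\\", 1)[0]


def extension_of(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_encryption(lines, window=WINDOW_SECONDS, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return one alert per process that writes >= min_files files with an unknown
    extension across >= min_dirs directories inside a sliding time window."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    suspicious_writes = defaultdict(list)   # process -> writes with unfamiliar extensions
    deletes = defaultdict(int)              # process -> originals removed
    for e in events:
        if e["action"] == "delete":
            deletes[e["proc"]] += 1
        elif e["action"] in ("write", "create", "rename") and extension_of(e["path"]) not in KNOWN_EXTENSIONS:
            suspicious_writes[e["proc"]].append(e)

    alerts = []
    for proc, writes in suspicious_writes.items():
        start = 0
        for end in range(len(writes)):          # sliding window over this process's writes
            while writes[end]["ts"] - writes[start]["ts"] > window:
                start += 1
            burst = writes[start:end + 1]
            dirs = {directory_of(e["path"]) for e in burst}
            if len(burst) >= min_files and len(dirs) >= min_dirs:
                alerts.append({
                    "process": proc, "user": burst[0]["user"], "files": len(burst),
                    "directories": sorted(dirs), "originals_deleted": deletes[proc],
                    "first_ts": burst[0]["ts"], "last_ts": burst[-1]["ts"],
                })
                break                            # one alert per process is enough
    return alerts


def shannon_entropy(data):
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed content samples: a plain-text document fragment versus bytes with a
# flat distribution, which is what a well-encrypted file looks like.
PLAINTEXT_SAMPLE = b"Quarterly budget summary for the finance team, to be reviewed before the board meeting."
CIPHERTEXT_LIKE = bytes(range(256))


def analyse_sample():
    return detect_mass_encryption(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for a in analyse_sample():
        print(f"ALERT {a['process']} ({a['user']}) rewrote {a['files']} files in "
              f"{a['last_ts'] - a['first_ts']}s across {len(a['directories'])} folders; "
              f"{a['originals_deleted']} originals deleted")
    print(f"plaintext entropy {shannon_entropy(PLAINTEXT_SAMPLE):.2f}, "
          f"ciphertext-like entropy {shannon_entropy(CIPHERTEXT_LIKE):.2f}")
```

The point of the directory threshold is that a user saving a batch of files normally works in one folder, whereas ransomware walks every drive letter and share it can see, so the spread across folders (and especially onto a file server) is the tell. The entropy check is a complement, not a substitute: a process writing many near-8.0 files is a strong signal, but compressed archives and images also score high, so it should raise the priority of an alert rather than generate one on its own.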
“The number of emails infected by ransomware went up 6,000% from 2016 to 2017.”
IBM Security Review
Ransomware has special significance when it comes to the GDPR. Small businesses typically operate from a handful of machines, with passwords and data files stored locally, so a single infection can cripple their ability to operate and, because they can no longer reach their own systems, leave them unable to answer customer requests for their data within the time the GDPR allows.
Secondly, the GDPR has a specific impact in this field because of the fines which companies can be exposed to. Where the cost of unlocking an infected device by paying a ransom may, before the GDPR, not have been worth it – after the GDPR this may be a more difficult decision.
The ransom demand is typically around $1000 (£739.88) per device. There is NO GUARANTEE that, even if this sum is paid, the data will be left unmodified and untouched, or that the attacker will provide a working key at all. Even so, once a machine is infected, companies may see the ransom as a smaller price than the potential fines the ICO could impose. Paying does not make the incident go away, however: under the GDPR a personal data breach includes loss of access to personal data, so a ransomware infection is a reportable breach in its own right if it is likely to put people at risk, whether or not the key is ever recovered.
Finally, it is impossible to know what else the attacker has done to the machine. They may have loaded further malware onto the disk, stolen sensitive data or installed a backdoor to regain access to the machine (or the local network) later. In short, leaving yourself exposed to ransomware is a headache, and one which rightfully creates doubt and uncertainty in the eyes of any auditor.
“I can tell you right now that businesses will not need to report every single personal data breach to the ICO. However it will be mandatory to report a personal data breach under the GDPR but only if it’s likely to result in a risk to people’s rights and freedoms.
Pan-European guidelines will assist organisations in determining the threshold for reporting, but all of you can start now to develop a sense of what constitutes a serious incident in the context of your data and your own customers.
You will also need to consider whether a breach triggers notice to affected individuals. Personal data breach reporting has a strong public policy purpose. The law is designed to push companies and public bodies to step up their ability to detect and deter breaches.
The public need to have trust and confidence that a regulator is collecting and analysing information about breaches. It will help organisations get data protection right now and in the future.”
GDPR Blog – Data Breach Reporting
Where to go from here – navigating a new landscape.
All businesses should take some critical steps right now to secure their future. None are difficult, all should have been done anyway and, most importantly, there is still time to protect yourself if you act now. Please note: If you do choose to follow through with these options, consider that all staff must be trained or at least told what these systems do and why they have been put in place, otherwise they will not be used properly and it will become an exercise in wasting money.
Move Data to the Cloud. If you haven’t already, you should strongly consider moving customer data to a hosted platform such as Salesforce. Such providers have dedicated security teams, offer GDPR processor terms and keep the data off the machine that gets infected. Two caveats: you remain the data controller, so the provider’s compliance does not replace your own; and a desktop sync client will happily upload encrypted files over the good copies, so choose services that keep version history. You should also ensure you can receive email on your phone or another separate device, so that an infected PC does not cut you off from customers and suppliers.
Move passwords off the local device. Tools such as LastPass keep the passwords for every tool you use for business (Google, Facebook, Twitter, CRM, web host) in one encrypted vault that can be reached from any device, rather than in a spreadsheet on a machine that may be encrypted or stolen. Protect the vault with a single strong master password and switch on two-factor authentication.
Email Scanning. Purchase a licence for an email scanning tool. Email attachments and links remain the most common route by which malware, ransomware included, reaches a business, so filtering email before it reaches the inbox drastically reduces the risk. We recommend Symantec’s cloud-based email scanning solution.
Anti-virus. Anti-virus is one of the fastest-moving areas of technology. Leading products no longer rely on signatures alone: they block suspicious behaviour, stop infections spreading and share what they see with the vendor’s cloud so that other customers are protected against the same threat within minutes. We recommend ESET as the leading tool to prevent malware from infecting machines.
Backups. Restoring from backup is the best way to recover from an infection: you wipe the infected devices and keep your data. The backup is only useful if the ransomware could not reach it, so keep at least one copy offline or in a separate account the infected user has no write access to, keep versions rather than overwriting, and test a restore regularly; a backup that has never been restored is an assumption, not a safeguard. We recommend NetJapan, a cloud solution for backups.
Training. One of the easiest, cheapest and most effective ways of stopping ransomware infections, and of making sure staff know what to do when one happens and how to recover, is user training. Walking through realistic scenarios in a classroom, including who to call and which cable to pull, pays dividends in the long run.
“Enterprises are now far more exposed to ransomware. In the first six months of 2017, 42 percent of all ransomware infections blocked by Symantec occurred at large businesses (enterprises).”
Symantec Internet Security Threat Report
Our advice to companies, regardless of size, is to put the above safeguards in place to protect against the devastating potential of ransomware and other malware. IT managers should use the changes the GDPR brings as a catalyst to win higher budgets and protect their organisations against both the threats of tomorrow and the risk of non-compliance.
For SMEs this may mean working towards standards such as ISO 9001 (quality management) and ISO 27001 (information security management) in addition to the recommendations above. For enterprises, and especially for global organisations such as charities, which have been shown to be prime targets, it may mean standardising service delivery under ISO/IEC 20000 or moving to stronger authentication, such as multi-factor or biometric, for access to systems holding personal data.
Regardless of the size or scope of the changes you require, KJL can provide assistance. We often deal with bespoke security challenges and help create a compliance-focused approach to solving them effectively.
To discuss any needs you might have and what we can do to help, please just call 01268 627101 to setup a meeting at your convenience.