GDPR represents the largest step forward for personal privacy since the Internet became a part of everyday life. By giving individuals control of the personal data held about them by third parties, it gives them a choice as to how that information is used. And by specifying hugely punitive fines, the EU has shown it is taking the issue of personal privacy very seriously.
But just as private individuals regain control of their personal data from private corporations, the GDPR has opened some new opportunities for cybercriminals to exploit those very same people. We’ve outlined 3 scenarios and our advice on how to tackle them.
Phishing emails disguised as GDPR notices
In the run-up to the GDPR go-live date, you were probably inundated with hundreds of emails. Terrified by the consequences of holding personal data without permission, brands began emailing everyone on their contact lists to advise of changes to their privacy policies and to offer the opportunity to opt in to future communications. Even now, these messages are still arriving as late starters try to rush through compliance.
The sheer volume of GDPR-related email provides cybercriminals with a good opportunity to distribute malware or steal sensitive personal information. As your own inbox was flooded with opt-in requests, how many times did you check whether the message and its links were legitimate?
By creating an air of urgency (“you must renew now or miss out forever”), hackers have a very good chance of tricking people into clicking where they really shouldn’t, especially when phishing emails are hidden among so many legitimate messages.
1. Check each email you receive carefully. Do you recognise the source, and is the sender address legitimate? Only services you have engaged with before will ask you to opt in.
2. If you are sending this type of email as a business, ensure you use formatting, design and a sender address that are familiar to the recipients.
Increased risk of corporate blackmail
The potential fines for breaching GDPR are huge – up to €20m or 4% of global turnover, whichever is greater. Obviously, businesses will do anything they can to avoid prosecution.
Previous ransomware attacks have shown that enough victims pay the ransom to make the technique profitable for hackers. But with the added threat of legal action, CTOs and CIOs are under even more pressure if corporate IT defences are breached.
Data breaches have a significant effect on corporate reputation, adding a further incentive to pay hackers rather than announce security failings publicly. Ponemon Research suggests that damage to brand and reputation following a hack reduces gross revenues by as much as 31% – far more than the 4% maximum GDPR fine, which is levied against turnover.
We expect hackers to exploit this additional psychological advantage as part of future attacks. Faced with the choice of paying hackers a €500,000 ransom or an information commissioner’s fine of several million euros (plus the potential negative PR consequences), some businesses may decide that the ransom is preferable.
Failure to report a data breach is obviously illegal under the GDPR, but cybercriminals are hoping that C-suite decision-makers will decide the risk of prosecution is preferable to the brand being damaged publicly.
1. Ensure you have a policy and process in place for data breaches.
2. Train your teams on the GDPR and how they can ensure personal data remains safe.
3. Document your processes and act in a compliant manner.
4. Establish a relationship with your local Data Protection Authority. They are here to help, not simply to punish you.
GDPR is a much-needed update to previous data protection legislation, and it will force organisations to be more careful with the personal data of natural persons. Unfortunately, these new frameworks also provide criminals with new leverage against your business.
To avoid future problems, CSOs will need to bolster defences for initial GDPR compliance, and then create a program of continuous improvement to identify and fix security weaknesses before they can be exploited. And as always, employees need to be trained to be careful with incoming email – particularly right now, while the volume of incoming messages is so high.
1. GDPR is an organisation-wide concern. Ensure all teams handling personal data are trained.
2. This is a compliance journey. Ongoing maintenance and monitoring are key.
A good place to start your GDPR journey, or to check whether you have covered most eventualities, is our GDPR Mapping Questionnaire. Going beyond IT and networks, it outlines the questions each of your departments needs to answer when it comes to personal data processes.