GDPR Fines, Ransomware, and Cybersecurity: What You Need To Know


The GDPR (General Data Protection Regulation) was developed a few years ago to replace the European Union's Data Protection Directive of 1995. After years of revisions, it finally took effect in May. The regulatory framework was enacted to protect the privacy of EU citizens, with GDPR fines and other enforcement measures helping to maintain the rules. It is a noble goal and will likely have a number of benefits. However, it may also create a new set of risks that security experts and crisis management teams will need to prepare for. One of them is the likelihood that GDPR ransomware threats are going to rise.

Will the GDPR put companies on high alert about possible new ransomware attacks?

Ransomware has become a very serious threat. According to CSO Online, the global costs exceeded $5 billion in 2017. A number of factors have played a role in driving the explosive threat that it poses to organizations of all sizes.

Most laymen wouldn’t attribute an increase in ransomware attacks to the GDPR. However, some of the most astute cybersecurity experts have made this link. The potential for GDPR extortion is worth putting on your radar.

Trend Micro is one of the most prominent organizations to make such a bold prediction. According to a speculative post they published last December, a growing number of ransomware attackers are going to calculate the likely fine a company would face under the GDPR before issuing their demands. They will probably set their ransom demands just under the penalty threshold they would face. The likely outcome is that many companies would make the payment and never report the incident, for fear that EU regulators might find out and impose GDPR fines on top of it.

Other experts have claimed the opposite is likely to occur. They cite a provision in the GDPR that requires organizations to report any security breach, even if the impact is minimal. However, the likelihood that they will follow through on reporting could be low, regardless of the merits of the law.

Some organizations may decide that the risk of being fined is greater than that of quietly breaking the law and sweeping a GDPR ransomware incident under the rug. Also, they may make the argument that the ransomware infection does not qualify as an actual security breach. Some lawyers could argue that ransomware generally locks devices or freezes servers, but does not actually purloin encrypted data, therefore it would not actually qualify as a breach and does not need to be reported.

These threats may be especially effective against very small and home-based businesses. Unfortunately, a growing number of malicious actors are targeting these types of businesses, and GDPR extortion is plausible.

VPNFilter malware attacks are among the biggest threats to home-based businesses. They are specifically designed to infect home Internet routers and small office networks. According to the United States Computer Emergency Response Team, this type of attack creates a number of risks beyond the malware infection itself, including:

  • Temporarily or permanently destroying sensitive information
  • Disrupting operations by crashing the network
  • Forcing organizations to spend thousands of dollars or more on file and system restoration
  • Potentially causing irreparable harm to the company’s image after the attack has been carried out

This can be a huge concern for businesses of all sizes. GDPR ransomware attackers realize that home businesses cannot afford anywhere near the fines that the GDPR calls for and will act accordingly.

Organizations must take sensible precautions to avoid this dilemma

Ransomware attacks are likely to increase in the coming years, especially as EU regulators become more stringent about enforcing their policies. Organizations of all sizes must recognize that they may be put in a position where they need to choose between paying the ransom or accepting a fine for failing to meet compliance standards. The regulators may act with leniency, especially if the company is small. However, organizations should not operate on the assumption that they will get off with a mere slap on the wrist. They should also consider the possibility that malicious hackers will continue to organize such attacks as long as they feel there is a chance that the company is in violation of GDPR requirements.

The only guaranteed solution is to make sure the network is strongly defended to prevent a ransomware attack—or any subsequent GDPR extortion—in the first place. Here are some precautions that can help.

Reset your router

The VPNFilter attacks were organized against businesses with routers that had not been updated for quite some time. Resetting the router could significantly reduce the threat of these attacks. Of course, there are other forms of malware that exploit other vulnerabilities. However, fixing all weak points in your security infrastructure is key, so it is important to address every possible avenue through which a ransomware attack may be carried out.

Understand the importance of IoT management

According to Cloud Management Suite, securing IoT devices is one of the most important steps to prevent ransomware attacks. Recent figures show that 10% of ransomware attacks against SMBs are targeted at IoT devices. Organizations should keep the IoT network architecture as simple as possible and regularly monitor all incoming and outgoing data on all IoT devices to look for threats.

Make sure that software is regularly patched

Hackers take time to understand the flaws in every application they can exploit. The older an application is, the more time they will have had to uncover them. This leaves you vulnerable to attacks. Make sure that your software is patched to prevent this from happening.

Make sure that your data is regularly backed up

Since most organizations carefully encrypt their data, they are not so worried about hackers stealing and releasing it. Although some ransomware attacks do this, the majority threaten to destroy files instead. You can nullify their threat by making sure that your data is carefully backed up on another server that they will not have access to.

Have automated content scanning controls in place

It is vital that you regularly scan incoming emails for all known malware threats. Email is one of the most common ways to distribute malware.

Be very careful using public Wi-Fi connections

Hackers often spoof hotspots to trick people into providing information through them. Make sure that you carefully verify any hotspot that you’re using to prevent them from getting access to your machine.

Remain Aware to Stay Safe

While the threat of ransomware is never fun to think about, it doesn’t need to rule your life either. It’s simply a matter of being as aware as possible and taking whatever precautions you can to decrease your odds of getting hacked, and to keep your data secure. Hopefully, GDPR’s benefits will far outweigh the risks.

Ryan Kade is the editor overseeing contributed content at Smartdata Collective and contributes a weekly column.