Early identification of vulnerabilities will protect against GDPR non-compliance
The recent WannaCry ransomware outbreak infected around 200,000 computers across 150 countries. In this case the criminals demanded £230 ($300) per machine to decrypt data files, but this nominal ransom belies a potentially greater threat.
Ransomware has become the weapon of choice for cybercriminals: 638 million attacks were reported in 2016, and this type of malware now accounts for 66% of all malware payloads. WannaCry's ingenuity lay in its worm-borne delivery: it spread from machine to machine by exploiting a flaw in SMBv1 (the EternalBlue exploit, addressed by Microsoft in the MS17-010 update two months before the outbreak), so it needed no phishing email and no user interaction once inside a network. That mechanism, together with the accelerating scale of attacks, paints a clear picture of threats adapting quickly to wherever they can inflict the greatest impact.
The incoming GDPR could offer added impetus and opportunity for attackers in this growing tide of ransomware. The enhanced value of personal data, and the organisation's obligation to protect it, both raise the threat of ransomware targeting the personal data an organisation holds and increase the ransom a victim may be prepared to pay.
It's not a combination we've seen yet, but cybercriminals are nothing if not resourceful in identifying new vulnerabilities and going for the kill.
It's not hard to imagine the next generation of ransomware designed to inspect the data it is encrypting and exfiltrate personal data such as names, email addresses, passwords and credit card numbers for further criminal exploitation. In that scenario, a ransomware incident in which the malware accesses the personal data or its metadata would likely be treated as a personal data breach by the regulator under the GDPR. Note that the GDPR's definition of a personal data breach (Article 4(12)) covers not only unauthorised disclosure of or access to personal data but also its accidental or unlawful destruction, loss or alteration, so even "plain" ransomware that merely encrypts personal data without stealing it can already fall within the definition and trigger the 72-hour notification duty in Article 33.
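The same pattern matching a data-stealing ransomware strain would use to pick out names, email addresses and card numbers is exactly what a defender's data-discovery pass should run first, so that the organisation knows where regulated data sits before an incident rather than after. The example below is added here for illustration and is not code from the original article or from the trust-hub Business Lens product: it scans a small constructed in-memory inventory of files for email addresses and payment card numbers, applies the Luhn check so that random digit runs are not counted as cards, and assigns each file a simple risk tier. The file names, contents and the three-level tiering are assumptions for the example; real discovery would also need to cover databases, backups and file shares.

```python
import re
from typing import Dict, List

# Loose patterns for two of the data types named in the text. Regex-based
# discovery is a heuristic: it finds candidates, which still need review.
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out digit runs
    (build numbers, timestamps, IDs) that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return the distinct Luhn-valid card numbers found in text, digits only."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.add(digits)
    return sorted(found)


def classify(text: str) -> Dict[str, int]:
    """Count distinct personal-data items of each type in a piece of text."""
    return {
        "email": len(set(EMAIL_RE.findall(text))),
        "card": len(find_card_numbers(text)),
    }


def risk_tier(findings: Dict[str, int]) -> str:
    """Assumed tiering for the example: card data is high, contact data medium."""
    if findings["card"] > 0:
        return "high"
    if findings["email"] > 0:
        return "medium"
    return "low"


def scan_inventory(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map each file name to its findings and risk tier, worst first."""
    report = {}
    for name, content in files.items():
        findings = classify(content)
        report[name] = {"findings": findings, "risk": risk_tier(findings)}
    return report


# Constructed sample inventory for the example (not real data). The card
# number in customers.csv is the well-known Visa test number; the digit run
# in build.log fails the Luhn check and must not be reported as a card.
SAMPLE_FILES = {
    "customers.csv": "name,email,card\n"
                     "Alice Example,alice@example.com,4111 1111 1111 1111\n",
    "newsletter.txt": "Contact bob@example.org for details.\n",
    "build.log": "Build 2017-05-12 finished in 42s, ref 4111111111111112\n",
}

if __name__ == "__main__":
    for name, entry in sorted(scan_inventory(SAMPLE_FILES).items(),
                              key=lambda kv: kv[1]["risk"]):
        print(f"{name:16} risk={entry['risk']:6} {entry['findings']}")
```

Run as-is, the script reports customers.csv as high risk (one email, one valid card), newsletter.txt as medium, and build.log as low even though it contains a 16-digit number, because that number fails the Luhn check. A real deployment would feed the results into the asset inventory so that the patch priority of a server reflects the data it holds, which is the link between "low-level" vulnerabilities and regulated data that the rest of this article is about.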
If this all sounds particularly onerous, the venom, so to speak, of GDPR-focused attacks is also the antidote. Personal data must be carefully managed, protected and stored to comply with the GDPR, and that in itself sets a far higher threshold for security vigilance, in particular for ensuring that vulnerabilities are routinely identified and patched, than is required of data custodianship today. WannaCry is the cautionary example: the patch for the flaw it exploited had been available for two months, and organisations that had applied it were not infected.
For GDPR compliance, good security hygiene and timely patching is only one of the risk factors to address. The harder part is the real-time visibility needed to connect the dots in a constantly changing landscape of emerging vulnerabilities and attack vectors, and to connect the cybersecurity teams and their practices with the custodians of personal data and GDPR compliance. That can be far beyond the capabilities of many organisations, and of many software applications too.
The types of risk factor to address in a ransomware risk assessment are discussed in the accompanying video, including the ability to investigate, through our Business Lens, not only the location and patch status of any critical server but also its security risk score, the data the server contains, its GDPR risk level, and the processes and people that interact with that server and its data.
In a nutshell, whilst IT teams focus on classifying and protecting their valuable personal data for the GDPR, they may not consider lower-level vulnerabilities worth as much resource. Attackers think the other way round: they exploit any vulnerability they can find and then move up the food chain, working out how that initial foothold connects to the key systems and critical data that can ultimately be breached and held to ransom.
Modelling the entire enterprise from the ground up is how our trust-hub Business Lens addresses the risk management challenges of data privacy, beyond just patching the leaks. The very best defence in depth against ransomware is good data: complete visibility of all critical and personal data for security teams, privacy teams and senior management inside a single dashboard. This supports not only an accurate assessment of dynamic risk but also the ability to spot new vulnerabilities quickly, prioritise resources, share information and block the path of would-be ransomware attacks.
For more information on the Business Lens, book a demonstration here with one of our analysts.
Written by David Nunn, Data Protection Officer