1. PII Hostage Taking

GDPR mandates that organizations collecting data ensure protections are established, maintained and monitored for both employee and customer PII. The current state of the legislation applies these protections to the citizen no matter what entity is collecting or processing the information: the requirement for data protection is transferable. The penalties for GDPR violations are dissuasive and significant: four percent of annual turnover or 20 million euro, whichever is greater. Given this scenario, a cybercriminal will quickly realize that a target with less than adequate PII protections is ripe for a cyber-shakedown in the form of a data hostage taking. If the cybercriminal is crafty, they may breach the organization, collect all the PII that can be found, and wait for an opportune moment to threaten to report the organization to the GDPR Supervisory Authority (SA). Once the organization has received “proof of data”, like the “proof of life” demanded by those asked to pay a hostage ransom, it will be plunged into ethical and IT security chaos. Ethically, the organization needs to notify both the SA and the affected parties; however, given the untrustworthy nature of cybercriminals, the fact that the cybercriminal claims to have all the data does not necessarily mean they do. If the data hostage incident presents itself at a time when the business is vulnerable (M&A talks, looking for funding, etc.), the temptation to “make it all go away” by paying the cybercriminals’ ransom demand and not reporting the breach to the SA may be irresistible.
2. An Expanded Data Breach Market

After May 2018, when the GDPR goes into effect, organizations must report a data breach to the affected parties and the Supervisory Authority (SA) within 72 hours of becoming aware of it. GDPR does not discriminate as to how the data breach occurred; a data breach is a data breach. This amplifies the cybercriminal opportunity considerably. It could be an entrepreneurial yet malicious employee absconding with a database backup from the CRM or payroll system, looking to monetise the stolen data. Or it could be a cybercriminal who infiltrated the business, exfiltrated the data, and erased as much evidence of the crime as possible. Breach now in 2017 and extort in 2018. So the question, of course, is this: how hard is it to breach a business, grab the data and wait for the clock to turn to May 25, 2018, before commencing “Operation GDPR Data Hostage”? Well, the numbers speak for themselves. US companies and government agencies suffered a record 1,093 data breaches in 2016, a 40 percent increase from 2015, according to the Identity Theft Resource Center. The number of records stolen globally in data breaches also rose dramatically to set a new record in 2016, according to a new report from Risk Based Security: the 4,149 confirmed breaches exposed more than 4.2 billion records. To make matters worse, there is the “elite cybercrime startup” package available in stores to download now. If “EternalBlue” and “DoublePulsar” didn’t strike fear into the hearts of the unpatched, the newly released tools should concern the multitudes of businesses that were breached in the WannaCry ransomware attack. Back in April 2017, a whole pile of NSA-crafted cyber-weapons were dumped by the Shadow Brokers. This paved the way to easy system exploitation by cybercriminals of any skill and capability.
3. Take the Security Fight to a New Level

When you look at the global situation, it can be disheartening and demoralizing. But even after failure – as a security industry and as security professionals – it’s time to get back up off the mat and find the courage and strength to start taking the fight to the enemy. And no, I’m not talking about “hacking back.” Firstly, you need to manage customer and employee expectations and reduce organizational risk:
- Revisit EULA, terms and conditions of service, employment contracts, and computer usage policies. Get a legal review.
- Identify the PII data you need to conduct business with customers and manage employees.
- Delete PII data that is not needed and reduce PII collection requirements. Less PII = Less risk.
- Ensure that any change in processing, controlling, transmitting, or storage of PII data requires explicit customer and employee consent.
- Document your processing, controlling, transmitting and storage safeguards.
- Ensure you have the right to monitor your information systems (user awareness and consent as terms of employment).
- Protect IT systems as per best practices, such as foundational security controls, SANS, NIST, ISO 27001, etc.
- Build systems to detect malicious activity, internal or external. GDPR does not discriminate when it comes to the origin of a data breach.
- Build systems to detect changes in processing, controlling, transmission and storage of PII.
- Ensure visibility is maintained on all PII data that's collected, processed, stored and transmitted.
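The items above on identifying the PII you hold, deleting what is not needed, and detecting changes in where PII is processed and stored are the ones a small inventory-and-drift check can support. The following is an added example and not code from the original article: it classifies the columns of constructed sample exports as PII using column-name hints and value heuristics, compares the result with a constructed approved register, and reports drift (a dataset nobody registered, an unapproved PII column, an expected PII column that has gone missing). The dataset names, records, register and heuristic patterns are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample exports (not real data): a CRM table, a payroll table and an
# ad hoc marketing export that nobody registered.
SAMPLE_DATASETS = {
    "crm.customers": [
        {"customer_id": "C1001", "email": "a.smith@example.com",
         "phone": "+44 20 7946 0123", "plan": "gold", "signup_date": "2017-03-02"},
        {"customer_id": "C1002", "email": "b.jones@example.org",
         "phone": "+44 20 7946 0999", "plan": "basic", "signup_date": "2017-05-19"},
    ],
    "hr.payroll": [
        {"employee_id": "E42", "iban": "GB29NWBK60161331926819",
         "dob": "1984-07-12", "salary": "52000"},
    ],
    "marketing.leads_export": [
        {"contact": "c.brown@example.net", "source": "webinar"},
    ],
}

# Constructed approved register: dataset -> PII columns the business has documented
# a need for. Anything found outside this register is drift.
APPROVED_REGISTER = {
    "crm.customers": {"email"},
    "hr.payroll": {"iban", "dob", "home_address"},
}

# Column-name tokens that mark a column as PII even when its values are masked or empty.
NAME_HINTS = {"email": "email", "phone": "phone", "mobile": "phone", "iban": "iban",
              "dob": "date_of_birth", "birthdate": "date_of_birth",
              "ssn": "national_id", "nin": "national_id"}


def _looks_like_phone(s):
    # Digits with separators; 9 to 15 digits so ISO dates and salaries do not match.
    return (re.fullmatch(r"\+?[\d\s().-]+", s) is not None
            and 9 <= sum(c.isdigit() for c in s) <= 15)


# Value heuristics (illustrative), tried only when the column name gives no hint.
VALUE_CHECKS = {
    "email": lambda s: re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", s) is not None,
    "iban": lambda s: re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s) is not None,
    "phone": _looks_like_phone,
}


def classify_column(name, values):
    """Return a PII category for the column, or None if it looks non-personal."""
    tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
    for hint, category in NAME_HINTS.items():
        if hint in tokens:
            return category
    samples = [str(v).strip() for v in values if v not in (None, "")]
    if not samples:
        return None
    hits = Counter()
    for s in samples:
        for category, check in VALUE_CHECKS.items():
            if check(s):
                hits[category] += 1
                break
    if not hits:
        return None
    category, count = hits.most_common(1)[0]
    # Require a clear majority so one stray value does not label a column PII.
    return category if count * 2 > len(samples) else None


def build_inventory(datasets):
    """Map each dataset to {column: pii_category} for columns judged to hold PII."""
    inventory = {}
    for dataset, rows in datasets.items():
        columns = {}
        for row in rows:
            for col, value in row.items():
                columns.setdefault(col, []).append(value)
        pii = {}
        for col, vals in columns.items():
            category = classify_column(col, vals)
            if category:
                pii[col] = category
        inventory[dataset] = pii
    return inventory


def detect_drift(inventory, approved):
    """Compare discovered PII with the approved register and return findings.

    Each finding is (kind, dataset, [columns]):
      UNREGISTERED_DATASET  PII found in a dataset nobody documented
      UNAPPROVED_PII        extra PII columns in a registered dataset
      EXPECTED_PII_ABSENT   registered PII column no longer present (moved or renamed?)
    """
    findings = []
    for dataset, cols in inventory.items():
        if dataset not in approved:
            if cols:
                findings.append(("UNREGISTERED_DATASET", dataset, sorted(cols)))
            continue
        extra = set(cols) - approved[dataset]
        missing = approved[dataset] - set(cols)
        if extra:
            findings.append(("UNAPPROVED_PII", dataset, sorted(extra)))
        if missing:
            findings.append(("EXPECTED_PII_ABSENT", dataset, sorted(missing)))
    return sorted(findings)


def run_check(datasets=SAMPLE_DATASETS, approved=APPROVED_REGISTER):
    """Inventory the datasets and return the drift findings against the register."""
    return detect_drift(build_inventory(datasets), approved)


if __name__ == "__main__":
    for kind, dataset, cols in run_check():
        print(f"{kind:22} {dataset:24} {', '.join(cols)}")
```

Run on a schedule against real exports, the three finding kinds map onto the list items directly: an unregistered dataset or unapproved column is PII being collected or copied without a documented need (and without the consent change the list calls for), while an expected column going absent is a change in where PII lives that deserves a look before the 72-hour clock ever starts.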