In May 2018, the GDPR, a regulation created to protect the data of private citizens and corporations, will come into effect and companies will have to take greater responsibility for data protection or face hefty fines. Tech experts and police are warning that these fines will encourage hackers to hold data for ransom – so long as the ransom undercuts the cost of fines from the ICO and the costs incurred by the damage to reputation.
Andrew Clarke from the City of London Police Cyber Crime Unit warns of a potential increase in crime by businesses against other businesses: “It’s possible that companies may seek to illegally exploit GDPR by threatening to release the data of other companies in order to sabotage competitors. Unfortunately, hackers are accessible through the dark web – where funds are illegally laundered through terrorist organisations and criminal gangs – and after GDPR comes into effect we may see an increase in company-on-company attacks.”
How serious is cyber crime?
Cyber crime has been rising exponentially, with high-profile victims such as Equifax, Uber, the NHS and Yahoo. According to the 2017 Internet Security Threat Report, one in 131 emails contained malware: the highest rate in five years. The average ransom spiked 266%, with criminals demanding an average of $1,077 per victim.
The secondary cost of a cyber attack is the loss of client trust and negative PR: after its infamous breach, Equifax stock tanked 35%, wiping almost $6 billion off its value. When fines begin to be enforced next May, they will run up to 20 million euros or 4% of global revenue, meaning that a data breach could put some companies out of business if they do not comply with the GDPR.
So it’s easy to see why paying out a few thousand euros to make the problem go away might be a tempting option, and the GDPR fines give hackers a frame of reference for pricing their demands. When HBO fell victim to hackers, the consequences of not paying the ransom included having an episode of ‘Game of Thrones’ leaked on Pirate Bay, along with countless other sensitive documents. However, choosing to pay the ransom has wider consequences, siphoning money through the dark web and funding further criminal (or even terrorist) activity.
Who is at risk?
It’s not just media giants like HBO and financial mega-corporations like Equifax who are at risk: any business with a device connected to the internet could be a target. In 2015, 43% of cyber attack victims were small businesses according to a Symantec study, so all companies need to prepare for when (not if) their data comes under attack.
The most common means of spreading ransomware is email phishing, something nearly every company is vulnerable to. These emails can be sent en masse, and all it takes is one employee opening an attachment without due diligence for the malware to infect a whole network, a method that accounts for 90% of all successful cyber attacks according to KnowBe4.
Organisations holding sensitive data (personal or financial) are often a particular target. Law firms hold an abundance of secrets about their clients and are often involved in transactions of staggering amounts of money. The Panama Papers leak is just one example of how devastating this information can be to a wide range of people, who are often targets for political as well as financial reasons. However, many law firms seem unaware of the dangers, with an estimated 80% of US law firms having fallen victim to hackers. Cyber criminals have even identified that deals are more likely to be closed and transactions to take place on a Friday, leading to a weekly spike in phishing attempts known as ‘Friday Fraud’.
How can you protect your company’s data?
- Training staff on GDPR compliance is the best way to ensure that data is protected responsibly.
- Assign a Data Protection lead.
- Ensure sensitive data is encrypted. An independent study found that only 44% of organisations reported “extensive” use of encryption, despite it being one of the most effective ways to protect data.
- Back up your data regularly. Ransomware will block access to your files; having as much backed up as possible will minimise the damage and take away a hacker’s leverage.
- Use strong passwords and change them regularly.
- “Look after your company’s digital health. Keep systems up-to-date and with the latest patches,” advises Clarke.
If you are targeted by cyber criminals and locked out of your systems by crypto-locking malware or other ransomware, do not pay the ransom. “If the systems have been backed up and their data is secure, I would urge companies not to give funds to the cyber criminals,” says Clarke.
“If a company is being held to ransom in fear of being reported to the ICO by a criminal group, I would advise not paying and reporting quickly to the Police and ICO, but this decision ultimately lies with the company.
“Every report we get better informs us on how to deal with cyber attacks and helps us prevent the next one.”
How might cyber crime develop in the next few years?
Cyber crime is becoming increasingly sophisticated and organised, and we can expect to see more and more focused attacks. The ransom demanded for stolen or encrypted data is likely to rise, and with the ‘Internet of Things’, data is only likely to become more valuable. When everything is connected to the internet – our phones, fitness trackers, TVs and even fridges – data breaches will get personal.
Artificial intelligence is already beginning to enter the fray, and will no doubt form part of both cyber attack strategy and data protection counter-strategy. A malicious AI will be able to analyse vast amounts of data to find the best way through a company’s defences in a fraction of the time it would take a human hacker, making AI an essential part of future anti-malware development.
The inevitability of a data breach means that businesses are already focusing on resilience rather than prevention alone. Having a system in place for when your digital fortress is infiltrated is absolutely vital, and in the future there will hopefully be even more tools to help businesses bounce back after an attack. In the meantime, the GDPR guidelines are there to ensure businesses look after our data and use it responsibly, and companies need to start seeing cyber crime not as an abstract concept but as a real and dangerous threat to their business and their clients.
YUDU Sentinel is an app-based crisis communication platform for the management of fire, terrorist and cyber attacks, or any other critical incidents. Crisis managers have immediate access to independent two-way communication (SMS, voice, email and in-app messaging) and can view key documents on mobiles. Sentinel is a cutting-edge crisis management tool. Find out more at http://www.yudu.com/do/notification/sentinel or contact us on Twitter @YUDU.