GDPR, the General Data Protection Regulation, is set to change data protection law for good from May 25th, 2018. The regulation aims, in part, to strengthen the protection of personal information and reduce the threat of a data loss or breach, such as those masterminded by cunning cyber-criminals. So, should cyber-criminals be worried about the effects of the regulation on ‘business’?
‘Cyber-crime is simply any criminal activity that occurs by means of computers or the internet’
Among the many forms of cyber-attack, different methods are used to differing effect: some to extort profit, others more likely to cause damage or downtime. Complex cyber-attacks incorporate several stages and can last for months. In December 2016, a few days before Christmas, hackers successfully caused a power outage in a region of Ukraine, leaving almost 250,000 people without power. The attack had taken months of planning and involved a phishing scam as well as systems being compromised and code rewritten. Some of the most common forms of cyber-attack include:
- Malware strains
- Phishing attacks
- Denial of Service (DoS) attacks
Breaches, cyber-attacks and how organisations should react
Importantly, under the GDPR organisations have a legal responsibility to report data breaches, which hasn’t always been the case. Several high-profile cyber-crimes throughout 2016 and 2017 remained unreported for months or even years, with the organisations that had been hit choosing to try and cover up the data loss. Among these organisations are Uber, Yahoo and Equifax.
Under the GDPR a Personal Data Breach is defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
If cyber-criminals succeed in an attack, organisations will now have to report the breach within 72 hours of discovering it. The ‘breach notification’ must be shared with the relevant information regulatory authority, such as the Information Commissioner’s Office (ICO) in the UK. The notification should state who has been affected, what data has been lost and what the likely consequences of the data loss may be; all these factors contribute to the penalty given by the authority, if one is given.
Uber’s breach report running late
The app may be good at letting customers know if drivers are running behind schedule but when it came to the company reporting a data breach that had affected some 50,000,000 customers, not so much. In October 2017, the company reported the breach, announcing that a total of 57 million drivers and customers had their personal information stolen in a hack that took place a year prior. Corporate systems had not been accessed.
Will there be more or fewer attacks?
Cyber-criminals are unlikely to see the regulation as any sort of deterrent. Ransomware attacks, hacks and other cyber-attacks are already against the law, and while some attackers have been tracked down, cyber-attacks are often difficult to trace. The number of attacks has risen steadily over the past few years and, with infections launched from malicious emails or webpages, they can be simple to put together. However, a recent report published by Trend Micro predicts that 2018 will see an overall decrease in attacks, with a higher concentration of strategic attacks designed to improve return on investment.
Organisations are likely to have improved data management and protection processes in place to ensure compliance with the regulation. These, in theory, will decrease the risk of a data breach, whether accidental or due to a cyber-attack. If successful attacks do take place however, cyber-criminals may be able to demand high ransoms due to the fines that can be given by authorities for a breach.
Whether or not cyber-criminals find ways to continue breaching systems after the GDPR takes effect, organisations need to ensure that best-practice data management is followed and that data is always securely protected. Methods of protection include encryption, and it is vital that organisations keep a full, off-site backup of their data that can be restored in a disaster.