You know about ransomware. A hacker infiltrates your IT systems, locking them down until you pay a ransom. Some studies now estimate that over 50% of businesses have experienced this type of attack in the last year, and it's particularly prevalent within the legal sector.
Previously, firms could protect themselves by having a disaster recovery plan in place to ensure they could get back up and running in the event of a disruption. However, GDPR means this approach alone is no longer adequate, and security measures must be strengthened to prevent attacks. Ransomware is evolving: hackers are now taking copies of data at the point at which they lock systems down, a practice the industry has dubbed 'datanapping'. Being able to get your systems back quickly is then beside the point; the hackers already have your data and will threaten to release it publicly if you don't pay up.
Rather than keeping it quiet, the GDPR will require businesses to report data breaches to the supervisory authority, with even more severe penalties levied if they fail to do so. And with the added threat of data being released to the public, there's the reputational damage along with the inevitable compensation claims from those affected.
Nowadays, little technical knowledge is required to launch an attack, and the risk of getting caught is low as ransom payments are made in bitcoin, meaning they're untraceable. Thousands of cyber attacks are unleashed on UK businesses every day, and the GDPR only makes this a more attractive way for criminals to make money. With significantly higher fines and stricter regulations, GDPR gives criminals power they didn't possess previously, because businesses become more likely to pay the ransom to avoid the large fines that would follow if sensitive data were released online.
Cyber criminals are acutely aware of the potential negative impact on a firm's reputation if data is released and will use this to demand a higher ransom. If your firm decides to pay out, it will rarely be a one-off, so you'll need to fix your security vulnerabilities fast. It's easy to see how this becomes a recurring cycle of paying up again and again, with hackers returning every few months for more. But carrying out security investigations to fix issues only as they arise is much like plugging holes in a sieve, and it becomes costly in the long run.
Firms have until May 2018 to ensure their systems are robust enough to meet their data security obligations. A business cannot outsource its responsibilities under the GDPR, meaning the culture and mindset around how data is treated has to be modernised. An external audit of a firm's infrastructure and network security is the first step to assessing whether the appropriate measures are being taken to protect data.
The good news is that the GDPR is likely to be the much-needed catalyst for change, forcing firms to focus on prevention rather than cure for security attacks.