GDPR is the topic on everyone’s lips in the business world,
as the incoming regulation brings the biggest shift in data protection laws since
the 1995 Data Protection Directive. We’ve seen a lot of scaremongering around
GDPR, with talk of fines in the millions for data breaches. We know that it’s
unlikely the Information Commissioner’s Office (ICO) will enforce the maximum
penalties on businesses that experience data breaches, given its history of
lighter enforcement.
Whilst this will put many minds at ease, businesses must be
acutely aware of the cyberthreat landscape. 2017 was dubbed the ‘year of the
cyber-attack’ thanks to high-profile hacks and data breaches from around the
world. May’s worldwide WannaCry attack brought Ransomware, a specific and
insidious type of malware that encrypts a user’s files and demands a ransom
payment for their decryption, into mainstream headlines for the first time. The
hit on the NHS initially looked like a targeted attack on the UK’s health
system, but it was later proven to be more of a spray-and-pray exercise with
businesses of all sizes hit across the globe.
The creators of WannaCry appeared to make a paltry £108,000
out of the worldwide attack, which took down over 200,000 systems; it’s
estimated that the hackers received only 200 payments. A ‘killswitch’ was found
within days of the attack, halting the spread of the Ransomware virus. Whilst
it’s encouraging to see businesses refusing to give in to the hackers’ demands
and pay up, the real cost lies in the downtime caused by cyber-attacks like
this.
Take the NHS for example; within minutes of the virus
infecting systems, the service was, in parts, incapacitated; doctors and nurses
couldn’t access patient records, with GPs resorting to pen and paper, whilst
non-emergency operations were cancelled and the public was advised to only use
A&E services in cases of emergency. A figure of £180,000 was attributed to
the emergency measures the NHS put in place in the immediate aftermath of the
attack, but this doesn’t take into account the cost of downtime or the costs
incurred by individual trusts, so the overall cost could run into the hundreds of
thousands or even millions. A post-mortem report into the effects of the attack
showed that over a third of trusts were affected, as well as almost 600 GP
practices. A total of 19,000 appointments were cancelled, over 100 of which
were cancer-related. By these figures, it’s not too far off the mark to say
that this cyber-attack, had it taken down the entire NHS, could have cost
lives.
The Petya/NotPetya Ransomware attack that again struck
worldwide in June 2017 hit businesses hard financially. International shipping
company Maersk was infected with the Petya virus, which affected its business
operations substantially for two weeks, even shutting down its largest terminal
in Los Angeles. The malware stole authentication credentials to infect the
network, using this foothold to block access to vital systems that operated the
company’s shipping terminals globally. Not only were files locked down, but the
applications themselves were inaccessible. Maersk took the safety measure of
shutting down its Maersk Line APM Terminals, meaning it couldn’t move cargo for
days. In the two weeks of disruption, customers were unable to make new
bookings or receive quotes before the business returned to its usual
operations.
Whilst Maersk has stressed that the business hasn’t lost
customers as a result of this cyber-attack – which is unlikely due to the
reputational damage associated with data breaches – it has estimated revenue
losses of £234 million from its two weeks of downtime. Research into
high-profile data breaches, including TalkTalk, Barclays and Carphone Warehouse,
unanimously showed that businesses suffer an immediate drop in customer
sentiment. TalkTalk lost over 100,000 customers following its data breach,
indicating the loss of trust for thousands of customers.
Similarly, American pharmaceutical company Merck reported
losses of over $310 million (£214 million) in its Q3 revenue alone, with
projections that a similar loss would be reported in Q4 because of the Petya
attack. It estimated that $135 million had been lost in sales, whilst the other
$175 million was attributed to the cost of recovering from the attack. Petya
caused a production shutdown at Merck that halted the manufacture of
prescription medication and vaccines, with the impact so severe that employees
weren’t allowed to work. The fact that this has impacted on Merck’s revenue for
a significant period of time following the attack should be a stark warning to
businesses.
So how is this relevant to GDPR?
Heimdal Security researchers have concluded that hackers are
likely to use GDPR as leverage to extort money out of businesses. Security
Evangelist Andra Zaharia argues that social engineering (a form of ‘psychological
manipulation’) is an integral cog in the Ransomware machine, with hackers
posing as colleagues or threatening to release compromising information if
their demands are not met. Zaharia believes cyber criminals will take this to
the next level by using your data as a ‘bargaining chip’, knowing that your
business faces reputational damage, legal consequences and potential financial
punishment from the ICO.
The Uber hack is an example of how hackers can successfully
manipulate a business into paying in order to keep a breach quiet. Whilst the
hackers didn’t use Ransomware to breach the Personally Identifiable Information
(PII) of 57 million customers, they successfully forced Uber into paying over
£75,000 to delete the stolen data and to keep the hack under wraps. Whilst we
understand the highest fines under GDPR will be used only in the most extreme
cases, it’s likely the ICO would have penalised Uber not only for the hack, but
the cover-up too, as both are significant breaches under GDPR; the cover-up is
likely to be the more severely punished of the two.
The hackers responsible for Uber’s data breach have shown
how effective this socially-engineered manipulation is; Zaharia of Heimdal
Security argues this will only become a more effective technique as the
supposedly large fines (real or perceived) and reputational damage attached to
GDPR are used as blackmail.
As Ransomware is already the most profitable form of malware,
it makes sense that it will become the weapon of choice under GDPR. What’s
more, it requires few high-level administrative rights in order to infiltrate a
system, meaning it can still slip past some modern security solutions. Ransomware,
or other forms of malware, won’t be used in isolation, however. Social
engineering tactics like impersonating employers, blackmail and extortion will
go hand-in-hand with destructive viruses. Phishing, which directs users to fake
login pages in order to steal login credentials, is also on the rise as cyber
criminals become more sophisticated in replicating humans and reputable brands
like Apple or Amazon.
The three examples here demonstrate how businesses suffer
financially because of cyber-attacks; Merck and Maersk experienced huge
financial losses due to downtime, which resulted in a loss of sales, while Uber
paid up to hackers in order to keep its enormous data breach quiet, and could
face further consequences as UK, Australian, US and Filipino authorities launch
investigations into the breach and cover-up.
Whilst it’s true that under GDPR, the ICO will have the
power to fine businesses 2% or 4% of global turnover, depending on the severity
of the breach, it’s unlikely we’ll see those fines implemented on a large
scale. The GDPR is designed to protect the personal data of individuals, not to
make examples out of businesses. We know it’s important to not buy into the
scaremongering around fines in the millions, but this shouldn’t come at the
expense of compliance.
The GDPR requires businesses to put in place ‘appropriate
measures’ to protect their PII data from hacks and breaches. Should a business
follow this instruction and still experience a data breach, proving to the ICO
that these security measures were implemented will ensure the punishment isn’t
severe. By putting measures in place to address GDPR, like encryption (a
security method explicitly mentioned in the regulation), robust anti-virus
solutions and implementing a culture of privacy by design, you also get the
added benefit of protecting your business from cyber criminals prepared to use
GDPR to their advantage.
Natasha Bougourd is Lead Applications Writer at Technology Services Group (TSG),
a UK IT support company specialising in business IT security.