With the introduction of the new EU general data protection regulation (GDPR) this time next year (25 May 2018 to be exact) – businesses all over the globe could find themselves in breach of the regulation and facing hefty fines should they fail to prevent a ransomware attack, phishing attack or similar. The message is finally getting out there – something needs to be done about ransomware and fast.
How ransomware could cause a breach of GDPR
As noted in this RTE article by @AengusCox – data protection and governance expert @DaraghOBrien, Managing Director of Castlebridge Associates, confirms GDPR is all about accountability. Not only do organisations have to comply with the regulation, they also have to demonstrate compliance through evidential proof (documentation, etc) of the controls, processes, technology, etc. that they have in place to protect the sensitive and personal data they hold on EU citizens (to include their staff, customers, vendors and third parties).
Daragh confirms that ransomware could indeed be seen as a breach of GDPR by the data protection commissioner, as ransomware typically affects both the availability of and access to personal data, and can also affect its recovery. Indeed, some strains are known to upload personal data to the attackers – a clear data breach and a major breach of the GDPR.
As the GDPR comes more and more into focus through this year and into next – security experts predict that hackers/scammers will begin to steal data with advanced ransomware and then blackmail the victims by threatening to report them to the data protection commissioner.
What can be done?
In the RTE video interview, Daragh notes that security awareness training for staff is crucial now. Businesses urgently need to train their staff to recognise phishing emails and avoid clicking on the links in them.
Many may not realise it yet, but Article 39(1)(b) of the GDPR places a mandatory onus on organisations to undertake security awareness training for staff who deal with sensitive personal data. The EU, when drafting the regulation, was aware that staff are one of the weakest links in any organisation and are one of the main causes of ransomware and data breaches, as a result of being fooled by sophisticated phishing emails.
A survey from Intel in 2015 found that 97% of people around the world cannot identify a sophisticated phishing attack. In addition, a 2016 study from a global security awareness training company found that, of over 1,000 organisations surveyed in the USA, 88% deemed security awareness training to be a critical, necessary and effective measure in helping to prevent ransomware entering their organisation.
How Tech Guard Can Help
Here at Tech Guard – we provide a world class security awareness training and testing service, which not only trains staff with short online interactive security awareness training, but also tests them by regularly sending them phishing emails that mimic the latest scams. Training of staff should not be done on its own. Its effectiveness should be tracked and measured through regular phishing tests with remedial training undertaken as required.
Our service can track which staff clicked on our simulated phishing email links or, worse, which staff members replied to our spoofed emails, allowing us to immediately enrol them in remedial training. We report these results to management on a regular basis – which allows them to continuously assess their risk.
Recently we have introduced a plugin for Outlook and Google Apps that allows employees to report emails they deem suspicious. This greatly helps to promote good security behaviour and keep staff alert to the latest threats. Our plugin also tracks which staff members report our simulated phishing emails as scams, allowing companies to see which staff understand and apply the training and which staff require remedial training.
This gives a business a network of sensors to detect and help prevent phishing attacks on the organisation and respond accordingly. Not only that, it also allows management to incentivise staff who are good at spotting phishing emails, which can greatly help boost employee motivation for keeping security top of mind.
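As an added example (not Tech Guard's own tooling), here is the scoring the previous three paragraphs describe, run over a constructed campaign log: each user's worst action wins (replied over clicked over reported), which yields the phish-prone percentage, the remedial-training list and the reporters to recognise. The event names and the "user,event" line format are assumptions.

```python
"""Score one simulated phishing campaign (added example, constructed data)."""

# Constructed sample log from one campaign: one "user,event" line per action.
# Assumed event names: delivered, reported, clicked, replied.
CAMPAIGN_EVENTS = """\
alice,delivered
bob,delivered
bob,clicked
carol,delivered
carol,reported
dave,delivered
dave,clicked
dave,replied
erin,delivered
"""

# Higher number = worse outcome. A user who reported the mail but also
# clicked the link still counts as phish-prone: the worst action wins.
SEVERITY = {"delivered": 0, "reported": 1, "clicked": 2, "replied": 3}


def parse_events(text):
    """Return {user: worst event seen} from 'user,event' lines."""
    worst = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, event = (part.strip() for part in line.split(",", 1))
        if event not in SEVERITY:
            raise ValueError(f"unknown event {event!r} for user {user!r}")
        if user not in worst or SEVERITY[event] > SEVERITY[worst[user]]:
            worst[user] = event
    return worst


def campaign_summary(worst):
    """Build the management report: risk metrics plus who needs training."""
    total = len(worst)
    prone = sorted(u for u, e in worst.items() if e in ("clicked", "replied"))
    reporters = sorted(u for u, e in worst.items() if e == "reported")
    pct = lambda n: round(100.0 * n / total, 1) if total else 0.0
    return {
        "targeted": total,
        "phish_prone_pct": pct(len(prone)),     # clicked or replied
        "report_rate_pct": pct(len(reporters)),  # reported without clicking
        "remedial_training": prone,              # enrol these users
        "reporters": reporters,                  # candidates for recognition
    }


if __name__ == "__main__":
    print(campaign_summary(parse_events(CAMPAIGN_EVENTS)))
```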
No Silver Bullet – A Layered IT Security Approach is Needed
Note – while a security awareness training and testing service can drastically reduce an organisation's risk from ransomware, data breaches, phishing scams and other cyber attacks – there is no silver bullet. It is very important that organisations continue to take a layered approach to IT and cyber security. Just like the layers of an onion – organisations need to implement multiple layers of IT security measures to help reduce their risk of a cyber attack. Next generation technology (anti-virus, firewall, DNS protection, etc), with built-in behavioural analysis and/or sandboxing, is becoming more and more important as cyber threats and ransomware continuously change and adapt their behaviour to try to avoid being detected.
Tech Guard also provides a suite of next generation IT security solutions to help organisations reduce their risk of a cyber attack even further. Our next generation backup, disaster recovery and server continuity solution has recently been upgraded to include built-in ransomware detection, so you can easily detect when the ransomware first hit in your backups and how far back you need to go to restore your data. Contact us for more information.
**Take our Phish Prone Challenge – Assess the phish-prone percentage of your staff today**
Sign up to our phishing security test today and find out your organisation’s level of risk to a cyber attack.