Even though this is not an "official" term in use (well, at least not yet), it does describe a concern I find myself explaining to people on different occasions. I often discuss GDPR from the security perspective, and the conversations most of the time end up focusing on the implications of the regulation and the "next day".
This is when I end up describing the potential scenario of "GDPR Extortion", as I always like to see things through different lenses when it comes to forward thinking in Information Security and Cyber Security.
By "GDPR Extortion" I mean something similar to "DDoS Extortion", and it is easier to give people an example in order to explain this type of potentially evolving threat.
For those of you who are not familiar with the latter term, DDoS Extortion is when a business receives an email stating that unless a fee is paid (usually in Bitcoin), a DDoS attack will be launched. In some cases the email arrives after the DDoS attack has already started, claiming that it will stop if the ransom is paid (or be "turned down" if a portion of the ransom is paid).
In a similar way, as we expect GDPR to be in effect from the 25th of May 2018, there is a high possibility that cybercriminals will focus on exploiting this regulatory framework for financial gain. More specifically, once GDPR is introduced, cybercriminals will have an opportunity to make a huge profit by blackmailing businesses they have already successfully breached and from which they have extracted Personally Identifiable Information (PII).
As we know, GDPR introduces higher fines for any business that experiences a breach. The cost of the breach, the fine and the damage to reputation can have a significant impact or, in some cases, even be catastrophic.
As you can see, there is a "gap" that needs open discussion: how to deal with this possible scenario. Cybercriminals are expected to see this as an opportunity to launch attacks, and they expect to get paid simply because in some cases the ransom will end up being significantly lower than the overall cost of a breach.
Especially under GDPR, the cost of reporting a breach might be so high that there will be cases where paying the cybercriminals is seen as a reasonable alternative.
What I am trying to say is that it needs to be clear to companies and decision makers that attempting to hide a breach will end up costing far more in the end, especially if you are caught paying individuals or groups (who are criminals) in order to keep the breach hidden.
There is enough Cyber Extortion going on already, and we are trying to tackle it the best way we can. Let's not allow GDPR to become an enabler for cybercriminals, who will see it as another money-making opportunity.
What the decision makers and budget holders need to understand is that security is an enabler. Allow me to elaborate a little: if it comes to the unfortunate event of a breach, under GDPR you will be asked to demonstrate that you took your security seriously throughout the year. This means that you did not just do the bare minimum but, on the contrary, were proactively taking steps forward, challenging your security at every step of the way and making sure that if something "bad" were to happen, you would be able to prove to the regulator that there was nothing else you could have done to prevent the breach, such as responding faster, containing it better, or recovering faster than you did. If you can prove all of the above, that you were doing a very good job regarding the cyber-resilience of the business throughout the year, and the breach happened because of, for example, an unknown zero-day (0day) exploit that none of your defenses was able to detect, then there is a really high chance that the fine will be very small or even not applicable in your case.
I fully understand that this is a subject that needs further discussion, and there are cases where this kind of extortion would make no sense. However, as Information Security professionals we need to think ahead of the curve, make sure we are aware of such possibilities, have answers for such potential scenarios, and try to minimize the chances of them becoming a reality.