Corporate Compliance Insights

What if WannaCry Happened in the GDPR Era?

by Jason Allaway
June 13, 2017
in Data Privacy, Featured

Mitigating Risk to Enhance Data Security

In this article, Jason Allaway, RES Area VP for the U.K. and Ireland, reveals what the true cost of a ransomware attack like WannaCry will be in the GDPR era. As many organizations struggle to prepare for the upcoming regulation, Jason shares the three pillars of risk that must be integrated into organizations’ GDPR strategies to protect and secure sensitive data without hindering productivity.

Over the last few weeks, there have been numerous news stories about the WannaCry ransomware attack and the disruption it has produced. WannaCry caused major issues and compromised personal data around the world in a very short period of time. It was reported that more than 200,000 computers were hijacked in more than 150 countries, with victims including hospitals, banks, telecommunications companies and warehouses.

Today, data is worth a lot of money, and cybercriminals know it. This is one of the key reasons why the EU has established requirements around doing more to protect data from breaches with the impending GDPR legislation. In fact, the GDPR compliance deadline of May 25, 2018 is less than one year away.

What if WannaCry Was Released on May 25, 2018?

Nobody can be sure what will happen after something like WannaCry strikes once the GDPR compliance deadline passes. It is assumed the governing bodies would jump into action, and it is inevitable that there will be a breach at some point after the compliance deadline. Based on the EU’s regulations, an investigation will begin to see if the organization met all the requirements and took the appropriate measures to secure the data.

For example, if an organization that experienced a data hijacking from malware was found to be out of compliance with GDPR, the consequences would be steep. There could be many reasons for noncompliance: maybe they didn’t have the right processes in place or they didn’t have a way to enforce their policies. Or maybe they didn’t report the breach within the 72-hour requirement. No matter where they fall short, it’s likely the organization will be made an example of – and it will be expensive.

GDPR has set forth some hefty fines of between €10 million and €20 million, or up to 4 percent of a company’s total worldwide annual revenue. This is not to mention reputation damage and any disruption the organization already experienced from the breach itself. In the case of an attack like WannaCry, organizations would be hit hard on multiple fronts. The potential of being struck with compliance fines on top of the breach means that organizations must take their approach to increasing data protection very seriously, and they must act quickly.

The 3 Pillars of Risk

There have been countless commentaries and pieces of advice on how to protect and lock down systems and on what organizations should have done to ensure they were protected from ransomware like WannaCry. However, one thing not being discussed is the amount of risk that something like WannaCry presents when it comes to compliance. Because a ransomware attack can cause this much disruption on such a large scale, it must be part of an organization’s GDPR strategy. To be effective, every organization should evaluate its level of risk across three key areas: technology, people and processes.

Technology

In an ideal world, organizations have the latest technology, updated with the latest patches and security. The perimeter and the internal entry points would be secured without compromising user productivity. Also, technology would enforce policies so users do not open or read files or websites from unknown senders. In this secure world, risk is mitigated through technology. But many organizations are still utilizing legacy systems because they are “good enough,” or haven’t implemented modern technology yet due to lack of resources (budget, time, etc.).

People

People will follow human nature, at times doing things that do not follow the rules. For example, how many times have people driven over the speed limit to get somewhere faster? With the uncertainty of being caught and the knowledge it is illegal, people still do it. It is human nature to do what is necessary to get where we are going. Same goes for the workplace: users want to be productive, have a consumer-like experience and get their needs fulfilled immediately or they will go around IT, resulting in shadow IT.

Processes

There are many processes that must be put in place to mitigate risk around GDPR. One example of a poorly defined or poorly enforced process might be how users manage their files – everything from deleting to locking their files. How many files are encrypted or contain personal information? Is data stored where it shouldn’t be? It is easy to assume there are a lot of people who – although not with malicious intent – store data in unsecure locations outside of the core network because it is simply easier to access and manage. And that is just one example of how a process that is not well-defined or enforced can lead to risk.

Mitigating Risk as the Cornerstone of GDPR Strategy

An organization’s GDPR strategy should address risk in all three of those areas: technology, people and processes. Organizations must not only ensure employees can carry out their jobs without disruption, but also enforce the processes and rules that need to be applied based on the context of the user (who they are, where they are, what device they are using, etc.). They must then decide whether the action the user is trying to perform is unusual or outside the rules. If controls are implemented correctly and automated, an organization will end up with a productive and secure environment.

When it comes to GDPR, the largest mountain to climb is mitigating risk around people and processes without hindering productivity. Organizations need to make sure processes are strong and complete enough to meet GDPR requirements, but flexible enough to let people still do their jobs. If not, workers will go around the system and open the organization up to even more risk. With self-service, context-aware technologies, and by automating the rules around processes, organizations can leverage technology to set boundaries (where files can be saved, automatic encryption, preventing rogue or unauthorized applications with whitelisting, etc.) and protect the infrastructure and data from vulnerabilities.

This piece was originally shared on RES’s “RES*OLUTION blog” and is republished here with permission.

Tags: Cybercrime, GDPR, Ransomware

Jason Allaway

Jason Allaway is Area VP for the U.K. and Ireland. As a registered GDPR data protection officer, he helps customers move their compliance strategy forward, mitigate risk and solve complex enterprise IT challenges.

© 2025 Corporate Compliance Insights