Criminal hackers will use GDPR to profit from companies worldwide, warns Cyber Security expert.
According to Rafael Narezzi, even before GDPR is applied, there are many critical points that criminals are seeking to use against companies that are not compliant with the new regulations.
As of May 2018, GDPR (General Data Protection Regulation), a new data protection regulation, will enter into force and will be required of all organizations processing consumer data in the European Union. Those who do not comply will have to pay fines of up to 20 million euros or 4% of their total annual global turnover, whichever is greater.
Despite being an EU regulation, any Brazilian company or organization which processes, collects, hosts or shares personal data of users of the European Union will need to be compliant. But what does this really mean?
According to Rafael Narezzi, cyber security expert, GDPR has arisen with the aim to protect the data of European companies and citizens. “However, in a world surrounded by digital challenges and the ever-growing volume of cyber-attacks, we must look at how GDPR can also be used in cybercrime. In a survey on the Dark Web, it was discovered that cybercriminals are expecting to use GDPR for their own benefit. According to the survey, hackers would use the regulations to weaken and blackmail vulnerable companies so they will have to pay off criminals or hefty fines.”
However, not all is lost: companies should be given a grace period to adapt, but this is not guaranteed. Companies that have their data (and that of their customers and/or users) exposed due to lack of compliance with GDPR will have difficulty explaining any breaches and might be at risk of great financial losses. According to Rafael Narezzi, even before the regulations come into force, there are already many critical points that criminals are trying to use against companies:
1. Right to Erasure (“Right To Be Forgotten”) gives all European citizens the right to request that their information be erased and removed from the database or any other file that holds their information, including backups. If the organisation does not delete or remove the information from its systems and has some kind of vulnerability, criminal hackers will be able to access and capture this data for commercialization on the Dark Web (which is currently very common and generates millions of dollars). The company will also have to pay a fine if it fails to comply with the regulation. “All of this reminds me a lot about the Ashley Madison case where the company charged to have their data erased but when they were hacked, they simply did not delete the data as stated in their services contract. In this kind of cybercrime, the negotiation also becomes easier and more advantageous for the hacker.”
2. Data Breach Notifications. In this case, companies will have 72 hours to report an information leak. This can be like a time bomb: if there is a leak, companies will have to choose between paying off the hackers or paying the fine, and perhaps even both.
3. Data Protection Officers (DPO). This means that companies will need to hire a professional DPO or outsource this service. “It’s worth remembering that when we have humans controlling everything, the tendency is that cybercrime can offer large sums of money to access business data, or even provide commissions on the value to be negotiated.” Rafael reveals that this practice of social engineering is very common. He has come across many companies in cyber crisis because of this kind of scheme, which starts inside the corporation without any suspicion of who the possible malicious insiders might be.
4. This may lead to problems for companies that work with data mining: the process of exploring large amounts of data in search of consistent patterns, to detect systematic relationships between variables and thereby identify new subsets of data.
This practice frequently occurs without the users’ consent, which means individuals can sue companies that correlate and manipulate their data. This also includes cybercriminals, who can legally prosecute and sue small companies for having correlated information and allowed unauthorized identification of consumer/user profiles and their consumption habits on the Internet. This grants cybercriminals the rights of victims while they pose as such.
The expert says that there are ways out even in these extreme cases. Companies must invest in their information security and, when adapting to the new GDPR, they will also be investing significantly in cost avoidance. This will help to avoid the high costs that may be incurred as a result of fines for non-compliance and other damages inherent to cyber-attacks. When it comes to data security, the solution should be the elaboration and execution of an Action Plan which addresses the various forms of cybercrime attacks, maps and classifies the data according to its level of criticality to the company, and implements an efficient and effective data security policy which is continuously monitored and regularly audited. For this, it is essential to have qualified cybersecurity professionals to identify the company’s potential risks and learn how to prevent them. “We have until May 2018 to work in this direction,” and much still needs to be done, says Rafael.