Mention GDPR and most people automatically start to snooze, or break into a cold sweat if they are part of a data loss prevention team. If you are a CISO, you start packing up your desk (as this time it could be the big one), and some cyber criminals will look at GDPR and think, “there’s money to be made out of this madness”.
Since GDPR came in there have been a few changes in the cyber landscape, and one significant change is the rise of ransomware. It is simply everywhere. At first glance you may be forgiven for thinking that it is particularly prevalent in the USA. That is partly true, but the reason is that, under US law, a company must declare when it has had a data breach. Since 2002, the US Data Breach Notification Laws have required a company to notify the authorities of a data breach within 10 days. That, from a mapping point of view, is what makes the US look like a hotspot.
It wasn’t until I was reading “An interview with a Russian Cyber Criminal” (https://www.darkreading.com/endpoint/interview-with-a-russian-cybercriminal) that something struck me. During the interview, the interviewee stated that, “yes, the US is an easier target, but the EU GDPR works in the adversary’s favour, because victims are more likely to pay quickly and quietly to avoid the penalties imposed under the GDPR.”
When you look at that in the cold, hard light of day, it makes sense. Why would you declare a data breach and risk fines of up to €20 million or 4% of annual global turnover (whichever is higher)? The legislation that is designed to protect companies, by ensuring they protect their data, is actually part of the problem.
Now take a look at the ransomware report figures:

[Figure: Ransomware by Country in 2020]
Looking at the data, countries covered by GDPR are few and far between. Is Europe really that good at defending itself against ransomware? Or are we silently paying the ransom, as suggested in the interview, thus negating the need to declare a data breach under GDPR, whilst outwardly lambasting countries like the US for openly paying the ransom?
Is it really Europe’s fear of GDPR fines that is compounding the problem of ransomware? When you are risking 4% of your annual global turnover, some may say a ransomware payment is the better option financially.
The European Union has become a repeat victim and is now so ashamed of being attacked that it is not able to tell the authorities what is happening. The EU is stuck between a rock and a hard place or, in this case, between legislation and criminal groups, both of whom want to take its money.
Could GDPR be amended slightly to follow the lead of the US Data Breach Notification Laws, which are designed to protect those affected by the breach rather than fining them?
Whatever happens, now is the time to turn the tide against the criminal groups and make a stand, using the right levels of cyber defence and proactive intelligence.