Fed up with the carelessness and rapaciousness with which tech firms treat user data, Europe has taken its stand on cyber-security – and failure to follow the EU's new rules could cost companies as much as €20 million, and even more.
This ultra-tough stance is part of the EU's new GDPR - the General Data Protection Regulations – which next May will become the law of the lands that make up the European Union. But GDPR goes far beyond Europe; companies all over the world have been scrambling to ensure that they comply. GDPR rules include a detailed set of regulations designed to ensure that organisations that collect data keep it safe, secure, and under the control of the people it belongs to.
Among the GDPR's many requirements: the right to data portability or erasure, the requirement to hire a dedicated security officer, and a requirement that customers be notified almost immediately if there is a breach that leads to a leak of their data. Just ask the folks at Target; customers were so shaken up by the big data breach at the company in 2014 that profits were down sharply for nearly a year after the breach, and the company still suffers from a reputation for being a little too casual with user data safety.
But for many companies that deal in data, the most onerous rule of the many in GDPR is the rule of responsibility. Companies that collect data from customers on their web sites, or store data in computers, are responsible for that data, and will have to pay a penalty – no matter how or why a breach occurs. That means that if hackers steal data from a database, the company that held that data may have to pay compensation and/or a fine – even if the breach is the fault of employees who inadvertently allowed hackers into the system by responding to a phishing scam. Considering how unsuccessful companies have been in preventing such breaches in the past, the GDPR rules are clearly a matter of great concern for many firms.
While there have been many government initiatives and guidelines in the past to ensure that companies take cyber-security and privacy seriously, GDPR is the first one with actual teeth. Firms must get permission from users if they want to collect data, and they must take all precautions possible to protect that data. If there is a breach, firms must inform those whose data has been compromised within 72 hours of the event, in order to enable victims to protect themselves (change passwords, etc). In addition, companies must appoint a data officer who will be the point person between users, regulators, and the firm on GDPR compliance. And, companies that collect data from EU residents must store that data on servers located in the European Union – even if they are based elsewhere in the world.
Failure to comply with any of these rules could cost companies dearly – as much as four percent of total annual turnover with a minimum of €20 million. That the EU is serious in its penalty policies is clear from the huge US$ 2.7 billion (£2 billion) fine it imposed on Google in June over the company's giving preference to its own results in shopping engine searches.
Theoretically, if a company has its t's crossed and i's dotted – if it follows all the rules and fulfills all the GDPR requirements – it would be able to show that its staff did everything they could to protect data and users, and thus should not be held responsible for losses or be required to pay fines or penalties. But as every CEO knows, the greater the number of regulations, the greater the possibility that someone in the IT department is going to miss something, like a security update or a required dependency – possibly putting them on the hook legally. And the EU, of course, has unlimited resources to pursue such cases.
And breaches will occur; of this there is no doubt. Despite the best efforts of IT departments, hackers continue to succeed, bringing companies and organisations large (Sony, Target, the DNC) and small (local organisations and firms) to their knees, mostly via phishing attacks (according to studies, 91 percent of data breaches start with a phishing campaign). All it takes is for one click in the chain to fail – for one employee to respond to an appeal, to click on an attachment that looks legitimate that can load malware on a computer that can eventually compromise the entire organisation data on customers or users – to jeopardise the company, and get it in hot water with the EU.
Despite educational efforts, threats, begging, and anything else companies can think of, employees continue to respond to those phishing campaigns – but with GDPR, those responses can cost a company money. What are some of the strategies that companies can use to protect themselves, and what are their advantages and disadvantages?
1) Antivirus/Filters: The standard go-to for e-mail threats (and most malware) for years has been installing an anti-virus program that checks incoming data to ensure that it is “safe.” Advanced anti-virus systems use a signature file to check whether a program or agent that is trying to act within the system is already known to be malware – in which case the system will prevent it from running. That's an effective defence – for malware that has already been observed in the field. It won't do much good against zero-day malware, which in the first quarter of 2017 constituted some 30 percent of all malware observed.
2) Sandboxes: A more advanced system for protecting computers and networks, sandboxes enable IT staff to examine e-mail attachments before users open them on their computers – where any malware they carry could infect the network. A sandbox is a virtualised environment for executing and analysing files. Organisations use sandboxes to execute incoming files and learn about their behaviour before letting those files in. If the examined file shows no suspicious behaviour, it is allowed to advance to the user's inbox. If it does, it is trashed – thus removing the employee “wild card” from the cyber-defence equation.
While sandboxes have advantages over anti-virus systems – they do not rely on signature files to decide whether the code being observed is a threat – they are not the best answer to malware threats. An increasing number of malware agents can detect a sandbox environment and change their behaviour to “hide” their true intentions, sneaking through onto the network. According to a report by the SANS Institute, the amount of malware capable of evading detection has risen by a shocking 2,000 percent since 2014.
3) Content disarm and reconstruction: A relatively new technology for fighting undisclosed or zero-day exploits embedded in files, CDR is usually implemented at the organisation's gateway and acts as a buffer between the internet and the internal network. The process disassembles files down to their basic objects, elements and individual code components, then reconstructs a new version of the file while applying bit-level micro changes to all of those components, objects and elements. For example, an e-mail message with a PowerPoint attachment containing an image with an unknown malicious payload would be disassembled into its basic objects and elements. When the micro changes are applied to the image, the CDR breaks the payload sequence so that it can no longer exist. The reconstructed image is then embedded into the reconstructed PowerPoint, letting work continue with as little interruption as possible: the recipient gets a file that looks and functions just like the original one.
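The disassemble-and-rebuild idea above, shown on a single PNG image as an added illustration (this is example code written for this page, not Votiro's product or any real CDR engine). It assumes the simplest form of the technique: only the critical chunks the image needs are kept, the pixel data is decoded and re-encoded so the output bytes differ from the input, and anything else (ancillary chunks, bytes trailing the end marker) is dropped. The sample image and the `CONSTRUCTED_PAYLOAD` marker it carries are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"CONSTRUCTED_PAYLOAD"  # stands in for whatever an attacker might hide


def _chunk(ctype, data):
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob):
    """Yield (type, data) for each chunk up to IEND; refuse malformed input."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        if len(data) != length or zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError("corrupt chunk %r" % ctype)
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            return  # bytes after IEND are never read, so trailing junk is lost
    raise ValueError("missing IEND")


def reconstruct_png(blob):
    """Rebuild a PNG from its critical chunks only, re-encoding the pixel data."""
    ihdr = plte = None
    idat = b""
    for ctype, data in parse_chunks(blob):
        if ctype == b"IHDR":
            ihdr = data
        elif ctype == b"PLTE":
            plte = data
        elif ctype == b"IDAT":
            idat += data  # tEXt, zTXt, iCCP and other ancillary chunks are dropped
    if ihdr is None or not idat:
        raise ValueError("missing IHDR or IDAT")
    raw = zlib.decompress(idat)  # decode to filtered scanlines ...
    out = PNG_SIG + _chunk(b"IHDR", ihdr)
    if plte:
        out += _chunk(b"PLTE", plte)
    out += _chunk(b"IDAT", zlib.compress(raw, 9))  # ... and re-encode: new bytes, same pixels
    return out + _chunk(b"IEND", b"")


def build_sample():
    """Constructed 1x1 RGB PNG with the marker in a tEXt chunk and after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00" + MARKER)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + MARKER)
```

A real engine does this for every object type in every container format (the slides, the embedded image, the fonts), which is where the engineering effort lies; the PNG case only shows the principle.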
The first step towards getting at that corporate database – and the first step towards a potential fine by the EU – is that initial phishing message that seems to be so hard to resist. Organisations that want to protect themselves from big sanctions need to start with the small things – like that tiny, but powerful and troublesome image. Whichever protection system an organisation chooses, the key to saving money – and face – is vigilance, and being proactive in preventing hacker attacks.
Contributed by Itay Glick, CEO of Votiro
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.