Top security threats of 2018: Part 1 - GDPR

The EU's GDPR regulation is supposed to help focus business leaders' minds on security. But will it help cyber criminals more than CIOs and CISOs?

2017 was the year when ransomware came of age. With high-profile casualties including large swathes of the NHS, FedEx, Nissan, Hitachi and others, no security threats generated more headlines than WannaCry and NotPetya.

If one good thing came of the attacks, it was the increased importance of security to CEOs.

In recent Computing research, seventy-seven per cent of respondents agreed with the statement, 'More than anything else, ransomware has made the board sit up and listen to IT security professionals'.

One of the most frightening aspects of the spate of ransomware attacks was that they seemed to come from nowhere. Ransomware had previously been seen as a low-grade form of attack: an irritant, rather than something liable to slash share prices and topple business leaders.

What threats and trends are liable to rise to the fore in 2018? In this first part of our series, we examine the EU's General Data Protection Regulation (GDPR).

GDPR: Help or hindrance?
With the GDPR taking effect on 25th May this year, and bringing with it fines of up to four per cent of total worldwide annual turnover or 20 million euros (whichever is the greater), the profile of security concerns at board level has never been higher.

And whilst many firms are well down the path toward compliance, more than 60 per cent of Computing's research respondents had, at best, only just started to prepare.

In conversation with various CIOs at large, well-known organisations at a recent event, Computing found most to be at a loss as to how to meet the regulation's data-discovery demands, which in practice require firms to be able to locate every instance of personally identifiable information they hold within the time the regulation allows for answering requests about it.

But more worryingly still, some cyber criminals are looking to exploit the size of potential fines for their own gain.

"Threat actors could extort companies using leaked information, rather than dumping the leaked data publicly," says Rick Hemsley, managing director, Accenture Security. "They could also use smart contracts tied to crypto-currency blockchains to assure the breached organisation that the stolen data will be permanently deleted once payment is received. Organisations may therefore be motivated to pay extortions that are less costly than GDPR regulatory fines," he adds.

And there are other ways of 'weaponising' GDPR. Hacktivists, or anyone with a grudge and a loose code of ethics, could steal information not to extort, but in the hope that the organisation will be fined.

"Or they could submit hundreds of 'right to be forgotten' requests which would then grind the organisation to a halt when they are being responded to," says Guy Bunker, SVP of Products at Clearswift.

Some organisations may be moved to offer bug bounties, paying a financial reward to an external party who confidentially reports a vulnerability in their systems, according to Cisco's Martin Lee.

Though presumably that will rely on the bug finder preferring to receive a few hundred pounds from the vulnerable organisation, rather than attempting to extort them for a few million.

So what's the solution?

It can't be simply to remove all vulnerabilities; that's impossible without unplugging all the computers and bolting the doors. And even then you can bet there'll be a determined hacker hiding in the stationery cupboard, and a malicious or plain incompetent insider leaving briefcases in taxis or faxing confidential data to everyone but the intended recipient.

In fact, the impossibility of guaranteeing security has seen some senior people choose to leave the industry.

"The general feeling of unease is quite sickening," said a security analyst in the finance sector who preferred not to be named.

"I know a guy who used to be a CISO and in the end he had to give it up because he said he couldn't get anybody to believe that he and his team weren't doing a good job. No matter how much he looked and how much money he spent, he could never guarantee that [a serious breach wouldn't happen] and he just said: 'I can't do that, I can't live like that, it's too stressful.'"

More likely, the solution will come from the regulators themselves, most of whom will probably prove reluctant to use the full force of the fines available, at least at first.

Some leeway will have to be given to firms that are at least on the way to compliance, and that can show they have a plan for reaching full compliance with the law. That should leave the hacktivists and extortionists empty-handed.

But significant negligence or plain incompetence will be met with record fines, and for that reason the GDPR itself can be viewed as arguably the biggest threat of 2018.