© 2019 SourceMedia. All rights reserved.

Avoiding threats and complications arising from stringent GDPR provisions

Cyberattacks have been running rampant. Unfortunately, even large organizations have been remiss in taking precautions to safeguard user data. Security breaches that stole data from companies like Equifax and Facebook expose users to a slew of other possible risks, including fraud and identity theft. Companies have also rarely been held accountable for such breaches, until now.

Regulations like the European Union's General Data Protection Regulation (GDPR) change this. The new rules oblige businesses of all sizes to ensure that they protect user data at all times. Non-compliance could result in serious consequences. Under the GDPR, companies found non-compliant with the regulation can be fined up to €20 million or 4 percent of annual global turnover, whichever is higher.

However, while these regulations should be a welcome development for users, they also put significant pressure on companies to work on compliance. Before the GDPR took effect last May, about half of the companies surveyed said that they were not ready for compliance.

Employees read a ransomware demand for the payment of $300 worth of bitcoin on company computers infected by the 'Petya' software virus inside a retail store in Kiev, Ukraine, on Wednesday, June 28, 2017. The cyberattack similar to WannaCry began in Ukraine Tuesday, infecting computer networks and demanding $300 in cryptocurrency to unlock their systems before spreading to different parts of the world. Photographer: Vincent Mundy/Bloomberg

What makes this worse for companies is that cybercriminals are now incorporating the GDPR into their modus operandi. Enterprising criminals use the threat of reporting a business for GDPR violations and non-compliance against it. Given the gravity of the fines, attackers are hoping that businesses will pay the ransom in order to avoid scrutiny. Companies in Bulgaria have already reported receiving such threats.

Still, compliance is a must for all organizations. Their efforts must also be able to mitigate these new risks. Fortunately, businesses can prevent such issues from arising as they work towards data protection readiness.

Investing in security

Potential GDPR-based attacks are not only made possible by non-compliance but also by lax security. Vulnerable infrastructure exposes companies to attacks including cyber-vandalism where hackers could deface websites to make them non-compliant. So, companies should be investing in security to minimize these risks. Yet, companies are still in the habit of neglecting fundamental preventive measures.

Hackers often breach networks through vulnerable endpoints, typically by exploiting outdated and unpatched software and firmware. For companies, using endpoint management solutions such as Cloud Management Suite (CMS) could prevent exploit-based breaches from occurring. These solutions can automatically patch client computers to the latest versions of operating systems, drivers, and applications to plug known vulnerabilities. CMS can even deploy firmware updates to Internet-of-Things (IoT) devices, which are becoming a new attack vector for hackers.

Adopting web application firewalls like those offered by Incapsula and Sucuri could also help prevent malicious traffic from reaching websites and services. Employing such measures helps companies deter not only breach attempts but also the initial probes that scan networks for vulnerabilities in the first place.

Performing comprehensive audits

Successful compliance efforts hinge on having a comprehensive and accurate inventory of all things related to data. Companies must audit the following to see how they fare against the rules:

Customer data. Companies must check that they are storing customer data and its backups in secure locations. They must also check that they have consent from the users whose information they keep. Proof of consent includes information such as the date, time, and the channel through which consent was given. If they lack such proof, they must make the effort to obtain consent again.

Third-party processors. The GDPR considers third parties such as analytics, payments, and cloud services to be data processors. Companies must verify that the processors they use also conform to the GDPR and that these services have robust security measures protecting the data companies pass on to them.

Customer-facing channels. The GDPR mandates that users' consent must be given explicitly and willingly. Using pre-ticked check boxes or simply placing consent clauses in terms and conditions is not considered compliant. As such, customer-facing channels must be reviewed to make sure that consent is actually given when users are asked to provide their information.
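As an added illustration of the "Customer data" and "Customer-facing channels" audit items above (this is example code written for this page, not code from the article or from any product it names), the script below checks a set of stored consent records for the proof the text describes: a date and time, a channel, and an affirmative opt-in rather than a pre-ticked box or a clause buried in the terms and conditions. Users whose records fail any check are listed for re-consent. The record layout, the channel names and the sample records are assumptions constructed for the example.

```python
# Added example: auditing consent records for the proof of consent described
# in the article. Record layout and channel names are assumptions for
# illustration, not any product's schema.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Channels where consent is only implied rather than actively given.
# Assumed names; a real system would use its own identifiers.
IMPLIED_CONSENT_CHANNELS = {"terms-and-conditions", "preticked-checkbox"}


@dataclass
class ConsentRecord:
    user_id: str
    purpose: str                   # what the data is used for
    given_at: Optional[datetime]   # date and time consent was captured
    channel: Optional[str]         # where it was captured
    explicit_opt_in: bool          # user performed an affirmative action


def check_record(rec: ConsentRecord) -> List[str]:
    """Return the reasons a record fails as proof of consent (empty list = valid)."""
    reasons: List[str] = []
    if rec.given_at is None:
        reasons.append("missing date/time of consent")
    elif rec.given_at.tzinfo is None:
        # A naive timestamp cannot establish precisely when consent was given.
        reasons.append("timestamp lacks timezone; cannot establish when consent was given")
    if not rec.channel:
        reasons.append("missing channel")
    elif rec.channel in IMPLIED_CONSENT_CHANNELS:
        reasons.append(f"channel '{rec.channel}' does not capture explicit consent")
    if not rec.explicit_opt_in:
        reasons.append("no affirmative opt-in action recorded")
    return reasons


def audit_consent(records: List[ConsentRecord]) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split records into users with valid proof and users who must be asked again."""
    valid: List[str] = []
    reconsent: Dict[str, List[str]] = {}
    for rec in records:
        reasons = check_record(rec)
        if reasons:
            reconsent[rec.user_id] = reasons
        else:
            valid.append(rec.user_id)
    return valid, reconsent


# Constructed sample records for the demonstration, not real user data.
SAMPLE_RECORDS = [
    ConsentRecord("u1", "newsletter", datetime(2018, 6, 1, 9, 30, tzinfo=timezone.utc), "signup-form", True),
    ConsentRecord("u2", "newsletter", None, "signup-form", True),
    ConsentRecord("u3", "analytics", datetime(2018, 6, 2, 12, 0, tzinfo=timezone.utc), "preticked-checkbox", False),
    ConsentRecord("u4", "marketing", datetime(2018, 6, 3, 8, 0, tzinfo=timezone.utc), "terms-and-conditions", True),
    ConsentRecord("u5", "marketing", datetime(2018, 6, 3, 8, 0), "signup-form", True),
]

if __name__ == "__main__":
    ok, redo = audit_consent(SAMPLE_RECORDS)
    print("valid proof of consent:", ok)
    for user, reasons in redo.items():
        print(f"re-obtain consent from {user}: {'; '.join(reasons)}")
```

Only the first sample record passes; the others are flagged for a missing timestamp, a pre-ticked box with no affirmative action, consent buried in the terms and conditions, or a timestamp that cannot be placed in time. The same checks can be run over an exported consent table during the audit to produce the re-consent list the text calls for.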

Making protection central to business activities

Once companies have an accurate picture of how they fare against the provisions, they must then work towards implementing measures to ensure compliance. Knowing what they lack allows organizations to make the necessary changes. Incorporating consent into all aspects of the user experience is crucial moving forward.

Aside from working on these essential aspects, organizations must also keep a vigilant eye out for threats. Cybercriminals are getting creative, taking the very provisions that seek to protect ordinary users and turning them against companies. Fortunately, there are solutions available that could help mitigate and minimize the chances of such malicious acts succeeding.

It would greatly benefit everyone concerned if organizations put security and protection at the center of their business activities. They must guarantee that data is protected as it flows through their channels. It is always better to be safe than sorry.
