Corporate Compliance Insights

What if WannaCry Happened in the GDPR Era?

by Jason Allaway
June 13, 2017
in Data Privacy, Featured

Mitigating Risk to Enhance Data Security

In this article, Jason Allaway, RES Area VP for the U.K. and Ireland, reveals what the true cost of a ransomware attack like WannaCry will be in the GDPR era. As many organizations struggle to prepare for the upcoming regulation, Jason shares the three pillars of risk that must be integrated into organizations’ GDPR strategies to protect and secure sensitive data without hindering productivity.

Over the last few weeks, there have been numerous news stories around the WannaCry ransomware attack and the disruption it has produced. WannaCry has caused major issues and compromised personal data around the world in a very short period of time. It was reported that more than 200,000 computers were hijacked in more than 150 countries, with victims including hospitals, banks, telecommunications companies and warehouses.

Today, data is worth a lot of money, and cybercriminals know it. This is one of the key reasons the EU has established requirements to do more to protect data from breaches with the impending GDPR legislation. In fact, the GDPR compliance deadline of May 25, 2018, is less than one year away.

What if WannaCry Was Released on May 25, 2018?

Nobody can be sure what will happen after something like WannaCry strikes once the GDPR compliance deadline passes. It is inevitable that there will be a breach at some point after the deadline, and it is assumed the governing bodies would jump into action. Based on the EU’s regulations, an investigation will begin to determine whether the organization met all the requirements and took the appropriate measures to secure the data.

For example, if an organization that experienced a data hijacking from malware was found to be out of compliance with GDPR, the consequences would be steep. There could be many reasons for noncompliance: maybe they didn’t have the right processes in place or they didn’t have a way to enforce their policies. Or maybe they didn’t report the breach within the 72-hour requirement. No matter where they fall short, it’s likely the organization will be made an example of – and it will be expensive.

GDPR has set forth some hefty fines of between €10 million and €20 million, or up to 4 percent of a company’s total worldwide annual revenue. That is on top of the reputational damage and any disruption the organization already experienced from the breach itself. In the case of an attack like WannaCry, organizations would be hit hard on multiple fronts. The prospect of compliance fines on top of the breach means that organizations must take their approach to increasing data protection very seriously, and they must act quickly.

The 3 Pillars of Risk

There has been no shortage of commentary and advice on how to protect and lock down systems and on what organizations should have done to ensure they were protected from ransomware like WannaCry. However, one thing not being discussed is the amount of compliance risk that something like WannaCry presents. Because a ransomware attack can cause this much disruption on such a large scale, it must be part of an organization’s GDPR strategy. To be effective, every organization should evaluate its level of risk across three key areas: technology, people and processes.

Technology

In an ideal world, organizations have the latest technology, updated with the latest patches and security fixes. The perimeter and the internal entry points would be secured without compromising user productivity. Technology would also enforce policies so users do not open or read files or websites from unknown senders. In this secure world, risk is mitigated through technology. But many organizations are still running legacy systems because they are “good enough,” or they haven’t implemented modern technology yet due to a lack of resources (budget, time, etc.).

People

People will follow human nature, at times doing things that do not follow the rules. For example, how many times have people driven over the speed limit to get somewhere faster? Despite the uncertainty of being caught and the knowledge that it is illegal, people still do it. It is human nature to do what is necessary to get where we are going. The same goes for the workplace: users want to be productive, have a consumer-like experience and get their needs fulfilled immediately, or they will go around IT, resulting in shadow IT.

Processes

There are many processes that must be put in place to mitigate risk around GDPR. One example of a poorly defined or poorly enforced process is how users manage their files – everything from deleting to locking them. How many files are encrypted or contain personal information? Is data stored where it shouldn’t be? It is safe to assume there are many people who – although without malicious intent – store data in unsecured locations outside of the core network because it is simply easier to access and manage. And that is just one example of how a process that is not well defined or enforced can lead to risk.

Mitigating Risk as the Cornerstone of GDPR Strategy

An organization’s GDPR strategy should address risk in all three of those areas: technology, people and processes. Organizations must not only ensure employees can carry out their jobs without disruption, but also enforce the processes and rules that apply based on the context of the user (who they are, where they are, what device they are using, etc.). They must then decide whether the action the user is attempting is unusual or outside the rules. If controls are implemented correctly and automated, an organization will end up with an environment that is both productive and secure.

When it comes to GDPR, the largest mountain to climb is mitigating risk around people and processes without hindering productivity. Organizations need to make sure processes are strong and complete enough to meet GDPR requirements, but flexible enough to let people still do their jobs. If not, workers will go around the system and open the organization up to even more risk. With self-service, context-aware technologies, and by automating the rules around processes, organizations can use technology to set boundaries (where files can be saved, automatic encryption, preventing rogue or unauthorized applications with whitelisting, etc.) and protect the infrastructure and data from vulnerabilities.
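The context-aware enforcement described above, as an added example that is not code from the article or from RES: a small policy evaluator that takes a user's context (who, where, which device, which application) and a file-save action, and applies the boundaries the article lists (approved save locations, automatic encryption, an application allowlist, flagging actions that are unusual for the role). All user names, shares, roles and the `contains_pii` classification are assumed, constructed values.

```python
"""Context-aware policy check for file saves (added example, not from the
article or RES): rules keyed on who/where/which device, with boundaries on
save location, automatic encryption and app allowlisting. All values constructed."""
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    ALLOW = "allow"
    ALLOW_ENCRYPT = "allow, encrypt at rest"  # automatic-encryption boundary
    FLAG = "allow, flag as unusual"           # outside the role's norm
    DENY = "deny"

@dataclass(frozen=True)
class Context:
    user: str
    role: str             # "hr", "finance", "engineering"
    location: str         # "office" or "remote"
    device_managed: bool  # corporate-managed endpoint?
    app: str              # application performing the save

@dataclass(frozen=True)
class SaveAction:
    target: str           # "//server/share/..." or a local path
    contains_pii: bool    # from an upstream classifier (assumed to exist)

# Constructed policy tables (hypothetical values).
ALLOWED_APPS = {"word", "excel", "hrportal"}
PII_SHARES = {"//corp/hr-secure", "//corp/finance-secure"}
ROLE_SHARES = {
    "hr": {"//corp/hr-secure", "//corp/shared"},
    "finance": {"//corp/finance-secure", "//corp/shared"},
    "engineering": {"//corp/shared", "local"},
}

def share_of(path: str) -> str:  # reduce a path to '//server/share' or 'local'
    return "/".join(path.split("/")[:4]) if path.startswith("//") else "local"

def evaluate(ctx: Context, action: SaveAction) -> Verdict:
    share = share_of(action.target)
    if ctx.app not in ALLOWED_APPS:                      # application allowlist
        return Verdict.DENY
    if action.contains_pii and not ctx.device_managed:   # device boundary
        return Verdict.DENY
    if action.contains_pii and share not in PII_SHARES:  # location boundary
        return Verdict.DENY
    if share not in ROLE_SHARES.get(ctx.role, set()):    # unusual for the role
        return Verdict.FLAG
    if action.contains_pii or ctx.location == "remote":  # force encryption
        return Verdict.ALLOW_ENCRYPT
    return Verdict.ALLOW
```

Rules are ordered from hard denials (unauthorized app, unmanaged device, wrong location for personal data) to softer outcomes (flag, encrypt, allow), so the most restrictive applicable boundary always wins.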

This piece was originally shared on RES’s “RES*OLUTION blog” and is republished here with permission.


Tags: cyber crime, GDPR, ransomware
Jason Allaway

Jason Allaway is Area VP for the U.K. and Ireland. As a registered GDPR data protection officer, he helps customers move their compliance strategy forward, mitigate risk and solve complex enterprise IT challenges.
