Ransomware And GDPR

How to Fight Ransomware With the GDPR

WannaCry, Petya or Fusob – ransomware is software that blocks access to a user’s data and threatens to publish or delete that data unless the victim pays a ransom. For most people, ransomware is a malicious trend that brings chaos into their lives. People and corporations around the world are looking for guidance in the face of possible disaster. We propose that the General Data Protection Regulation (GDPR) can take on both a cautionary and a protective role.

How Ransomware Works

Hackers today have sophisticated tricks up their sleeve. Various social engineering tactics have become popular for extracting administrator passwords from unsuspecting users. Those admin passwords allow hackers to go deep inside networks and carry out their attacks without resistance.

WannaCry taught us that users are fundamentally unreliable. When your colleagues receive a Word document, for instance, they are eager to open it. There could be important information inside, after all! But when the text appears illegible, they will gladly run an attached macro to fix it. All because of their human curiosity.

GDPR’s Big Stick Ideology

Ransomware keeps your data hostage, but intact. So does the GDPR apply? In other words, does ransomware lead to the ‘accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’?

The answer is clear: Yes.

And that changes things. In the UK, for instance, the Information Commissioner’s Office (ICO) can currently fine a maximum of £500,000 per data breach. Once the GDPR is enforced, the ICO will have the right to impose fines of up to 4% of the annual worldwide turnover of the company. Ouch.

Emily Carter and Jonathan Blunden claim in their article that, according to a Cyber Security Breaches Survey, 46% of British businesses suffered a data security breach in 2016. That proportion rose to two-thirds among medium and large companies. Suffice it to say that your company’s data and network security had better be spotless once the GDPR is in effect.

3 Constructive Data Policy Guidelines

Punishment is easy. Any good captain, however, also carries a carrot. The GDPR imposes large fines, but it also forces companies to take IT security policies more seriously: policies that clearly define what you can and cannot do with personal data. Follow our 3 basic guidelines to strengthen your data policy instantly.

1. Limit admin rights

Giving admin rights to untrained users has become a huge risk. Users don’t need admin rights to write, calculate or even check the status of their virtual machines. Admin rights are only necessary to change things. Every normal user should log in with standard user rights.

2. Monitor your admins’ behavior

Malware could be posing as one of your admins. A tool that grants temporary administrator rights gives an admin elevated privileges for a limited time only. Yes, at first the admins will complain that they cannot do their work properly. But once you remind them of the dangers of ransomware, they should support a system of checks and balances.
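Temporary admin rights are only a control if someone checks that they are actually temporary. The following added example (not code from the original article or from SoftwareONE) assumes a hypothetical just-in-time elevation tool that writes one line per GRANT and REVOKE; the log format, the approved-admin list and the sample lines are all constructed. The audit flags grants to accounts outside the approved list, grants whose requested TTL exceeds policy, rights held past their TTL, and grants that were never revoked.

```python
"""Audit a (constructed) log of temporary admin-rights grants.

Added example, not code from the original article or from SoftwareONE.
Assumes a hypothetical elevation tool that logs lines of the form
  <ISO timestamp> GRANT user=<u> host=<h> ttl=<n>m
  <ISO timestamp> REVOKE user=<u> host=<h>
"""
import re
from datetime import datetime, timedelta
from typing import Iterator, List, Optional, Tuple

APPROVED_ADMINS = {"alice", "bob"}      # constructed: accounts allowed to elevate
MAX_TTL = timedelta(hours=2)            # constructed policy: no grant longer than 2h

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>GRANT|REVOKE) user=(?P<user>\S+) host=(?P<host>\S+)"
    r"(?: ttl=(?P<ttl>\d+)m)?$"
)

# Constructed sample log; deliberately out of order to show that the audit sorts it.
SAMPLE_LOG = """\
2021-08-16T08:00:00 GRANT user=alice host=srv01 ttl=60m
2021-08-16T08:45:00 REVOKE user=alice host=srv01
2021-08-16T09:00:00 GRANT user=bob host=srv02 ttl=60m
2021-08-16T11:30:00 REVOKE user=bob host=srv02
2021-08-16T10:00:00 GRANT user=mallory host=srv03 ttl=30m
2021-08-16T10:20:00 REVOKE user=mallory host=srv03
2021-08-16T12:00:00 GRANT user=alice host=srv04 ttl=480m
"""

Record = Tuple[datetime, str, str, str, Optional[int]]


def parse(log_text: str) -> Iterator[Record]:
    """Yield (timestamp, event, user, host, ttl_minutes) per line; reject malformed lines."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            raise ValueError(f"malformed log line: {line!r}")
        d = m.groupdict()
        ttl = int(d["ttl"]) if d["ttl"] else None
        yield datetime.fromisoformat(d["ts"]), d["event"], d["user"], d["host"], ttl


def audit(log_text: str, now: datetime) -> List[str]:
    """Return human-readable findings for the grants in log_text, as seen at time `now`."""
    open_grants = {}  # (user, host) -> (granted_at, ttl)
    findings: List[str] = []
    for ts, event, user, host, ttl in sorted(parse(log_text), key=lambda r: r[0]):
        key = (user, host)
        if event == "GRANT":
            ttl_td = timedelta(minutes=ttl or 0)
            if user not in APPROVED_ADMINS:
                findings.append(f"{user}@{host}: grant to account outside approved admin list")
            if ttl_td > MAX_TTL:
                findings.append(f"{user}@{host}: ttl {ttl}m exceeds policy maximum "
                                f"{int(MAX_TTL.total_seconds() // 60)}m")
            open_grants[key] = (ts, ttl_td)
        else:  # REVOKE
            granted_at, ttl_td = open_grants.pop(key, (None, None))
            if granted_at is None:
                findings.append(f"{user}@{host}: revoke without matching grant")
            elif ts - granted_at > ttl_td:
                held = int((ts - granted_at).total_seconds() // 60)
                findings.append(f"{user}@{host}: rights held {held}m, ttl was "
                                f"{int(ttl_td.total_seconds() // 60)}m")
    # Anything still open at audit time: expired-but-not-revoked is the dangerous case.
    for (user, host), (granted_at, ttl_td) in open_grants.items():
        if now - granted_at > ttl_td:
            findings.append(f"{user}@{host}: grant expired but never revoked")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, datetime(2021, 8, 17, 0, 0, 0)):
        print(finding)
```

Run against the sample, the audit reports mallory's grant (not an approved admin), bob holding rights for 150 minutes on a 60-minute grant, and alice's 480-minute grant on srv04 both exceeding policy and never being revoked. In practice the same check would read the real tool's log or the directory's group-membership events.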

3. Use multifactor authentication

Two-factor and multi-factor authentication are amongst the most important tools to secure your admins’ rights. In essence, you combine something that you know (e.g. a password) with something that you have (e.g. a smartphone) to form a unique login. A small effort that drastically improves security.

Respect Both Sides of the GDPR

Implementing our 3 guidelines will make your job as an IT professional less stressful, without causing havoc in your budget. But what happens if you don’t have access to the necessary resources? The GDPR is, once again, on your side. Convince the decision-makers in your company by drawing attention to the huge fines and by selling the comfort of protection.

Secure Your Users and Your Cloud

SoftwareONE’s Managed Security services provide proactive protection from today’s security threats while enhancing compliance.



Blog Editorial Team

Trend Scouts

IT Trends and industry-relevant novelties
