New cyber laws will open up businesses to hacker blackmail
CYBER experts fear high-tech criminals will turn the authorities against everyday businesses – by hacking into their systems and then reporting the data breach unless a ransom is paid.
New laws called the General Data Protection Regulation (GDPR) come into force on May 25. Experts say it will be a game-changer as cyber extortion, or the kidnapping of personal data, is becoming one of the most lucrative tactics for hackers.
Hackers could extract personal information from a company and then give the business the opportunity to pay a ransom. If the ransom is not paid, the breach is reported anonymously to the Data Protection Office, bringing the threat of large fines and regulatory nightmares.
Irish businesses need to protect themselves from an impending wave of cyber extortion as a result of this, according to cyber security expert James Canty, of Magnet Networks. “After several years of cyber crime attacks, from May onwards we will now have GDPR legislation punishable by law if your business doesn’t have adequate controls in place to protect any PII [personally identifiable information] it may be holding,” he said.
“This presents an opportunity for the ‘ordinary cyber criminal’ to obtain PII from a business and demand a ransom for not letting the authorities know they easily obtained your information.”
Businesses targeted in this way receive an email with the sort of information the hackers have been able to extract. “The demand would state that the appropriate protections are not in place in the company and that information was easily extracted,” said Mr Canty.
“The business will then be faced with three options – paying an extortion fee, taking the risk the criminals will report the stolen data anonymously to the Data Protection Officer, or self-declaring the data breach within 48 hours. Either of the latter two options will involve inspections, fines and a large amount of regulatory work.”
“Companies need to have a next-generation firewall along with advanced endpoint protection and local real-time analysis on each machine,” he added.