Skip to main content

How GDPR influences the behaviour of cybercriminals and the tactics they use

(Image credit: Pixabay.com)

Since the General Data Protection Regulation (GDPR) came into force, it has had a significant impact not only on how companies collect and use data, but on how they protect it. GDPR has shaped not only cybersecurity in Europe, but the business world at large, and as threats continue to advance, we look at how GDPR has shaped cybercriminal behavior. Cybersecurity has become an increasing priority at a C-Suite level as GDPR holds companies accountable for keeping individuals' personal information safe. According to the government’s Cyber Security Breaches Survey 2020, almost half of businesses (46 per cent) and more than a quarter of charities (26 percent) have reported experiencing cybersecurity breaches or attacks in the last 12 months.

Cyber threats are becoming more targeted, better implemented, and much more complex. Business leaders understand the importance of cybersecurity, especially as digitalization became more paramount to business success during Covid-19. However, with stretched IT departments and limited expert employees, there’s plenty of opportunities for cybercriminals to take advantage of any gaps in an organization’s armor.

As businesses scrambled to meet the initial GDPR deadline, many saw it as a box-ticking exercise. But data privacy does not mean your business is cyber secure – and cybercriminals can take advantage of the false sense of security that businesses may feel.

The value of data has never been more apparent. Since the GDPR came into effect, there has been a major shift in the way that data is regarded, utilized and protected. This is highlighted in recent high-profile data breaches, such as EasyJet discovering the personal details of nine million customers were accessed, or more recently the hack of high-profile accounts on Twitter. It’s clear that companies who are regularly trusted with sensitive personal data are successfully targeted by hackers – GDPR or no GDPR.

Getting tougher on GDPR

As high-profile leaks and breaches continue to make the news, we are likely to see authorities across the EU get tougher on GDPR violations and data breaches in the coming year. The penalties are real, and they are significant. Organizations need to take recent cases as a wake-up call to address their data security and privacy compliance. From a reputation protection standpoint, being in the spotlight for data protection transgressions and data breaches is not at all good for business – and during this critical time business leaders simply cannot afford for anything that might further impact the bottom-line. Pressure may be mounting on business leaders to cut costs and make savings – but security spend needs to be ringfenced, as cybercriminals are certainly not cutting their budgets to limit the impacts of the global pandemic.

One thing to note is that in some ways, the reporting of breaches can aid a cybercriminal. Contained within an incident report are often indicators and vectors of compromise offering other potential attackers’ important feedback on the nature and efficacy of a given attack method.

With the unprecedented shift from office to remote work due to Covid-19, businesses must review their remote work policies for data protection as well as security. They should be prepared for a variety of different work environments as most office-based employees are working from home and accessing password-protected business accounts outside of the office. Opportunistic cyber attackers are on high alert to take advantage, meaning users need to be even more careful with their passwords than usual. Businesses also need to play their part to ensure robust cyber hygiene is in place and that individuals remain vigilant.

This begins with security awareness training and ensuring that strong password policies are in place. In addition, it is vital that staff and funding are dedicated to the enforcement of GDPR and that roles and responsibilities are clearly defined. Practice runs or ‘wargames’ of what an organization would do in the event of a breach should be commonplace and right now is absolutely the best time to review those plans to take account for the unprecedented shift in where people are working from and on what devices/networks.

Maintaining trust

In this age of digital transformation and globalization, new innovations always introduce new risk, and cybercriminals are constantly coming up with advanced strategies to defraud and damage institutions and organizations. However, training goes a long way to reduce that risk. The growing field of preventive cybersecurity education (security awareness training) is highly effective at reducing security incidents related to social engineering, such as phishing, which are often the starting point for serious breaches. As the first line of defense, trained individuals help protect sensitive data, intellectual property, and the viability of the organization itself. Statistics coming out of the Irish Data Protection Commission (DPC) point to as many as 83% of reported data breaches could be due to human error or lack of GDPR awareness.

To maintain trust and protect reputations, a multi-layered security strategy is needed which also incorporates transparency. Businesses should maintain an open and constructive dialogue with customers to educate them on how their data is being used and protected, and GDPR should serve as a reminder to ensure that their processes stand up to scrutiny. Businesses should be mindful of not just the ever-growing number of vulnerabilities, but also of the cybersecurity threats that are being leveraged at any given time. Rather than view data protection as a box-ticking exercise, it should be a key priority and integrated into every aspect of a robust cyber resilience strategy. Cybercriminals are increasing their resources during the pandemic, so cybersecurity budgets must be a top priority, and it’s crucial to make sure the network is strongly defended to prevent ransomware attacks and avoid GDPR violations.

Nick Emanuel, Director of Product, Webroot, an OpenText company