Page 51 - the SyI Quarterly 15
concerned - and the public at large. Such publicity inevitably has a negative impact on the reputation of any organisation, potentially incurring fines for inadequate security measures in the storage of personal data, bringing a flood of complaints from unsuspecting affected parties, and even resulting in lawsuits from individuals.

Things get more complicated when hackers proceed with a triple extortion. This is a scenario where, if the victim does not succumb, the hackers now target the affected individuals themselves, since they have their personal data, and threaten to reveal personal details. If this data is sensitive, the extortion success rates increase.

If organisations do their homework, i.e. their risk and threat assessment, they will soon be aware of the consequences they will be facing in case of a successful Ransomware attack. The engagement of sophisticated exploit methods and tools by hackers, often backed by Artificial Intelligence, becomes a real challenge for cybersecurity professionals. Ransomware as a service becomes a notorious service for anyone with ulterior motives to engage such methods to profit. Therefore, in addition to the imperative cybersecurity measures that need to be implemented to protect against and prevent Ransomware attacks, it is recommended that the organisation focuses on increasing its resilience. On the one hand, this will limit the damage after a successful cyber-attack, and on the other hand, it will significantly reduce the time it takes for the organisation to return to normal operations. There are many things that an organisation of any size can and should do. Below are five basic and simple tips to reduce the risk of data breaches and improve resilience:

1. The volume of personal data is a decisive factor, both in the assessment of potential fines and in the organisation’s efforts to identify and inform those individuals affected. Therefore, it is recommended that the amount of personal data retained be kept to a minimum.

2. Encryption is a very important mechanism for the defence of the organisation, which is also recommended by the actual Data Protection Regulations. Therefore, the organisation should encrypt the personal data where possible, including data in backups and databases. Even if the data are exfiltrated, they cannot be used since they are not in readable form.

3. There is often a reluctance to destroy personal data that is no longer needed. Records management policies become of particular importance, as mentioned above, and therefore periodic housekeeping and destruction of personal data that have expired, are inactive, or were previously acquired and kept for no specific purpose is recommended.

4. A simple and well-tested data breach response plan should be in place beforehand, including likely data breach scenarios and the corresponding actions for coordination, notification to authorities, and communication with the individuals affected and other stakeholders to ensure transparency about the incident. It is also of particular importance that the organisation is able to respond to the incident and notify it within 72 hours of the time it comes to its attention, which can be particularly challenging when the breach occurs during holidays and weekends.

5. Finally, many organisations mistakenly fear the cost of an in-depth investigation, not realising that the investigation will allow them to quantify the risk to the individuals and thus avoid unnecessary actions and fines that may sometimes exceed the cost of the investigation. A detailed investigation process at a legal, technical and operational level is considered of particular importance, mandated by the GDPR itself, and expected by competent authorities as part of the principle of accountability following a data breach.

Clearly there is no easy way out for an organisation that has been attacked by Ransomware and has had personal data compromised. The losses in time, resources and reputation can potentially become enormous. The process from the moment the incident is discovered is painstaking and tests the resilience of any organisation of any size to a very high degree.

Drawing lessons from organisations that have been affected by Ransomware attacks internationally invariably forces organisations to up their security game and plan to function in a highly resilient state. Admitting that sooner or later a security incident will occur and disrupt operations helps the executives to invest in resilience. A resilient organisation is one that primarily has the capabilities to respond and the capacity to absorb the consequences of any security incident. Anticipation, preparation, vigilance and coordinated response are elements that increase the capacity of the organisation and remain critical factors for navigating today’s rising digital threats.