Posted by Nigel Wright, managing director of Legal Futures Associate ConvergeTS
You’ve heard about ransomware – a hacker infiltrates your IT systems, locking them down until you pay a ransom. Some studies now estimate that over 50% of businesses have experienced this type of attack in the last year, and it’s particularly prevalent within the legal sector.
Previously, firms could protect themselves by having a solid disaster recovery plan in place to ensure they could get back up and running in the event of a disruption. However, the General Data Protection Regulation (GDPR) – the new EU-wide regime which comes into effect on 25 May 2018, irrespective of Brexit – means that this approach alone is no longer adequate and security measures must be strengthened to prevent attacks.
Ransomware is evolving: hackers now take copies of data at the point at which they lock systems down – a practice the industry has dubbed ‘datanapping’. Being able to get your systems back quickly is irrelevant to the hacker; they already have your data and will threaten to release it publicly if you don’t pay up.
Rather than keeping it quiet when they’ve been a victim of such an attack, GDPR means businesses will have to report data breaches to the supervisory authority, with more severe penalties levied if they fail to do so. And with the added threat of data being released to the public, there’s the reputational damage along with the inevitable compensation claims from those affected.
Nowadays, little or no technical knowledge is required to launch an attack and the risk of getting caught is low as ransom payments are made in bitcoins, meaning they’re untraceable. Thousands of cyber-attacks are unleashed on UK businesses every day and GDPR only makes this a more attractive way for criminals to make money.
With significantly higher fines and stricter regulations, GDPR gives criminals power they didn’t possess previously as businesses are more likely to pay the ransom to avoid large fines if sensitive data is released online.
Cyber criminals are acutely aware of the potential negative impact on a firm’s reputation if data is released and will use this to demand a higher ransom. If your firm decides to pay out, it will rarely be a one-off, so you’ll need to fix your security vulnerabilities fast. It’s easy to see how this becomes a recurring cycle of paying up again and again, with hackers returning every few months for more.
But carrying out security investigations to fix issues as they arise can become much like plugging holes in a sieve and be quite costly in the long run.
Firms now have just over a year to ensure their systems are robust enough to meet their data security obligations. A business cannot outsource its responsibilities under GDPR, meaning the culture and mindset around how data is treated has to be modernised and law firm managers must take responsibility for ensuring data is safe. An external audit of a firm’s infrastructure and network security is the first step in assessing whether the appropriate measures are being taken to protect data.
The good news is that GDPR is likely to be the much-needed catalyst for change, forcing firms to focus on preventing security attacks rather than recovering from them. The outcome is that our data is likely to be much safer as a result.