Posted by Geraldine Hunt on Wed, Jun 27th, 2018
The General Data Protection Regulation (GDPR) has been in existence for a month now and many companies are still scrambling to meet the newly required set of compliance regulations despite a five-year preparatory window. Newly legislated regulations always bring added costs and management initiatives. However, they also bring newfound opportunities for informed professionals, entrepreneurs, and hackers. As C-level managers go about discerning the impact of GDPR on their organization, other individuals are evaluating ways to benefit from it financially.
The Data Protection Officer
If you go to Indeed.co.uk and search for “Data Protection Officer”, you will find over 3,000 job listings in England alone. That is because DPO job listings on the Indeed job search site have increased by more than 700 percent over the past 18 months. If you have the knowledge base and skills outlined for this position, then times are good. In fact, they are more than good. Article 37 of the GDPR requires companies that collect or process the personal data of EU citizens to appoint a Data Protection Officer. According to the International Association of Privacy Professionals (IAPP), more than 28,000 DPOs will be needed in Europe and the U.S. and as many as 75,000 worldwide. Demand is especially high in industries such as digital marketing, finance, healthcare, and retail. Large tech corporations such as Microsoft, Twitter, Facebook, and Airbnb are clamoring for DPOs. According to ITJobsWatch, the average salary for GDPR-related jobs, which includes DPOs, is as high as EUR 71,584 a year. The DPO position is drawing a global median salary of $106,500. In the U.S., a DPO can garner salaries as high as $150,000. Candidates who are Certified Information Professionals (CIP) garner the highest salaries as well as bonuses.
Article 37 does not elaborate on the exact credentials a DPO must carry, other than that the level of expert knowledge “should be determined in particular according to the data processing operations carried out and the protection required for the personal data processed by the controller or the processor.” GDPR Article 37 does provide insight into some of the responsibilities of the DPO:
- Educating the controller or processor and its employees about their GDPR compliance obligations, as well as training data processing staff in proper cybersecurity hygiene
- Monitoring GDPR compliance, conducting audits, and addressing potential issues proactively
- Serving as the point of contact between the organization and the GDPR supervisory authority
- Serving as the point of contact for inquiries from data subjects concerning their personal data and how it is used, data protection practices, and their personal rights
- Maintaining comprehensive records of all data processing activities
Hacking Opportunities
One aspect of GDPR that is on the minds of C-level managers is the potential fines that can be levied when a company fails to exercise due diligence in preventing, or responding to, a breach of third-party personal data. Under GDPR, companies can be fined as much as 4% of annual global turnover or €20 million (whichever is greater) for the most serious infringements. A lower tier levies a fine of 2% for lesser infractions. While the public at large feels that such fines should be substantial in order to motivate companies to take their obligations to protect personal data seriously, the mammoth scale of these potential fines opens the door of opportunity for the hacking community.
Companies will be encouraged to conduct regular penetration tests by experienced white-hat hackers who can provide insight into how a malicious perpetrator could breach their data storage infrastructure. On the other end of the spectrum, hackers with malevolent intentions will recognize the opportunity to target GDPR-compliant companies. Hackers will breach companies and steal data only to charge management an extortion fee to keep the breach quiet, betting that management would rather pay than risk punitive fines that could escalate into the tens of millions of dollars. Just as with ransomware, cybercriminals will figure out the sweet spot at which companies will willingly pay the hush money.
Imagine the potential fines concerning breaches we have witnessed in recent years such as Equifax and Yahoo. We have also seen companies like Uber work cooperatively with hackers in order to cover up the breach and make it go away.
The Uber hack is the perfect example of how hackers could operate under GDPR. The hackers blackmailed Uber; it is reported that Uber paid £750,000 to keep the breach, in which the data of over 57 million customers was stolen, a secret. Under GDPR, Uber would have breached the regulations. A lot of the media attention around GDPR has focused on the potential fines (2-4% of global turnover) but less so on the strict reporting requirements set out by the ICO. The opportunity for hackers to attempt these types of quick payoffs will prove very enticing.
Multi-Layered Security is the Answer
No company can protect its data from every possible attack, nor can it guarantee the security of its hosted data. What it can do is perform its due diligence by implementing a multi-layer security plan, including the vital DNS layer of protection, to combat likely attacks. Two of the most effective tools in an enterprise security arsenal are email and web content filtering solutions. Email continues to be the primary delivery method hackers use to launch their attacks and penetrate a targeted enterprise. The web is a close second, with hackers hosting their own malware deployment sites or infecting legitimate sites with malicious code. A robust enterprise-grade firewall is essential, along with activated local firewalls on all of your devices, which should also be protected by some form of endpoint security solution.
Opportunities present themselves in many forms. Both cybersecurity professionals and hackers alike will find potential rewards with GDPR.