Does GDPR Apply to American Companies?

The General Data Protection Regulation (GDPR) is a new data privacy and security law in Europe that comes into force next year, but does GDPR apply to American companies? As many U.S. companies have recently discovered, not only does GDPR apply to American companies, doing business within the EU is likely to be extremely costly for companies that do not comply with GDPR.

Any organization or individual that does business within any of the 28 EU member states (Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Romania, Slovakia, Spain, Sweden and the United Kingdom) must comply with GDPR or face heavy penalties.

The penalty for non-compliance with GDPR for enterprises is up to 20,000,000 Euros ($23,138,200) or 4% of the annual global turnover of the company for the previous fiscal year, whichever is the greatest. An enterprise found not to have complied with GDPR will also be subjected to regular, periodic data protection audits to ensure its policies and procedures are updated and the firm continues to comply with GDPR.

So, what is the regulation and how does GDPR apply to American companies? What do U.S firms need to do to comply with GDPR?

How Does GDPR Apply to American Companies?

The main purpose of GDPR is to give EU citizens greater control over how their personal data is collected, protected and used. While the legislation applies to EU companies, it also applies to any company that chooses to do business in the EU. That includes any online business that owns a website that is accessible by EU citizens if that website collects user data.

Since the definition of personal information includes online identifiers such as cookies, GDPR has implications for huge numbers of U.S businesses. GDPR applies to all companies that do business with persons based in EU member states, with the exception of law enforcement agencies or when data are collected for national security activities.

To continue to do business in the EU, most companies will have to implement additional privacy protections and adopt end-to-end data protection strategies.

The EU classes personal data as “Any information relating to an identified or identifiable natural person,” which includes a wide range of information from names, addresses, telephone numbers and email addresses to bank information and credit card details, photos, posts on social media websites, medical information, and even an individuals IP address.

Even when controls have been implemented to keep data secure, it may still be necessary to overhaul systems to ensure sufficient protections are in place. Companies must be aware where data are stored and employees must be trained to ensure they are aware of their responsibilities with regards to the use of data.

Organizations will need to provide customers – and website visitors – with detailed information on data that are collected and how data will be used. Consent must be obtained before any data are collected and consent must be obtained from a parent or custodian of a minor.

There must be a legitimate and lawful reason for collecting data and limited to the minimum necessary information for the purpose for which data are collected. Data must be deleted when that purpose has been achieved.

Organizations must appoint a Data Protection Officer who is knowledgeable about GDPR and will oversee compliance if their core activities are data collection, storage or data processing. That individual must also have a thorough understanding of the company’s organizational and technical infrastructure.

Organizations also need to implement appropriate policies, procedures and technologies to ensure that the data of EU citizens can be permanently erased. GDPR includes the right to be forgotten – termed ‘Right to Erasure’.

The legislation that GDPR replaces only required data to be deleted when it caused substantial damage or distress. However, from next year, an EU citizen can request that all data collected on them be permanently deleted if the information is no longer needed for the purpose that it was originally collected. Data must also be deleted if consent to use the data is withdrawn or if the processing of data is unlawful and breaches GDPR.

Many U.S. companies already have technologies in place that will comply with the data protection requirements of GDPR, but the right to erasure requirement could pose problems.

Symantec recently conducted a survey that revealed 9 out of 10 businesses were concerned that they would not be able to comply with the right to erasure requirement of GDPR, with only 4 out of 10 businesses already having a system in place that could potentially allow all data to be deleted.

Compliance with GDPR in the United States

A recent survey conducted by PricewaterhouseCoopers on large multinational companies in the United States shows efforts are already underway to ensure compliance with the EU regulation. More than half of surveyed firms said GDPR is now their main data protection priority, with 92% saying compliance with GDPR is a top priority this year.  The cost of compliance is considerable. 77% of surveyed firms said they are planning to spend more than $1 million on GDPR compliance, with one of the main spending priorities being improving their information security defenses.

Many companies are starting to ask how how does GDPR apply to American companies, but a study conducted by NTT Security suggests that three quarters of U.S. businesses are ignoring GDPR because they do not believe the regulation applies to them. Ignorance could prove very costly indeed. Further, time is running out. For many companies, compliance with GDPR will not be a quick process and the deadline is fast approaching. GDPR comes into effect on May 25, 2018. Miss the deadline and fines await.

Further Reading:  Read a more detailed explanation of the GDPR regulations for US companies here.

Law Firm Ransomware Attack Locks Data for Three Months

A law firm ransomware attack has resulted in business files being left encrypted and inaccessible for three months, causing considerable billing losses for the firm.

Why did the law firm not simply pay the ransom demand to regain access to their files? Well, they did. Unfortunately, the attackers took the money and did not supply viable keys to unlock the encrypted files. Instead, they had a much better idea. To issue another ransom demand to try to extort even more money from the law firm.

The law firm, Providence, RI- based Moses Afonso Ryan Ltd, was forced to negotiate with the attackers to gain access to its data. It took more than three months and ransomware payments of $25,000 to finally regain access to its files. However, the ransomware payment represented only a tiny proportion of the cost of the attack. During the three months that data were locked, the firm’s lawyers struggled to work.

Moses Afonso Ryan made a claim against its insurance policy for lost billings as a result of the attack; however, the insurer, Sentinel Insurance Co., has refused to pay the bill. The law firm claims to have lost $700,000 as a result of the attack in lost billings alone. The firm has recently filed a U.S. District Court lawsuit against its insurer claiming breach of contract and bad faith for denying the claim.

The law firm ransomware attack involved a single phishing email being opened by one of the firms’ lawyers. That email has so far cost the firm more than $725,000 and the losses will continue to rise.

Important lessons can be learned from this law firm ransomware attack. First, the importance of training all staff members on the risk of ransomware attacks and teaching security best practices to reduce the risk of attacks being successful.

Since phishing emails are now highly sophisticated and difficult to identify, technical solutions should be implemented to prevent emails from reaching employees’ inboxes. Endpoint protection systems can reduce the risk of ransomware being installed and can detect infections rapidly, limiting the damage caused.

All businesses should take care to segment their networks to ensure that a ransomware infection on a single computer does not result in an entire network being impacted.

It is also essential for backups to be performed regularly and for those backups to be tested to ensure data can be recovered. This law firm cyberattack clearly demonstrated that organizations cannot rely on attackers making good on their promise to unlock data if the ransom is paid.

There have been cases where the attackers have not been able to supply a functional key to unlock data, and numerous examples of attackers issuing further ransom demands in an attempt to extort even more money out of companies.

Healthcare Ransomware Attacks Accounted for 50% of All Security Incidents

Hackers are continuing to attack healthcare organizations, but healthcare ransomware attacks are the biggest cause of security incidents, according to the NTT Security 2017 Global Threat Intelligence Report.

Healthcare ransomware attacks accounted for 50% of all security breaches reported by healthcare organizations between October 2015 and September 2016 and are the largest single cause of security breaches.

However, healthcare is far from the only sector to be targeted. Retail, government, and the business & professional services sector have also suffered many ransomware attacks during the same period. Those four sectors accounted for 77% of global ransomware attacks. The worst affected sector was business & professional services, with 28% of reported ransomware attacks, followed by the government (19%), healthcare (15%) and retail (15%).

NTT Security reports that phishing emails are the most common mechanism for ransomware delivery, being used in 73% of ransomware and malware attacks. Poor choices of password are also commonly exploited to gain access to networks and email accounts. NTT says just 25 passwords were used in 33% of all authentication attempts on its honeypots, while 76% of authentication attempts used a password known to have been implemented in the Mirai botnet.

Zero-day exploits tend to attract considerable media attention, but they are used in relatively few attacks. Web-based attacks have fallen but they still pose a significant threat. The most commonly attacked products were Microsoft Internet Explorer, Adobe Flash Player, and Microsoft Silverlight. Exploit kit activity has fallen throughout the year as cybercriminals have turned to phishing emails to spread malware and ransomware. There was a steady decline in exploit kit attacks throughout the year.

With phishing posing the highest risk, it is essential that organizations ensure they have adequate defenses in place. Phishing attacks are sophisticated and hard to distinguish from genuine emails. Security awareness training is important, but training alone will not prevent some attacks from being successful. It is also important to ensure that training is not just a one time exercise. Regular training sessions should be conducted, highlighting the latest tactics used by cybercriminals and recent threats.

The best form of defense against phishing attacks is to use anti-phishing technologies such as spam filters to prevent phishing emails from reaching end users. The more phishing emails that are blocked, the less reliance organizations place on end users being able to identify phishing emails. Solutions should also be implemented to block users from visiting phishing websites via hyperlinks sent via email.

Cyberattacks on Educational Institutions Increase Sharply

Cyberattacks on educational institutions are occurring at an alarming rate. While the education sector has not been as heavily targeted as the financial services and healthcare in recent years, that is no longer the case. Cybercriminals and state-actors now have the education sector in their crosshairs.

Cybercriminals have realized that cyberattacks on educational institutions can be highly profitable, with this year seeing a sharp rise in attacks.

Schools, colleges and higher education institutions hold vast quantities of data that can be used for fraud and identity theft. As we have already seen this year, cyberattacks on educational institutions are now much more common. The first quarter of the year saw a rise in W-2 phishing attacks, with criminals managing to obtain the tax information of many thousands of staff members. Those data were used to file fraudulent tax returns. Student records can be used for identity theft and can be sold for big bucks on darknet marketplaces. Attacks aimed at obtaining the personal data of students have similarly increased.

Educational institutions also conduct extensive research. The past year has seen a sharp rise in espionage related cyberattacks on educational institutions. Criminals are also conducting attacks to gain access to bank accounts. This year, two major cyberattacks on educational organizations have resulted in bank transfers being made to criminals’ accounts. At the start of the year, a phishing attack on the Cleveland Metropolitan School District resulted in more than $100,000 being obtained by the attackers. Denver Public Schools was also attacked, with the attackers redirecting $40,000 in payroll funds to their own accounts.

The recently published Data Breach Investigation Report from Verizon clearly shows the new attack trend. Over the past year, there have been 455 incidents reported by educational institutions, 73 of which have resulted in the theft of data.

While many industries see cyberattacks conducted for financial reasons, in education, financial gain was only the motive behind 45% of cyberattacks. 43% of attacks involved espionage and 9% of attacks were conducted for fun. Out of all reported data breaches, 26% involved espionage. Last year the percentage was just 5%.

Attacks are coming from all angles – Internal attacks by students; attacks by cybercriminals looking to steal data, and state-sponsored actors looking to steal research. The latter accounted for more than half of data breaches in the past year.

The Verizon report indicates hacking is the biggest threat. 43% of breaches were due to hacks, although social attacks and malware were also common. Verizon reports that almost 44% of breaches involved social and around a third involved malware. Social attacks and malware have increased considerably over the course of the past year. The most common social attack was phishing via email.

As long cyberattacks on educational institutions remain beneficial or profitable, cyberattacks will continue.  Educational institutions therefore need to take steps to improve their security posture. Since social attacks such as phishing are commonplace, and malware infections commonly occur via email, educational institutions need review their email defenses.

Password policies should be introduced to ensure strong passwords are set on email accounts and policies introduced to ensure passwords are regularly changed. Spam filtering solutions should be implemented and all staff and students should receive training on security awareness. Verizon suggests staff and students should be encouraged or rewarded for reporting phishing and pretexting attacks.

Web-Based Attacks Fall: Ransomware Attacks on Businesses Soar

There was some good news in the latest installment of the Symantec Internet Security Threat Report. Web-based attacks have fallen year on year, but ransomware attacks on businesses have sky rocketed. Sabotage and subversion attacks have also risen sharply in the past 12 months.

The Internet Security Threat Report shows that exploit kit and other web-based attacks fell by 30% in 2016, but over the same period, ransomware attacks on businesses increased by 36%.

Ransomware has proved popular with cybercriminals as attacks are easy to perform and money can be made quickly. If an attacker succeeds in encrypting business data, a ransom must be paid within a few days. In the United States, where the majority of ransomware attacks occur, 64% of businesses pay the ransom.

Web-based attacks on the other hand typically take longer and require considerably more technical skill. Cybercriminals must create and host a malicious site and direct end users to the site. Once malware has been downloaded, the attackers must move laterally within the network and find and exfiltrate sensitive data. The data must then be sold.

Ransomware attacks on businesses are far easier to conduct, especially using ransomware-as-a-service. All that is required is for criminals to pay to rent the ransomware, set their own terms, and distribute the malware via spam email. Many ransomware authors even provide kits with instructions on how to customize the ransomware and conduct campaigns. The appeal of ransomware is clear. It is quick, easy and profitable to conduct attacks.

The Symantec Internet Security Threat Report charts the rise in popularity of ransomware. Symantec detected 101 separate ransomware families in 2016. In 2014 and 2015 the count was just 30. Symantec’s ransomware detections increased from 340,665 in 2015 to 463,841 in 2016. Ransomware as a service has played a major role in the increase in attacks.

Ransom demands have also increased in the past year. In 2015, the average ransom demand was $294 per infected device. In 2016, the average ransomware demand had increased to $1,077.

Fortunately, good data backup policies will ensure businesses do not have to pay to unlock their data. Unfortunately, even if data can be recovered from backups, ransomware attacks on businesses are costly to resolve. Cybersecurity firms need to be hired to conduct analyses of networks to ensure all traces of ransomware (and other malware) have been removed. Those firms must also check to make sure no backdoors have been installed.

Ransomware attacks on businesses typically see computers locked for several days, causing considerable loss of revenue for companies. Customer breach notifications may also need to be issued. Ransomware attacks can cost tens or hundreds of thousands of dollars to resolve, even if no ransom is paid.

Since ransomware is primarily distributed via spam email, businesses need to ensure they have appropriate email defenses in place. An advanced spam filter with an anti-phishing component is essential, along with other endpoint protection systems.

Symantec’s figures show that spam email volume has remained constant year on year, with spam accounting for 53% of email volume in 2016.

In 2016, one in 2,596 emails involved a phishing component, down from one in 965 in 2014. Phishing attacks may be down, but malware attacks increased over the same period.

Malware-infected email attachments and malicious links to malware-infected websites accounted for one in every 131 emails in 2016, up from 1 in 220 in 2015 and 1 in 244 in 2014. In 2016, 357 million new malware variants were detected, up from 275 million in 2014.

The decline in web-based attacks is certainly good news, but it doesn’t mean the threat can be ignored. Last year there were 229,000 web-based attacks tracked by Symantec. While that is a considerable decrease from the previous year, web-based attacks still pose a significant threat to businesses.

Web-based attacks could also increase this year. The Symantec Internet Security Threat Report indicates 9% of websites have critical bugs that could be easily exploited by cybercriminals allowing them to hijack the websites. Worryingly, Symantec reports that 76% of websites contain bugs that could potentially be exploited.

The Symantec Internet Security Threat Report shows data breaches have remained fairly constant over the past two years. In 2014, widely reported to be ‘the year of the data breach’, Symantec recorded 1,523 data breaches. The following year that fell to 1,211 breaches. Last year, there was little change, with 1,209 breaches reported.

The halt in the rise in data breaches suggests organizations are getting better at protecting their networks and data. However, large data breaches are increasing. Last year there were 15 data breaches that involved the theft of more than 10 million records, up from 11 in 2014.

Protecting against data breaches and cyberattacks requires comprehensive, multi-layered security defenses. TitanHQ offers a range of cybersecurity solutions for SMEs to help them improve their security posture and protect against web-based and email-based security threats.

For more information on how you can improve your security posture, and information on the best spam filter for business use, contact the TitanHQ team today.