The cyber security industry has always been a hotbed of misinformation and falsehoods and it’s time to lift the lid on another of these – the incoming GDPR data protection legislation, coming into force in May 2018.
As an industry we have been selective to the point of deceit in how we reference GDPR, clamouring ‘if you get breached you will be fined 4% of global turnover or £20m, whichever is greater’. This is simply not true. In addition, the legislation itself will drive organisations to allocate resources incorrectly if their overall objective is actually to defend against a potential attack, while the hype around the fines may also fuel threat-actor motivation.
Fines? What fines?
First let’s take a step back and look at GDPR as a whole. The vast majority of the incoming regulation pertains to gaining consent and then the collecting, processing and storing of personal data, and it is the disregard of these rules which carries the 4% fine. This has very little to do with being a victim of a cyber-attack so at first glance it seems unclear why the industry is championing GDPR so heavily.
However, if we look in more detail we find a (very) small part of GDPR relating to ‘breach notification’, where an organisation needs to inform its regulatory body within 72 hours of being made aware of a breach (where personal data may have been compromised). The penalty for not adhering to the 72-hour window is not 4%, it is only 2% – and furthermore, a breach does not in itself dictate a fine. In addition, a firm will only be fined if it misses the 72-hour window counted from when it first understood it had been breached, not from when the breach actually occurred. So in summary it’s 2% not 4%, and you will actually have to try pretty hard to get fined.
The organisation may also be fined if it is found, post-breach, not to have had the appropriate security controls for the value of the data it stores. As long as basic security (e.g. firewalls, AV, patching and intrusion detection) is in place and regularly updated, then it is extremely unlikely an organisation will be found at fault unless it carries significant motivation for a targeted attack. Indeed, the GDPR will be administered in the UK by the ICO, who fined TalkTalk £400,000 in 2016. The ICO only levied the fine because “TalkTalk’s failure to implement the most basic cyber security measures allowed hackers to penetrate TalkTalk’s systems with ease.” Yet as an industry, we seem to be implying that
a) The ICO levied a fine against a firm because ‘basic security controls weren’t in place’, and
b) GDPR is incoming – which will have zero effect on the ICO and their ability to assess what constitutes ‘basic security controls’
c) Firms need to spend millions on the latest cyber-security blinky boxes and products.
A+B does not equal C. Something does not add up.
Attackers vs Auditors
Furthermore, GDPR may make organisations inherently more insecure, as priorities are shifted from defending against attackers to defending against auditors. At board and executive level, the clamour over GDPR from the cyber-security industry has been such that it would be entirely reasonable for executives to assume that ‘we are GDPR compliant, therefore we are safe from attack’. However, as we have seen, the bulk of the work needed for GDPR compliance has little to do with security, and furthermore, the security controls needed to demonstrate ‘basic measures’ and therefore comply with ICO requirements under GDPR are trivial for threat actors to bypass. As MWR Infosecurity cyber-security red-team lead Dave Hartley recently put it, “basic measures like firewalls, MSSPs and intrusion detection have never stopped me achieving my objectives in the past and will never stop me in the future”.
Organisations will divert all of their attention to becoming GDPR compliant in the face of auditors and, given the cyber-security industry’s hype-driven adoption of GDPR, will assume that they are doing the right things to avoid a breach. In fact, all they will be doing is defending against an audit rather than against an attack and its subsequent business and reputational impact.
The Law of Unintended Consequences
The final piece of this agenda-fuelled turmoil is that it is not just law-abiding firms who are being duped by the cyber-security industry into thinking they will be fined 4% of global turnover – criminal groups are buying the myth as well, or at least recognise that their target organisations believe it to be true. In a world where extortion and ransom demands are already on an upward trend, GDPR is leading some to believe that if a criminal group showed ‘Proof of Data’ (that they have exfiltrated private data covered by GDPR), then it would be cheaper for the victim to pay an extortion fee of, say, 0.5% than to risk a fine of 4%. By the law of unintended consequences, this serves to drive breach attempts and their associated extortion demands ever higher.
As a final thought, none of this is to dismiss GDPR, which serves its purpose in ensuring that firms collect and process personal data appropriately and so keeps EU citizens safer – a good thing, and a major challenge for many organisations. However, its complete and utter hijacking by the cyber-security industry may well be shown to increase the risk that firms face, while causing many to question the integrity of those tasked with securing their organisation in the first place. Time, and May 2018 onwards, will tell.
This article was also published on LinkedIn