Businesses have gone to extreme lengths to become ready for the EU's General Data Protection Regulation (GDPR). Some have flooded in-boxes with opt-in requests. Others have swarmed mobile screens with pop-ups that users are forced to click through. There has been no shortage of website banners that consumers have been required to acknowledge.
Estimates from a Forbes article show that Fortune 500 companies have invested as much as $9 billion to achieve compliance. Other analyst firms and research groups estimate that readiness spending varies between $4 million and $25 million per business, depending on size.
Despite all of these efforts, early indications show that organizations still aren't compliant: Regulators already have hit Google and Facebook with more than $9 billion in fines. Some major news outlets, including the Los Angeles Times, ceased online operations in the EU due to noncompliance. UK officials are warning that 5.7 million small businesses there may be in violation of the law.
News outlets have published thousands of stories about GDPR unreadiness. It's hard to imagine that there is anything new to read about. There is. It's the reality of how criminals are going to use the size of GDPR fines to successfully bribe IT workers, with privileged users being their primary targets. A privileged user is an employee, contractor, or partner with access to almost every corner of the corporate network. Edward Snowden is one of the most notable examples of what happens when a privileged user goes rogue. Why is this class of insider going to become a bribery problem? Great question — read on …
GDPR mandates hefty penalties for companies that are breached. Penalties can reach as high as 4% of a violators' annual revenue. (Remember, Google and Facebook are already facing $9 billion in fines). This means that in many cases, penalties will far outweigh the actual cost of a breach, which criminals know.
Rather than auction stolen data to fellow crooks for pennies or try and exact a ransom to unencrypt it, criminals will start to ransom stolen data back to the organizations they heist it from in exchange for not exposing it publicly. The extortion price will be substantially higher than what could be earned on the Dark Web but significantly lower than an actual GDPR breach fine. Paying extortion may create an ethical dilemma for companies, but it will make smart business sense as it will be much lower than financial penalties.
Privileged insiders are central to this scenario. Cybercriminals will be motivated to bribe them, as holders of the kingdom's keys, into giving up their credentials. Once criminals have hold of these, they will have an opportunity to earn payouts way beyond anything ever seen in the past.
Bribing insiders will only get easier. According to Ian Thornton-Trump, cyber vulnerability and threat-hunting lead at Ladbrokes Coral Group, writing in Tripwire, GDPR privacy regulations will actually shield criminals' operations in some cases. Other studies have shown that employees are willing to sell passwords. The promise of a reduced risk of getting caught combined with getting a piece of a substantial extortion payment may be more than many people can resist. Luckily, there are steps that organizations can take to avoid falling into this trap. Here are four:
Step 1: Visibility. Privileged users have greater and deeper access to organizations' IT assets and data than anyone else. They also tend to be the savviest when it comes to understanding how systems work and, especially, how security controls and policies can be circumvented. Five years ago this month, The Guardian broke the story about the National Security Agency's powerful surveillance programs based on top-secret information supplied by Edward Snowden. It was eventually proven that Snowden used his technical expertise to avoid detection as he moved deeper and deeper into the agency's systems. Businesses that want to avoid becoming victims of GDPR-era Snowdens need to keep an eye out for what their privileged users are doing, both on and off the network.
Step 2: Alerts. Organizations need to have an early-warning system in place. Forensic investigations add value, but they follow incidents. To stop privileged users who may decide to go rogue before it's too late, businesses need tools that sound alarms when suspicious behaviors occur. There are some caveats. Many times, alarms end up being false positives. Effective early warnings must be powered by technologies that understand behavioral context and that know the difference between what's normal and what's not.
Step 3: Communicate. In the modern global enterprise, thousands of employees are spread across as many business units. Distributed employees include privileged users. Anyone with a stake in security and compliance within their organizations should work with HR and other divisions to understand how many privileged users there are, what they are responsible for, and how they are accessing data.
Step 4: Account. Knowing who and where privileged users are is only a first step. Organizations also need to know how many privileged user accounts they have and how they are being protected. In a recent survey published by privileged access account security provider Thycotic, it was revealed that up to 70% of respondents fail to fully discover privileged user accounts.
In most businesses, the vast majority of privileged users would never even think about cooperating with cybercriminals. Most are trusted, well-intentioned individuals who recognize the importance and sensitivity of the role they fill. The sad reality, though, is that there are some who will opt for a weighty payout. Security and compliance professionals need to be ready to defend against this scenario.
- 6 Ways to Tell an Insider Has Gone Rogue
- GDPR Oddsmakers: Who, Where, When Will Enforcement Hit First?
- GDPR, WHOIS & the Impact on Merchant Risk Security Monitoring
- A Data Protection Officer's Guide to the Post-GDPR Deadline Reality
Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Click for more info.