By Lecio De Paula, data privacy director at KnowBe4
The GDPR has been in effect since May 25, 2018, which has sparked international organisations into a compliance frenzy. Data protection authorities have reported that the number of reported data breaches has increased significantly.
In regard to data protection law, not all data breaches need to be reported; however, they should all be documented. This is a strong feature of data protection law, because if every single data breach had to be reported, the data protection authorities would be inundated with data breach reports. Currently, organisations only need to report a data breach to the authorities if it is likely to result in a risk to the individuals.
Many organisations are over-reporting data breaches that do not need to be reported, but the real problem is that, for the breaches that should be reported, organisations are underestimating the associated risks.
Now, how does this present a problem? Well, the term “risk” is highly subjective. Organisation A may decide that a given breach scenario presents no risk, based on its own risk tolerance, while Organisation B firmly believes that the same breach presents a high risk. Where do organisations find balance?
That is one of the current issues with reporting data breaches under the current guidelines. Organisations rely heavily on their internal information security and privacy teams or outside consultants to help them determine if a data breach is reportable or not. However, a majority of infosec teams and consultants are also very subjective in their approach and could steer an organisation in the wrong direction.
In many cases, it is a toss-up whether a data breach will have a significant impact on the individuals affected. In other cases, it is fairly clear that the breach should be reported, such as those involving an individual’s financial or health information.
The majority of data breaches that go unreported do so because the organisation underestimated the risk to the data subjects. A data breach that appears to have no significant impact can wind up having far-reaching, lasting impact for the individuals affected. Sometimes the risk to those affected is financial fraud; sometimes an unreported breach is made public months later and the organisation then has to face a PR nightmare.
Recently, the Irish Data Protection Authority released practical guidelines on how to approach personal data breaches. A few case studies highlight situations where organisations underestimate the risks associated with a personal data breach.
One specific example involves an organisation that underestimated the risks to individuals after a simple phishing attack. The organisation reported that the phishing attack led to an employee’s email account being compromised, and that the account held the personal details of 400 other individuals; the organisation reported this breach as having “low” impact.
As a result of the compromise, one of those individuals was subject to financial fraud, which ultimately had a high impact on that person’s wellbeing. It is notable that something as simple as a phishing attack, leading to business email compromise, can so easily have a high impact on individuals. Based on this guidance, it is crucial to assess all risks to every individual whose data is involved in the breach. Organisations cannot just assess the impact a personal data breach has on their business; instead, they must put more focus on how it will affect the individuals whose data was exposed.
Interestingly enough, the Irish Data Protection Authority found that organisations in the telecommunications sector are becoming increasingly vulnerable to social engineering. One case occurred when an organisation reported that perpetrators were using legitimate customer details to initiate a SIM swap.
The perpetrators leveraged legitimate customer details, which they may have acquired through an earlier data breach, to pass the validation process and then gain control of the customer’s account. Not only did this organisation lack appropriate technical and organisational security measures to prevent the fraud, but more than likely its employees were not trained well enough to spot a social engineering attack. Since this is technically a personal data breach, organisations need to assess the risks associated with the unauthorised access.
These problems are not easy ones to fix. Phishing attacks are the most common and most successful types of attacks today. In fact, social engineering as a whole has been going on since the beginning of time. As organisations progress through the GDPR landscape, they need to be able to understand the real impacts of phishing attacks and learn how to prevent and mitigate them.
Technical controls such as email filtering and firewalls, combined with adequate security awareness training for users, are just some of the controls that organisations can implement to stop attacks like this from heavily affecting them.
If organisations do not implement these controls and continue to underestimate the impact of a simple phishing attack, they might face fines of up to 4% of their global revenue.
The post #Privacy: Realising the threat of phishing and the impact it has under GDPR appeared first on PrivSec Report.