Tuesday, October 18, 2016

GDPR and ransomware

Even if Brexit comes to change everything, a lot will pretty much stay the same, and the EU's GDPR (or just google it), which everybody will have to comply with by 2018, is a good example.

I am not a legalist, so I am missing a few things for sure. What I am not missing is the cyber security impact of GDPR. Now that it has been approved, all sorts of implications are coming out.

One of them is about ransomware, and the PCI council makes an interesting remark: if your company gets hit by ransomware and you were not prepared (e.g., with good backups that are protected or kept offline), you will probably be advised to pay up, because at least then you have some chance of getting your documents back. The trouble is that the ransom will likely be the least of your costs: the GDPR plans to fine businesses up to 4% of revenues upon a breach if your company fails to properly explain that there was nothing, within reason, it could have done.

What is interesting is that a cyber security effort aimed specifically at GDPR compliance is in effect inefficient. My recommendation would be this: implement a broad information security programme first, and then specifically trim and adjust it to GDPR via dedicated gap and risk assessments.
