By Alyn Hockey, VP of Product Management at Clearswift
When GDPR came into force in May 2018, it was the biggest change to data privacy regulation in a generation.
While it was long overdue in terms of keeping consumer data safe and secure, it did create a set of fresh challenges for the organisations that hold that data. They are now required to gain the consent of data subjects for processing, anonymise collected data, provide data breach notifications and adhere to many other stipulations within the regulation.
GDPR has also left organisations exposed to data breaches, with cybercriminals keen to exploit the regulation for nefarious purposes, using attacks such as phishing, malware and ransomware to do so. With the UK now set to leave the EU on 31 December 2020, this challenge could be about to become even greater. While UK organisations that hold data on EU citizens will still be required to be GDPR-compliant, there could be UK-specific legislation around the corner.
Organisations also need to prioritise defending against email-based attacks, which remain among the most common types of cyber-attack facing organisations in 2020, and also the most impactful. Could the post-Brexit landscape make it even more challenging for UK organisations to keep data safe and secure?
The Brexit threat
Research commissioned by Clearswift in 2019 revealed that since Brexit was announced, more than half (53%) of UK businesses have increased their cybersecurity spending. Organisations felt that Brexit will increase threats to data protection, with the data showing that the top three threats to organisations post-Brexit will be malware attacks (49%), phishing attacks (40%) and ransomware attacks (40%).
The threats identified by the senior IT decision-makers we surveyed are reflected in the kinds of investments that are being budgeted for by organisations. With many of the threats focused on malicious players gaining access to sensitive information via targeted attacks, respondents identified data loss prevention (DLP) technologies (49%), regulatory compliance solutions (49%), and endpoint security (44%) as the top investment areas post-Brexit.
It is clear that organisations have long felt Brexit could be an issue from a cybersecurity perspective. The top three attacks identified in the research can be outlined as follows – and all could grow worse when Brexit actually happens:
Malware – this is a broad term encapsulating the myriad of techniques cybercriminals use for gaining access to critical data – whether a Trojan horse, spyware or another form of malicious code. The objective is always the same: gaining access to a corporate network to steal data. A compromised network is not that hard to detect, with symptoms including missing files and changed login credentials. But these can be written off as ‘business as usual’, especially if a firm is adapting to post-Brexit changes.
Phishing – these attacks epitomise the ‘cast a wide net’ approach to cybercrime. An example of this is ‘spear-phishing’ attacks on targeted firms. This involves an email being sent to employees at a firm – ostensibly from the CEO or CFO – asking them to share sensitive bank account information or requesting that funds be transferred into a spoofed bank account. These are significantly less effective than hacking but make up for that in sheer scale.
Ransomware – this is one of the fastest-growing forms of cyber-attack and poses a serious threat to firms post-Brexit. Ransomware is malicious code loaded onto a network to isolate critical data, for which the attackers then demand a ransom, either to release it back to the firm or, in some cases, to destroy it. Once Brexit has finally happened, one method of attack could involve would-be hackers posing as ‘official’ communications or Brexit-oriented advisors in an attempt to gain entry to a corporate network.
The inherent risk within email
While email remains the default method of business communication, it will also be the default method of attack, and its use is becoming more creative. Cybercriminals increasingly hide malicious content in image and document files (JPGs, PDFs and more) attached to emails. Receiving an image that contains unauthorised sensitive information could cause a non-compliance breach, which, under GDPR – or a new UK-focused regulation – could see an organisation face substantial fines.
To mitigate this risk, organisations must have advanced email and web security solutions deployed to ensure these attacks do not disrupt business, as well as threat detection systems to assist in the identification and quarantine of malware. Advanced email and web solutions can mitigate the risk because they automatically remove malicious links detected in emails and attachments, or in documents downloaded from the web, before the threat executes within the corporate network. This protects the organisation from staff mistakenly clicking on malicious links, which is the most common reason cyber-attacks succeed.
In addition, employing technology such as Adaptive Redaction will ensure that any employees who might take the ‘bait’ are incapable of sharing critical information or credentials, as the technology automatically redacts sensitive information being sent to a recipient who is not authorised to receive it.
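To make the redaction idea concrete, here is an added example (not Clearswift's code or a description of its product) of an outbound email filter that lets a message through untouched when every recipient domain is on an allow-list, and otherwise replaces banking details with redaction markers while leaving the rest of the message deliverable. The patterns, the authorised domains and the sample message are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Hypothetical detection patterns, constructed for this example. Real DLP
# products use richer lexicons and validation (e.g. IBAN checksums).
SENSITIVE_PATTERNS = {
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "uk_sort_code": re.compile(r"\b\d{2}-\d{2}-\d{2}\b"),
    "uk_account": re.compile(r"\b\d{8}\b"),
}

# Recipient domains allowed to receive banking details (constructed).
AUTHORISED_DOMAINS = {"example.com", "bank-partner.example"}


@dataclass
class RedactionResult:
    body: str
    redacted: dict = field(default_factory=dict)  # pattern name -> matches removed


def recipient_authorised(address, authorised=AUTHORISED_DOMAINS):
    """True if the address's domain may receive sensitive content."""
    domain = address.strip().rsplit("@", 1)[-1].lower()
    return domain in authorised


def redact_for_recipients(body, recipients, authorised=AUTHORISED_DOMAINS):
    """Deliver unchanged when every recipient is authorised; otherwise strip
    each sensitive match and record what was removed. The remainder of the
    message still goes out, so legitimate business is not blocked outright."""
    if recipients and all(recipient_authorised(r, authorised) for r in recipients):
        return RedactionResult(body)
    counts = {}
    for name, pattern in SENSITIVE_PATTERNS.items():
        body, n = pattern.subn(f"[REDACTED:{name}]", body)
        if n:
            counts[name] = n
    return RedactionResult(body, counts)


# Constructed message: a staff member replying to a look-alike "CEO" request.
SAMPLE_BODY = ("Please settle invoice 4471 by transfer to GB29 NWBK 6016 1331 9268 19 "
               "(sort code 60-16-13, account 31926819). Thanks, Finance")

if __name__ == "__main__":
    print(redact_for_recipients(SAMPLE_BODY, ["finance@evil-lookalike.example"]))
    print(redact_for_recipients(SAMPLE_BODY, ["payments@bank-partner.example"]))
```

The `redacted` counts are what a security team would log and alert on, since a spike in redactions to a single external domain is itself a phishing indicator.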
The post-Brexit regulatory landscape is shrouded in uncertainty, which creates a perfect environment for attackers to target organisations across the UK. To counter this, those organisations will require the right technology, but will also need to provide ongoing cyber training, covering areas such as the signs to look out for in a phishing email and a top-level awareness of GDPR and other new data protection regulation.
About the author
Alyn Hockey is VP of Product Management at Clearswift. Alyn has had an extensive career in cybersecurity, co-developing the MIMEsweeper range of products and working across departments within Clearswift, managing technical support, research and currently product management.
Clearswift supplies IT security software to protect businesses' data from internal and external threats, enabling secure collaboration and compliance by delivering a world-class adaptive data loss prevention (DLP) solution.