Research has shown that the fear of fines through GDPR is making some firms more likely to pay cyber ransom than report the breach. This is a very scary thought and extremely counterproductive. Why is this happening and what could be done to prevent this?
Serviceteam IT’s 2018 Beyond the Cloud research found 52.2% of respondents did have an allocated budget for the increased overheads for GDPR, such as access requests and minor data breaches.
However, a study commissioned by security firm Sophos found that almost half of UK IT directors would "definitely" be willing to pay a ransom to hackers in order to avoid reporting a data breach and risking a fine under the new EU data protection law, the General Data Protection Regulation (GDPR).
The bad news does not stop there. A further 30% of respondents said they would "possibly" consider paying the ransom if it was lower than the potential penalty for a breach under GDPR. Only 18% of respondents completely ruled out paying off hackers.
If an organisation breaches one of its obligations under a specific article of the GDPR, data protection authorities can impose a fine of up to €10m or 2% of annual global turnover, whichever is higher. The ceiling is doubled (€20m or 4%) if the breach infringed individuals' privacy rights. Paying a ransom does not remove the separate obligation under Article 33 to notify the supervisory authority of a personal data breach, where feasible within 72 hours of becoming aware of it.
Prior to the 25th May deadline, Mikko Hypponen, chief research officer at F-Secure predicted that data breach fines could drive up cyber ransom rates as companies would be more likely to pay ransoms if they are lower than potential GDPR fines and reputational damage of reporting a data breach.
Serviceteam IT’s 2018 Beyond the Cloud research found that cyber-security incidents are increasing. In the 2017 research, 34% of respondents reported an increase in cyber-security incidents; in 2018, this figure had risen to 50%. In addition, 38% reported concerns about their company’s GDPR compliance, and only 20% of respondents predicted that they will have to report more data breaches to the ICO as a result of Brexit. Cyber-security incidents will not stop now that GDPR is in force.
However, the Sophos study revealed that small businesses were the least likely to consider paying a cyber ransom, with 54% of IT directors at UK companies with fewer than 250 employees ruling out paying their attackers.
The study also found that UK IT directors are significantly more likely to pay a cyber ransom than their counterparts in Western European countries. It is very concerning, especially during this Brexit period, that IT directors do not appear to understand the seriousness of a data breach.
“Companies that pay a cyber ransom might regain access to their data, but it’s far from guaranteed and a false economy if they do it to avoid a penalty,” said Adam Bradley, UK managing director at Sophos. “They still need to report the breach to the authorities and would face a significantly larger fine if they don’t report it promptly.”
Bradley said it was surprising that large companies appear to be those most likely to pay a ransom. “It is a mistake for companies of any size to trust hackers, or to expect that they will simply hand the data back,” he said.
“Our advice is not to pay the ransom, to tell the authorities promptly and make sure you take steps to minimise the chances of falling victim again.”
With cyber ransom on the rise and concerns with compliance highlighted in our report, these findings are quite shocking. Help ensure your business does not fall into this trap and contact Serviceteam IT today.