The importance of ransomware protection for GDPR compliance: The NIST Cybersecurity Framework Profile for Ransomware Risk Management
Being the victim of a ransomware attack is usually a sign of one or more vulnerabilities in an organisation’s information technology security framework, and it may have consequences for GDPR compliance purposes.
Ransomware is a type of malicious attack where attackers encrypt an organisation’s data until a ransom is paid to restore access. In some instances, attackers may also steal an organisation’s information and demand an additional payment in return for not disclosing the information to authorities, competitors, or the public.
Ransomware can be unknowingly downloaded onto a device by opening an e-mail attachment, clicking an advertisement or a link, or even visiting an infected website. Once the malicious software is installed on the computer, it will lock access to the computer itself or to the data and files stored there. Most of the time, users do not know their computer has been attacked when it happens. They usually discover it when they can no longer access their data, or when they see a message on their computer informing them of the attack and demanding payment of a ransom.
Cyberattacks in the form of ransomware are ubiquitous and increasingly sophisticated; anyone with a computer connected to the internet is at risk. Ransomware can not only disrupt business operations, leaving the organisation without access to the data it needs to operate, but can also seriously hurt an organisation’s reputation. In addition, being the victim of a ransomware attack may, in certain circumstances, expose organisations to censure by Data Protection Authorities for breach of data protection laws, which may even include substantial fines.
How does ransomware impact GDPR compliance?
Security of data is a prerequisite to achieving GDPR compliance. One of the fundamental principles of the GDPR is the so-called “security principle”, which requires that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The GDPR’s definition of a data breach reflects the security principle mentioned above: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. It is fairly clear from this definition that a ransomware attack, and generally any inability to access data, may constitute a reportable data breach.
It must be noted that the GDPR does not specify which security measures an organisation should have in place. Instead, it calls for a level of security that the controller or the processor, as the case may be, is responsible for evaluating as appropriate to the risks of the specific processing activities it carries out. The appropriateness of the measures needs to be assessed in relation to the state of the art and the costs of implementation, as well as the nature, scope, context and purposes of the processing activities carried out by the organisation.
Some organisations may find it difficult to understand what it means to implement “appropriate technical and organisational measures for security” pursuant to art. 32 GDPR. There are multiple sources of best practices relating to cybersecurity in general (such as those provided by ENISA in the EU) or specifically addressing a certain type of cyber-attack. With specific reference to ransomware, of relevance is the recently issued new draft of the Cybersecurity Framework Profile for Ransomware Risk Management by the National Institute of Standards and Technology (NIST).
The NIST Cybersecurity Framework Profile for Ransomware Risk Management
The NIST Cybersecurity Framework Profile for Ransomware Risk Management recommends steps that companies should take in order to prepare for, respond to and recover from ransomware attacks.
More specifically, the Guidance identifies security objectives that support preventing, responding to, and recovering from ransomware events. It includes references to other specific information security standards such as NIST 800-53 and ISO 27001:2013.
The Framework provides for five foundational pillars of cybersecurity:
- Identify: developing an organisational understanding to manage cybersecurity risk. It comprises the inventory and mapping of the systems, people, assets, data and capabilities, the risk assessment and the implementation of policies, procedures and processes in order to manage cybersecurity risk.
- Protect: developing and implementing appropriate safeguards aimed at limiting the impact of a possible cyberattack. It includes limiting access to physical and logical assets and associated facilities to authorised users, processes and devices only, and spreading cybersecurity awareness within the organisation through specific training.
- Detect: developing and implementing appropriate procedures to identify the occurrence of a cybersecurity event. This function includes the implementation of a Security Information and Event Management (SIEM) solution and network monitoring.
- Respond: developing and implementing appropriate activities to take action regarding a detected cybersecurity incident. This function includes following a precise response plan and performing activities to prevent expansion of the attack, mitigate its effects, and resolve the incident.
- Recover: developing and implementing appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to the cybersecurity incident.
These Functions considered together provide a high-level, strategic view of an organisation’s management of cybersecurity risk. But the NIST guidelines also contain some basic preventative steps that an organisation can take now to protect against the ransomware threat. These include:
- Use antivirus software at all times. Set your software to automatically scan emails and flash drives.
- Keep computers fully patched. Run scheduled checks to identify available patches and install these as soon as feasible.
- Segment networks. Segment internal networks to prevent malware from proliferating among potential target systems.
- Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack.
- Block access to potentially malicious web resources. Use products or services that block access to server names, IP addresses, or ports and protocols that are known to be malicious or suspected to be indicators of malicious system activity.
- Allow only authorized apps. Configure operating systems and/or third-party software to run only authorized applications. Establish processes for reviewing, then adding or removing authorized applications on an allowlist.
- Use standard user accounts instead of accounts with administrative privileges whenever possible.
- Restrict personally owned devices on work networks.
- Avoid using personal apps—like email, chat, and social media—from work computers.
- Educate employees about social engineering. Don’t open files or click on links from unknown sources unless you first run an antivirus scan or look at links carefully.
- Assign and manage credential authorization for all enterprise assets and software, and periodically verify that each account has the appropriate access only.
- Make an incident recovery plan. Develop and implement an incident recovery plan with defined roles and strategies for decision making. This can be part of a continuity of operations plan. The plan should identify business-critical services to enable recovery prioritization, and business continuity plans for those critical services.
- Backup data, secure backups, and test restoration. Carefully plan, implement, and test a data backup and restoration strategy—and secure and isolate backups of important data.
- Keep your contacts. Maintain an up-to-date list of internal and external contacts for ransomware attacks, including law enforcement.
As mentioned above, privacy and cybersecurity are intrinsically linked. Organisations’ activities can create risks to individuals’ rights and freedoms when their personal data is collected, used, processed, maintained, or disclosed. The NIST Cybersecurity Framework Profile for Ransomware Risk Management is a reference tool in the hands of organisations and their legal and cybersecurity experts for setting up and implementing an IT infrastructure with reasonable and adequate security measures in accordance with the GDPR.
Each organisation has its own priorities and risks specific to its actual operations and the type of data processed. For these reasons, when it comes to choosing how and which cybersecurity measures to implement, it is important to have a clear understanding of the organisation’s business operations and needs, and of the risks linked to the specific data processing activities carried out. It is also advisable to take into account all the possible privacy implications when setting up an organisation’s cybersecurity plan, by building data protection principles, such as data minimisation, transparency and integrity of data, into the organisation’s cybersecurity strategy.