The race to comply with GDPR is still on, which may be bad news for small businesses

Lucy Spencer
Naturally Inquisitive
May 24, 2018

On 23 May, GDPR panic officially took over — and crashed the UK’s Information Commissioner’s Office (ICO) website.

The General Data Protection Regulation (GDPR) sets new minimum standards for companies to protect personal data within the EU, giving people greater control. But 85% of businesses in Europe and the USA will not be ready to meet these new requirements on time, according to a recent report — and the deadline is tomorrow.

Could this last-minute panic increase the likelihood of cybersecurity breaches for small businesses?

Failure to meet these requirements comes at a heavy price: violating the EU-wide regulation carries a maximum fine of EUR 20 million (roughly GBP 17.5 million) or 4% of the company’s annual global revenue from the previous year, whichever is higher. That is a price many businesses may not be able to pay.

In fact, only 39% of businesses asked in a December 2017 survey say they are financially prepared to cover the fines once GDPR is in effect. The same survey found that 64% of respondents said they had suffered a data breach at least once in the last two years, all of which included personal data.

So, the race to comply is still on. And that could be dangerous — especially for small businesses.

“Small offices and usually businesses that cannot afford professional help (let alone hiring a data protection officer) will be tempted to download software to automate the compliance process,” Bogdan Botezatu, Senior Cybersecurity Analyst at Bitdefender, said in an interview with Naturally Inquisitive.

For small businesses, trying to find an easy and quick solution might sound attractive, but it could lead to serious cybersecurity issues.

“If they end up in bad neighbourhoods on the internet, they might get tricked into installing fake software (such as apps that do not actually do anything) or even applications rigged with adware / malware. It would not be the first time users are conned into trojanized apps,” he said.

One example: the 2014 FIFA World Cup.

A key place to focus attention as a small business is your website

Over 30% of all sites on the web run on the open-source WordPress platform, the most popular Content Management System (CMS) in the world. Its open-source model means that developers around the world contribute to the platform.

Ensuring plugins are GDPR compliant is an issue that WordPress and contributors have been working to address — a difficult proposition when the developers themselves are unsure if they meet the new regulatory requirements.

But what about plug-ins that claim to help make your website GDPR compliant with one easy install? Could they pose a risk?

“Because of the vast array of developers (some experienced, some just starting off), plugins and themes have been historically used as attack avenues into websites or as infection vectors for the website’s visitors,” Botezatu said.

“Some of these vulnerabilities include SQL injection, for instance, which allows a hacker to leverage a vulnerability in order to dump the website’s database along with account names, unpublished posts and other types of private information. Some other vulnerabilities allow code injection (the addition of malicious code to the header or the footer of the website). Whoever lands on the respective page gets automatically infected via a web exploit or might end up mining cryptocurrency for hackers. Last, but not least, a hacker could leverage a bug in the plugin or theme to gain access to the webserver’s storage and upload malware, spam templates or even illegal content (such as child pornography) to be used in further malicious campaigns.”

All it takes is a single line of faulty code.
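To show what that single faulty line looks like in practice, here is an added example (not from the article or from any real plugin): a hypothetical WordPress shortcode that looks up a consent record, first with user input concatenated into the SQL, then hardened with WordPress’s own `$wpdb->prepare()`. The table name `ni_consent` and the function names are assumptions.

```php
<?php
// Added illustration, not code from the article. The 'ni_consent' table,
// its columns and the function names are hypothetical.

// VULNERABLE: the request parameter is pasted straight into the query text,
// so a crafted 'email' value changes what the database is asked to do.
function ni_consent_lookup_vulnerable( $atts ) {
    global $wpdb;
    $email = isset( $_GET['email'] ) ? $_GET['email'] : '';
    $table = $wpdb->prefix . 'ni_consent';
    // This is the single faulty line: string building instead of a parameterised query.
    $row = $wpdb->get_row( "SELECT email, consented_at FROM $table WHERE email = '$email'" );
    return $row ? esc_html( $row->email . ' consented on ' . $row->consented_at ) : 'No record.';
}

// HARDENED: the value is validated, then passed to $wpdb->prepare(), which
// quotes and escapes it separately from the SQL text (%s = string placeholder).
function ni_consent_lookup_hardened( $atts ) {
    global $wpdb;
    // Consent records are personal data: restrict the lookup to administrators.
    if ( ! current_user_can( 'manage_options' ) ) {
        return 'Not authorised.';
    }
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        return 'Invalid email.';
    }
    $table = $wpdb->prefix . 'ni_consent';
    $sql   = $wpdb->prepare( "SELECT email, consented_at FROM {$table} WHERE email = %s", $email );
    $row   = $wpdb->get_row( $sql );
    // Escape output as well, so stored data cannot be rendered as markup.
    return $row ? esc_html( $row->email . ' consented on ' . $row->consented_at ) : 'No record.';
}
add_shortcode( 'ni_consent_lookup', 'ni_consent_lookup_hardened' );
```

The hardened version also fixes two things the article’s quote only hints at: it checks who is allowed to read personal data at all, and it escapes what it prints back to the page.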

WordPress does update its software regularly, but it is up to individuals to download the latest version.


The prevailing advice is don’t panic: the regulators aren’t even ready!

“As the GDPR deadline approaches, I believe there will be any number of downloads and plug-ins available on the web claiming to make compliance ‘easy’ — some with less than honourable intentions,” Darren Hockley, Managing Director at DeltaNet International, said in an interview with Naturally Inquisitive.

“Rather than searching for a quick solution, organisations would do well to think long-term about their data protection journey and view compliance as the ongoing journey it is.”
