The IT industry loves a hot topic. Cloud, hyper-converged infrastructure and machine learning are all great conversation pieces, but two of the hottest topics that are currently debated around the IT watercooler are ransomware and the European Union’s (EU) General Data Protection Regulation (GDPR).
As hot as these topics are individually, what happens when two of these ideas collide? I was recently asked the question, “What is the impact of ransomware when it comes to the GDPR?” and it created the rare occurrence of a topic collision in IT.
Is there an impact?
The answer is most certainly yes. GDPR exists to protect our personal information. Therefore, if we are holding information regarding an EU citizen, then our primary concern is to ensure that we look after that data and make sure it is secured, protected and accessible.
As part of our requirements under GDPR, it is crucial that we avoid a data breach. What do we mean by breach? It is described within the GDPR articles as follows:
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If we look at the statement above, it becomes clear how ransomware leads to a potential breach under GDPR. By definition, ransomware is malware that can prevent or limit victims from accessing critical data or even their entire systems.
So far, the response to a ransomware attack has been relatively straightforward: either you have ensured your data Availability and can quickly recover compromised data, or you are exposed to losing data. If you don’t have a trusted data recovery solution in place, your options for resuming your business operations with no data loss are limited. Keep in mind that paying the ransom is strongly advised against by all technology and cybersecurity experts, as well as government officials.
GDPR introduces a new challenge, as well as a new opportunity for the cybercriminal. Rather than worrying about the pesky technicalities of ransomware, your friendly neighborhood cybercriminal now has a new threat in their arsenal. They can expose a ransomware-based breach of your data to relevant authorities, exposing your organization to heavy fines or other sanctions.
What are we to do?
What does GDPR demand from organizations? If we look at Article 32 we get some guidance on our key responsibilities as data owners to have:
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
While GDPR is not a technical regulation or an IT problem to solve, it requires an increased commitment from IT departments to ensure data security strategies exist, solutions are up to date and all stakeholders are well informed of their responsibilities. There are certain areas in which IT commitment is key:
- Helping ensure data integrity
- Helping ensure the Availability of data
- Providing a platform for effective and flexible testing
What would an appropriate technology look like then?
The reality is that no single technology is going to provide all that you need, but it is good to be aware of the types of technology that can help.
Ideally, a solution stack would include a level of intelligence to spot ransomware activity, with the ability to quickly shut it down and identify any datasets affected. It would provide an option to take the information about compromised datasets and present it to the recovery solution to automate the recovery process. It would also include a recovery solution that can quickly recover data and maintain Availability, while also providing the ability to build test environments, so we can practice our response to data destruction incidents such as a ransomware attack.
Does Veeam help?
While Veeam is by no means a GDPR compliance tool, or even a ransomware identification solution, the Veeam Availability Suite can play a significant role in ensuring your compliance program is effective in dealing with not only issues such as ransomware, but a wider range of compliance program challenges.
However, the ability to interact with third-party tools for quick identification of, and recovery from, a potential breach brings tremendous value. If we consider Veeam’s overall strategy of ensuring Availability across multiple repositories, both on-premises and in the cloud, in order to maintain compliance and Availability of data across the entire infrastructure regardless of location, then this is valuable and essential to a modern business compliance strategy.
We began with the question, “What impact does ransomware have on GDPR?” Now we’ve answered that question by discussing how the impact and risk of ransomware need assessing and mitigating, as with all other potential compliance risks.
Hopefully this has provided some useful background and ideas to ensure you can meet the needs of your business compliance strategy.