It will probably come as no surprise to hear that the public sector is frequently ravaged by ransomware attacks. According to bankinfosecurity, 27% of UK councils have confirmed that they have been the victim of at least one ransomware attack. One reason why the public sector is particularly vulnerable to such attacks is that they hold large amounts of sensitive personal data.
The General Data Protection Regulation (GDPR) will come into effect on 25th May 2018. This new EU regulation will make it mandatory for local authorities to notify the ICO of every data breach that may affect the rights of EU citizens. Once a breach has been identified, it must be reported within a 72-hour timeframe. Should local authorities fail to comply with the GDPR, they may be subject to fines of up to €20 million, or 4% of annual global turnover. To avoid such hefty fines, local authorities need to start preparing now – assuming they have not already done so.
They will need to start by developing an incident response plan and paying close attention to how they engage with third-party contractors/data processors. Under the Data Protection Act 1998, data controllers – those who determine the purpose for which data is processed – are required to have a formal contract with their data processors. Under the GDPR, however, that contract must include a greater number of provisions. For example, the controllers must ensure that the processors have implemented the appropriate measures and are themselves compliant with the GDPR. Many data breaches go unnoticed because the processors do not report them to the controllers. As such, any contract between a controller and a processor should include a breach notification clause.
Local authorities will also need to implement technical measures to protect their sensitive data, such as firewalls, encryption, pseudonymisation, real-time auditing software and others. Contrary to popular belief, insiders are today’s biggest security threat. To make matters worse, insider threats can go undetected for years, as they are hard to spot and easy to cover up. It is therefore imperative that local authorities be able to detect, alert on and respond to critical changes made to the files, folders and user accounts on their network.
While it is theoretically possible to scrutinise the server logs to find out what critical changes have been made, this is not the recommended approach. After all, the last thing you want when you’re under pressure following a data breach is to spend hours sifting through large volumes of cryptic data. Instead, you will need to install some form of real-time event detection and reporting software, such as LepideAuditor. Such solutions enable you to detect, alert on and respond to permission changes, suspicious file and folder activity, account modification and deletion, inactive user accounts and non-owner mailbox access, and to ensure that passwords are rotated regularly.
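As an added illustration (not part of the original article, and not LepideAuditor's code), the Python below runs the detection logic described above over constructed audit events in a hypothetical, simplified format: it flags the critical categories listed (permission changes, account modification and deletion, non-owner mailbox access), lists accounts idle beyond a threshold, and computes the 72-hour notification deadline from the first alert.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical audit-log format (not any real
# product's output): (timestamp, event type, actor, target).
SAMPLE_EVENTS = [
    ("2018-05-26T09:00:00", "FILE_READ", "alice", r"\\fs01\hr\payroll.xlsx"),
    ("2018-05-26T09:05:00", "PERMISSION_CHANGE", "bob", r"\\fs01\hr"),
    ("2018-05-26T09:07:00", "MAILBOX_ACCESS", "bob", "mailbox:carol"),
    ("2018-05-26T09:08:00", "MAILBOX_ACCESS", "alice", "mailbox:alice"),
    ("2018-05-26T09:10:00", "ACCOUNT_DELETED", "bob", "user:dave"),
    ("2018-05-26T09:12:00", "ACCOUNT_MODIFIED", "svc-backup", "user:bob"),
]

# Constructed directory data: last logon per account, for the inactivity check.
LAST_LOGON = {
    "alice": "2018-05-25T17:30:00",
    "bob": "2018-05-26T08:55:00",
    "erin": "2018-01-10T12:00:00",  # stale account, never cleaned up
}

# Event categories the article names as critical changes worth alerting on.
CRITICAL = {"PERMISSION_CHANGE", "ACCOUNT_DELETED", "ACCOUNT_MODIFIED", "MAILBOX_ACCESS"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def critical_alerts(events):
    """Return (timestamp, reason) for each event in a critical category.
    Mailbox access is flagged only when the actor is not the mailbox owner."""
    alerts = []
    for ts, ev, actor, target in events:
        if ev not in CRITICAL:
            continue
        if ev == "MAILBOX_ACCESS" and target == f"mailbox:{actor}":
            continue  # a user reading their own mailbox is normal activity
        alerts.append((parse_ts(ts), f"{ev} by {actor} on {target}"))
    return alerts


def inactive_accounts(last_logon, now, max_idle_days=90):
    """Accounts whose last logon is older than max_idle_days (assumed threshold)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(u for u, t in last_logon.items() if parse_ts(t) < cutoff)


def notification_deadline(first_alert_time):
    """The 72-hour reporting window runs from the moment the breach is identified."""
    return first_alert_time + timedelta(hours=72)
```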