Over the last couple of years, we have seen several ransomware hacks, such as the WannaCry NHS hack, the Sony Pictures hack over the release of The Interview, the SWIFT attack, etc.
One thing the above have in common is that they were all ransom attacks, whereby the criminals demanded money.
Ransom attacks are on the rise, and it is estimated that the number of people who have paid to get their data back is also on the rise.
The WannaCry ransom attack on the NHS was the biggest ransomware outbreak in history. The megatrend that has made ransomware a phenomenon is cryptocurrency, i.e. bitcoin. Bitcoin is the way criminals / hackers can collect a ransom.
Bitcoin is used as a ransom tool, more commonly in a targeted attack: for example, a company gets hacked and its databases are stolen or encrypted, and the hacker then contacts the company to ask for a payment in bitcoin. From a criminal's point of view, though, they don't really know what the right size for a ransom is. How can a criminal monetize company information? A criminal will not know how valuable the stolen data is.
However, in May 2018 this all changed, as we entered the era of GDPR, the "General Data Protection Regulation", which states that every organisation that stores data about EU residents can be fined up to 4% of its global annual turnover, or a £20million fine, if its customer information is leaked or it hasn't taken care of its customer data.
The general forecast is that criminals will try to seize this as an opportunity, hack into an organisation and steal its data. This will give hackers an opportunity to monetize the data and demand half of the fine the GDPR regulations would impose, e.g. 2% of the overall business revenue OR ~10million worth of bitcoin.
GDPR has now set a baseline on what criminals should request.
Companies must now enforce extra security measures to ensure they protect their data, such as those offered by Microsoft.
What are Microsoft doing to ensure companies remain compliant with GDPR?
Thankfully, Microsoft have several features / tools within Azure and Office 365 that help you track and manage your personal data.
Below is a list of some of the features / tools available to you in relation to Azure:
- Azure AD – Helps ensure only authorised users can access environments; it includes features such as Multi-Factor Authentication.
- Azure Information Protection – This allows you to classify, label and protect data, track usage and even revoke access. AIP also includes rich logging and reporting capabilities to monitor the distribution of data.
- Azure Security Center – Provides you with visibility and control over the security of your Azure resources. It continuously monitors your resources and provides recommendations which help prevent, detect and respond to threats.
- Data Encryption – Azure ensures your data is encrypted in transit and at rest.
- Azure Key Vault – Enables you to safeguard your cryptographic keys and certificates by using hardware security modules (HSMs), and is designed so that you maintain control over all your keys and therefore your data. Not even Microsoft can extract your keys.
- Log Analytics – Azure provides configurable security auditing and logging options that can help you identify and repair gaps in your security policies to prevent breaches. Additionally, Log Analytics helps you collect and analyse data generated by resources in either your cloud or on-premises environments. It provides real-time insights using integrated search and custom dashboards to readily analyse millions of records across all workloads and servers regardless of their physical location.
In relation to Office 365, below are some features that can help you protect your data:
- Data Loss Prevention – Strategy for making sure that end users do not send sensitive or critical information outside the corporate network.
- Advanced Data Governance – Intelligence to help you find and classify data, set policies and act on it.
- Advanced Threat Protection – Helps protect against sophisticated threats hidden in email attachments and links, and provides cutting-edge defences against zero-day threats, ransomware and other advanced malware attempts.
- Office 365 Threat Intelligence – Research threats from a dashboard, track phishing or malware aimed at your users, and search for threat indicators from user reports and other intelligence sources.
- Microsoft 365 is also an option for users. With Microsoft 365, everything is integrated. Microsoft 365 is available for Business, Enterprise and Education. With the Enterprise edition, you get a complete intelligent solution which brings the best out of Office 365, Windows 10 Enterprise, and Enterprise Mobility + Security, that empowers everyone to be creative and work together and
You can find out much more about being GDPR compliant here: https://www.microsoft.com/microsoft-365/partners/GDPR. The GDPR Compliance Manager is a data tracking system designed to ensure companies adhere to GDPR; you can log in to Compliance Manager here: https://servicetrust.microsoft.com/ComplianceManager. Compliance Manager enables you to perform real-time assessments on Microsoft cloud services. It provides actionable insights to improve data protection capabilities and simplifies the compliance process through built-in control management and audit-ready reporting.
With the growing number of customers moving to the cloud and the growing rate of cybercrime, there is a rising need for tools to help protect customer data. GDPR attempts to do this by forcing organisations to remain compliant. GDPR is all about respect and encourages organisations to build better relationships with customers. The fines imposed on organisations will certainly sharpen the focus for many organisations out there and remind them that they have a responsibility to look after customer data. It's not just about confidentiality; it's about integrity, accuracy and availability, and of course just plain good practice.
Source: https://www.youtube.com/watch?v=ZqNSoHFtGM0 – Mike Hyyponen.