Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.

Crime doesn’t pay… unless you’re in the ransomware business

Ransomware victims shouldn’t use their insurance firms to pay to get their data back because they’re inadvertently funding organised crime. That was the harsh message from Ciaran Martin, former head of the UK’s National Cyber Security Centre. As long as companies have incentives to pay ransoms, the problem won’t go away. In an exclusive with The Guardian, he said ransomware was “close to getting out of control”. The data supports his argument. Figures from Emsisoft indicate more than 2,000 organisations fell victim in the U.S. alone last year. 

Brian Honan endorsed Martin’s comments, saying that paying ransomware attackers “simply fuels an industry that targets other victims”. In a Twitter thread, he said: “Paying ransoms provides criminals with more funds to further develop their tactics. It also further motivates criminals to target more victims and to become more bold in their attacks.” Insurance firms or security companies that pay ransoms are “subtly endorsing” the criminals, he added. Ransomware isn’t just a threat by itself: it can also be a smokescreen for other kinds of attacks or intrusions. That was the warning from Matt Lock of Varonis, in an op-ed published on Help Net Security. And while we’re on the subject, you can download our free ransomware white paper here. 

Data protection developments

There’s so much data protection news this month, we’re rounding up some of the biggest developments in one place. First, the European Data Protection Board has introduced practice-oriented guidance on data breach notifications. It covers common scenarios like ransomware, data exfiltration; and lost or stolen devices and paper documents. The document is open for public consultation until Tuesday 2 March. Meanwhile ENISA released its report on pseudonymisation for protecting personal data. It explores advanced techniques, and use cases in healthcare and information sharing. 

Data breaches and international data transfers are the biggest concerns for in-house lawyers at corporates in Ireland. In a survey covered by the Irish Independent, 20 per cent don’t know if they process data about minors. Consequently, they can’t tell if they have suitable safeguards in place. Lastly, it looks like privacy advocates were right to worry about mass gathering of data to combat the Coronavirus. ZDNet revealed that Dutch police uncovered COVID-19 patient data for sale on criminal underground. 

Introducing BH TV. (Does this make us YouTubers now?)

We are delighted to unveil the BH Consulting YouTube channel. with content ranging from short informative videos to replays of longer webinars and presentations where we tackle a subject in more depth. To mark Data Protection Day in late January, we posted a series of videos on relevant topics like the role of a data protection officer, what is a data processing agreement, and data protection impact assessments. Our other videos look at subjects like cybersecurity risks, CEO fraud, and more. We will regularly update the channel, and we’re releasing a brand new video today, 9th February, to mark Safer Internet Day. 

Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here