Ever since the passage of the EU General Data Protection Regulation, or GDPR, all companies that handle the Personally Identifiable Information of EU citizens must take the necessary steps to protect the data they are responsible for – including small and medium-sized businesses.
Unfortunately, professional cyber criminals are constantly on the lookout for new vulnerabilities, such as a flaw in a commonly used OS program or application. When a flaw is discovered, attackers will typically have an exploit written to take advantage of the vulnerability in two weeks or less, often selling these exploits on the dark web.
Once this occurs, cyber criminals scan the internet for systems that remain unprotected against the new exploit. If they find a vulnerable system in your organization, they can then go on to hold your data hostage with ransomware, exfiltrate it for their own use, or install software to mine cryptocurrency.
Any of these outcomes can harm your business and damage public trust, but under the GDPR they can also result in massive fines of up to 4% of annual global turnover for grave infringements, or 2% of annual global turnover for lesser infringements. Major fines have already been levied against large organizations like British Airways and Marriott International, but most data breaches are opportunistic attacks against smaller companies unprepared for a sophisticated cyber attack.
The good news is that fines are not inevitable, even if you have been the target of a security breach. Three factors can affect a fine under the GDPR:
1: The amount of personal data compromised by the breach.
2: What steps the company took to prevent the breach from happening, such as putting detection capabilities in place.
3: What steps the company took after the breach occurred.
In other words, taking steps to defend against a breach not only makes a cyber attack less likely, it also protects you against large fines even if a breach occurs.
Defending Against a Data Breach
If you want to keep a data breach from harming your organization, traditional prevention tactics are no longer enough. You need to be able to predict, prevent, detect & respond to potential threats. For small businesses, this comes down to acquiring basic expertise in all these areas and the solutions to support your IT staff.
Predict Cyber Attacks
This includes the ability to scan your systems, identify internal and external threats, report on potential risks, determine your own ability to comply with regulations like the GDPR, and gain visibility into shadow IT. F-Secure Radar, our turnkey vulnerability management platform, can provide you with these capabilities.
Prevent Cyber Attacks
This includes the ability to defend against traditional threats such as malware, ransomware, spam, and online scams using an endpoint protection platform such as F-Secure Protection Service for Business.
Detect & Respond to Cyber Attacks
This includes the capability to detect an attack that has already succeeded in getting past your existing defenses, to respond to such an attack effectively, and to ensure it can never happen again. Detection & response is your best defense against attackers using innovative tactics or a zero-day exploit no one has seen yet. F-Secure Rapid Detection & Response is an easy-to-use, effective and automated way to stop cyber attacks before they can hurt your business.
Download our whitepaper How to Stop Data Breaches & Prevent GDPR Fines: A Data Breach Toolkit for Small and Medium-Sized Companies to find out how to predict, prevent, detect & respond to data breaches and the fines that they can cause. We’ll also tell you how F-Secure products and services can help you do so.