Video


GDPR and cybersecurity - what can we learn by analyzing the previous cyber attacks?

Posted: by Jan Nawrot

Category: cybersecurity

The security of critical business information is a matter of appropriate procedures and documents, but – above all – the resource security in terms of technology. What did the latest cyberattacks look like and how can you protect yourself and your company from them?

In the article you can find:

  • information about cyberattacks and the role of the GDPR,
  • explain why Meltdown and Specter are a serious cyberthreat,
  • suggestions for action against cyberattacks.

The security of critical business informationis a matter of appropriate procedures and documents, but – above all – the resource security in terms of technology. Even a cursory case study of cyberattackscarried out to date shows that there are plenty of backdoors that cybercriminals can use to get to the company resources. That is why it is important to know the basic mechanisms of cybercriminals and keep up to date with information about the carried out cyberattacks.

Cyberattacks and GDPR

The majority of companies strongly focus on their security, in connection to the introduction of new European guidelines on the protection of personal data – GDPR (General Data Protection Regulation). It’s understandable and reasonable, but you need to keep in mind that protecting the personal information is not enough! Companies possess a lot of critical information and resources that should be particularly protected, e.g. know-how, contracts and data on employment procedures, non-disclosure agreements (NDA) and non-compete agreements (NCA), databases, payrolls, technologies and recipes, etc.

The imagination of cybercriminals knows no bounds. Every day, the Internet brings new technical safety information, which is used for various purposes – also to get through the security measures. Attacks are carried out not only for financial reasons, but often also for fun and to test one’s skills. One of the examples of such attacks was the activity of the LulzSec group, based on very simple mechanisms and obviously aimed at creating the media buzz.

Another example which can make us realise that nowadays nobody can feel safe was the Melissa virus – one of the first mail worms that infected a great number of computers and showed that, by exploiting human ignorance and naivety, you can break through almost anyresource security.

Cyberattacks – Meltdown and Spectre

The recent hot topic was the detection of Meltdown and Spectre vulnerabilities, posing a serious threat to devices using Intel processors, and partly – AMD and ARM. The flaws in the processors responsible for cache, existing for over 20 years, were reported by Google scientists. Thus, a debate about the security level of devices with these processors began. In a nutshell, Meltdown is a weakness that allows a direct access to the data stored in the processor cache, and Spectre is actually two threats classified as CVE-2017-575 (bounds check bypass) and CVE-2017-5715 (branch target injection). Meltdown patching is fairly simple, but requires security updates for operating systems, which may result in slowing down the computers (according to some estimates – up to 30% in case of operations on large databases or specific applications). The issue regarding Spectre looks a bit more serious, because in theory, it is not possible to patch one of its 2 variants.

Although Meltdown and Spectre attacks are unlikely to be experienced by the average Joe (provided that he has updated his web browser), cloud companies, providers of hosting or any other internet services should take such risks into account. In the case of those types of threats, it is good to follow the latest information and recommended resource security.

Cyberattacks - what actions to take??

Keeping track of the information about cyberattacks allows you not only to be up-to-date with existing threats and react efficiently, but also to anticipate and prevent dangers. That’s because most of them use similar general mechanisms and provide the basis for introducing special security measures. Characteristics of specific cyberattacks with an expert commentary and inspirations regarding the security of critical information can be found in the cybersecurity category on the Lemlock blog. The awareness of our own vulnerabilities, gained by studying the attacks, usually gives the answer to the following questions:

When looking for an answer, it is good to rely on consultations with experts. Either way, the knowledge about the types of threats to information security key resources is at your fingertips.

Lemlock ebook. Expert Guidebook: Three vievs on cybersecurity
Udostępnij
Read more:
Step-by-step preparation for GDPR - checklist
GDPR

Step-by-step preparation for GDPR - checklist
An overview of the Regulation and its most frequently discussed issues
GDPR

An overview of the Regulation and its most frequently discussed issues
How was GDPR introduced? Facts.
GDPR

How was GDPR introduced? Facts.
Are you interested in a comprehensive solution
for your data security?
Consent to  data processing for contact purposes
I confirm that I have read the  information clause of Sagiton Sp. z o.o.

I hereby give consent to the processing of my personal data by the Personal Data Controller (hereinafter: "PDC") – Sagiton Sp. z o.o. ul. Fabryczna 19, 53-609 Wrocław, within the scope of: full name, e-mail address or telephone number, for the purpose of sale of products and services of Sagiton Sp. z o.o. and for the purpose of sending me feedback and making contact with me by Sagiton Sp. z o.o.

At the same time, I acknowledge that: at any time I can request the removal of my personal data from the PDC Sagiton Sp. z o.o. database, by sending an e-mail to [email protected], or a letter to Sagiton Sp. z o.o., ul. Fabryczna 19, 53-609 Wrocław, with a statement containing the relevant request, which shall result in the deletion of my personal data from the PDC Sagiton Sp. z o.o. database; I have the right to access my data; providing my data is voluntary, however refusal to provide it is tantamount to not receiving information regarding sale of products and services of Sagiton Sp. z o.o., as well as not receiving feedback and making contact with me by Sagiton Sp. z o.o.

In accordance with Art. 13 section 1 of the General Data Protection Regulation of 27 April 2016, (GDPR), we would like to inform you that the controller of your personal data is Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław, e-mail: [email protected].

Your personal data shall be processed within the scope of: full name, e-mail address and/or telephone number in order to answer your question/request for contact and send feedback – pursuant to Art. 6 section 1 (a) of the GDPR, i.e. consent to the processing of personal data.

The data controller would like to inform you that your personal data shall not be disclosed to third parties.

Your data shall not be transferred outside of the European Economic Area or to international organizations.

Your personal data shall be processed until you withdraw your consent to the processing of data, as well as if the purpose for processing this data shall no longer be applicable.

You have the right to access your personal data, rectify it, delete it, restrict its processing, the right to transfer it, as well as the right to object.

In the case of giving your consent, you have the right to withdraw it at any time. Exercising the right to withdraw the consent does not affect the processing carried out before the consent was withdrawn.

You have the right to lodge a complaint with the supervisory body, i.e. the President of the Office for Personal Data Protection, ul. Stawki 2, 00-193 Warsaw.

Providing your personal data is a prerequisite for making contact with you by Sagiton Sp. z o.o. with its registered office at ul. Fabryczna 19, 53-609 Wrocław. In the case of not providing your personal data, Sagiton Sp. z o.o., shall not be able to contact you.

The Data Controller, Sagiton Sp. z o.o., would like to inform you that they shall not use your personal data for automated decision-making, which is based solely on automated processing, including profiling, and has legal effects for you or affects you significantly in a similar way.

Let's stay in contact