How does lack of GDPR preparation affect ransomware?


The Big Picture: Lack of preparation for GDPR can raise the liability exposure for a ransomware attack. Learn why during this short video with ESG's Sr. Research Analyst Christophe Bertrand.


- Hi, Dave Littman, Truth in IT, joined by Christophe Bertrand, senior analyst with Enterprise Strategy Group. Christophe, welcome.

- Hey Dave, how are you doing?

- Hey, I'm doing well. We have been talking about GDPR and data protection, and it sort of brings us into a bit of an evolution of the story of many of the data protection vendors who for the past couple years have really been focusing on ransomware, and now there's a GDPR story, right, for many of these companies because they want to help their customers and partners be prepared. But help us understand how the two are connected, ransomware and GDPR.

- Well, they are and they're not. Ransomware is a very different source of complexity for organizations. So obviously in GDPR, because of its focus on data privacy and ensuring that the state of the art is used in terms of technology, there is a very strong focus on security. Cyber security. But also the fact that you have to tell people if data about them has been breached in any way. There's a 72-hour requirement to do so. It turns out that if you've done all the right things, the data's been encrypted, even if a breach happens, typically ransomware or some sort of cyber attack could be the source of that. Or one of the vectors and mechanisms. But yeah, if you've done your homework then you might be okay, you might still be compliant instead of having fended off the attack. So I think ransomware definitely will have this sort of domino effect of non-compliance for many organizations. That's why you still need to focus on ransomware, on protecting yourself from cyber attacks, this is a security conversation here. But of course backup and recovery comes into play because again with GDPR one of the requirements is you have to be able to recover and protect data that way. And if you can't recover it because the data's been totally destroyed for example, maybe it hasn't been accessed but let's say the backup has been fully encrypted. Well then you are non-compliant potentially as well. So as you can see, ransomware is probably not the main issue when it comes to complying or not complying; it is going to be an important factor to consider as you look at how you design and devise your GDPR infrastructure from a storage perspective, from a data protection and backup perspective. You can't ignore the risk.

- Yeah, fabulous. Okay great, well, it sounds like it's like just another form of disaster planning. It's just another type of disaster, but many of our audience have been experienced in recovering from fires, floods and human error kinds of things. This sounds like it's along similar lines.

- Yeah, absolutely, it's a logical sort of disaster in many ways. The research we have here at ESG certainly points to the fact that the vast majority of organizations are very concerned about ransomware. There's no doubt that it's at least 75% have told us that they've experienced a ransomware attack on a daily basis, which is pretty amazing when you think about where we were only a few years ago. So I would say lots of concern in the market, we're seeing this from the research perspective on our end here at ESG. Lots of interest in GDPR. Lack of preparedness around GDPR, again if you look at who thinks they're actually prepared for GDPR and we're past the date already and we asked that recently and it was in the 12% already. Most organizations were not ready, that's what our research identified. So there's lots of works, concerns with ransomware. We know that ransomware is not stopping, it's only getting worse. We certainly have data that proves that. At the same time, lack of preparedness, not quite there yet on GDPR. Great opportunity to use GDPR as a way to improve, as a way to get better at fending off ransomware and of course protecting data, and in doing so by being compliant and improving the ability to make privacy requirements.

- Okay, fabulous Christophe, thank you again for taking the time to speak with us today. Again, Christophe Bertrand, senior analyst with Enterprise Strategy Group, I'm Dave Littman at Truth in IT. Thanks again Christophe for helping us get to the bigger truth on GDPR.

- Thank you Dave.

- Thanks for watching.