GDPR compliance needs more incidents than fines

Everyone will remember the psychological terrorism based on “fines of 4% of the world turnover” which accompanied the entry into operation of the GDPR and which, in the minds of many, was supposed to generate widespread “compliance”. However, this deterrent has turned out to be little more than a scarecrow: if we exclude the fines (which are, in any case, proportionally not very painful) imposed on some giant of the banking or telecommunications sectors, at “human” levels the figures are so low that they induce the data controller to take the risk. I will never forget the words of the CEO of a company who, fined thirty thousand Euros, said to me: “Counselor, had I done in full what the law required in the past twenty years, I would have spent over four hundred thousand Euros. This way, with less than a tenth of that, I got away with it: it’s fine, and we are not even going to appeal”.

On the contrary, in a sort of collective suicidal madness, the “accidents” – or rather: attacks made possible by superficial management of information systems and of relations with suppliers – have increased the number of data-breach reports, even in cases where it would not be mandatory to declare that the blow had been taken. It is almost as if confessing security mismanagement were a boast rather than an admission of failure.

Why is this happening, and why now and not before?

Firstly, thanks to the internet, the results of these actions become public and cannot be swept under the carpet anymore. It is hard to deny that something happened when the perpetrators themselves spread the news of their achievements, or when half of Europe or half of Italy is shut down, and you cannot blame someone who inadvertently pulled the plug of the UPS on the CFO’s computer. Unlike in the past, imposing silence serves very little purpose.

The spread of the news of an “incident” inevitably generates a SODDI (“some other dude did it”) defence – the other dude being, typically, the supplier or the consultant. At the same time, facing a real probability of an official inspection and/or legal action, the race also starts to fix policies and papers, in the widespread – and erroneous – belief that official checks and legal disputes can be managed by producing evidence of “paper-based compliance”.

In conclusion, and paradoxically, if substantial attention to the security of information and information systems grows, it will be thanks to (thanks to, not “by fault of”) LulzSec_ITA, Anonymous and the many other people exposing the hypocritical fragility of public and private infrastructures. By the way, these groups should be credited (and paid) for carrying out real penetration tests, whose results are factual and not, as usual, glittering, colourful reports that are fake and useless.

Little has changed in the last thirty years: this is the same approach that led the German Chaos Computer Club to expose the insecurity of ATMs at the time, and many other geeks (Italians included) to naively publish their discoveries of vulnerabilities in appliances and software, in exchange for damage claims in the billions (never actually pursued, for fear of being exposed) from the “guilty” manufacturers.

It must also be said, however, that old habits die hard and therefore, despite the “unfortunate accident”, rather than doing something to improve their own condition, many entities will return to “business as usual”, made of the “definition of a risk assessment framework based on AI algorithms that implement threat-prediction functionalities in an evolutionary redesign of a GDPR-compliant, high-resilience cybersecurity infrastructure”.

Thus, once the shock of the moment is gone, the merry-go-round starts again as before: come on, ladies and gentlemen, another round, same emotions!
