Data leaks have taken off like never before in 2020. Such is the conclusion of the new Data Breach Barometer. This study has been unveiled during a thematic breakfast hosted by the International Cybersecurity Forum in partnership with audit and consultancy firm PwC France and Maghreb, insurance broker Bessé, and with the contribution of the CNIL (National Commission on Informatics and Liberty).
How cyberattacks have evolved in France, how to avoid data leaks… here is a summary of the study’s findings.
French data leak overview
The personal data of more than one million French residents was compromised in the first half of 2020. Such high numbers are unprecedented: about 4.5 data thefts were recorded every day in 2018, versus 7 a day in 2020.
This increase can be explained by several factors, the first being the growing professionalisation of cybercrime. The digitisation of society also increases exposure to data leaks. A further cause, this time a positive one, is rising awareness among organisations, which report data leaks to the CNIL more frequently.
The most affected sectors are, unsurprisingly, those that hold or process the most sensitive data. The main victims of data leaks in 2020 were therefore public services, followed by the scientific and technological sectors (research centres, laboratories, universities…), banks and insurers, and the health sector.
While 52% of data leaks are indeed caused by malicious acts (a physical theft or a cyberattack), 33% of cases stem from accidents such as operational and programming errors. That percentage has increased by 7% since 2018.
Among the malicious acts behind data leaks reported in 2020, the sharp rise in ransomware attacks stands out. In addition to holding organisations’ sensitive data hostage through encryption, the attackers sometimes also threaten to publish the information to put further pressure on the affected organisations. On this point, the ANSSI (French National Cybersecurity Agency) has recorded a 92% increase in interventions for ransomware attacks.
Besides large companies, local authorities, SMEs and ETIs (mid-sized companies) are frequently targeted by this kind of cyberattack, which leaves them with badly damaged reputations and heavy operating losses. In some cases, their very survival is at stake.
Nowadays it is no longer a question of whether we will suffer a data leak, but of when. “As the cybercriminal underworld becomes more professional, everyone can be a victim today. Sectors and organisations in all shapes and sizes are concerned by this,” explains Gaston Gautreneau, an expert in the CNIL’s technology expertise department.
Data protection: rise in mass awareness
In force since May 2018 to strengthen the legislative framework, the General Data Protection Regulation (GDPR) granted new rights to citizens and to the users and clients of digital services. The GDPR also obliged businesses to take the stakes of data protection into account.
Bertrand Pailhès, Technologies and innovation director for the CNIL, has positive feedback to share after three years of GDPR implementation: “The GDPR has convinced a very large number of people to comply with standards. As a result we observed that investments in data protection from organisations greatly increased. In addition, the GDPR has set an example for the entire world and is an inspiration for many territories, including India and California.”
The health crisis and the spread of teleworking have also increased interest in data protection. The number of DPOs (Data Protection Officers) in metropolitan France thus rose from 11,000 in 2019 to 21,000 the following year.
How to protect oneself from data leaks
Sandrine Cullaffroz-Jover, a lawyer specialising in digital activities and partner at PwC Société d’Avocats (law firm), proposes several measures to fight data leaks:
- Carry out a DPIA (Data Protection Impact Assessment): The goal of this assessment is to map how data is processed within the organisation, evaluate the risks, and study the effects a potential data leak would have on users’ privacy. Ultimately it helps the organisation protect itself against cyberattacks.
- Raise awareness: “Cyberattacks are frequently facilitated by a human factor and are not always maliciously brought about,” explains Sandrine Cullaffroz-Jover. Raising awareness among all users, so that they adopt good habits and avoid accidentally breaching their organisation’s information system (IS), is therefore crucial.
- Take appropriate technical measures: Several measures can protect an organisation from data leaks, for instance encrypting sensitive data. It is of course imperative to back up data frequently so as not to be paralysed if an attack occurs. “Another simple measure to be put into practice is the minimisation of data. It works on the principle of deleting obsolete and no-longer-used data. The division of the network is also important,” continues Gaston Gautreneau.
- Lay down the necessary legal measures:
A key factor in preventing data leaks is keeping up with current standards. Appointing a DPO and properly securing contractual relations with third parties are also key.
- Write down a crisis management procedure:
To be truly prepared for data leaks, it is vital to establish a crisis management procedure. It must be put through its paces with the aid of breach tests and simulated attacks. These tests help streamline the procedure and build the muscle memory needed for optimal crisis management.
- Purchase cyber insurance:
“Cyber insurance contracts are built around a shared framework revolving around 3 topics: providing assistance during a crisis, coverage of operating losses, and civil liability,” explains Christophe Madec, client advisor and cyber expert for Bessé.
“Currently 87% of large businesses have purchased coverage from cyber insurance companies, in comparison to 8% of ETIs,” he comments.
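As an added illustration of the data-minimisation measure described above (not code from the study, the CNIL or any of the speakers), here is a small retention sweep in Python. It applies a constructed per-category retention policy, measured from each record’s last use, and sorts records into those to keep, those to delete because their retention period has elapsed, and those whose category the policy does not cover, which are set aside for review rather than deleted blind or silently kept. The categories, retention periods, sample records and reference date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention policy (an assumption for this example): number of days
# a record may be kept after its last use before it counts as obsolete.
RETENTION_DAYS = {
    "customer_account": 3 * 365,
    "marketing_contact": 365,
    "support_ticket": 2 * 365,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_used: date


def classify(record, today, policy=RETENTION_DAYS):
    """Return 'keep', 'delete' or 'review' for one record.

    'review' is returned when the category is not covered by the policy:
    uncatalogued data is neither silently retained nor deleted blind; it is
    escalated so that someone assigns it a retention period first.
    """
    days = policy.get(record.category)
    if days is None:
        return "review"
    if today - record.last_used > timedelta(days=days):
        return "delete"
    return "keep"


def minimisation_sweep(records, today, policy=RETENTION_DAYS):
    """Sort records into the three buckets according to the retention policy."""
    buckets = {"keep": [], "delete": [], "review": []}
    for record in records:
        buckets[classify(record, today, policy)].append(record)
    return buckets


SAMPLE_TODAY = date(2020, 7, 1)  # constructed reference date for the sweep


def sample_records():
    """Constructed sample data; the dates are chosen to hit each outcome."""
    return [
        Record("acc-1", "customer_account", date(2018, 1, 1)),   # 912 days, within 3 years: keep
        Record("mkt-1", "marketing_contact", date(2019, 5, 1)),  # 427 days, past 1 year: delete
        Record("mkt-2", "marketing_contact", date(2019, 8, 1)),  # 335 days, within 1 year: keep
        Record("tkt-1", "support_ticket", date(2020, 2, 10)),    # recent: keep
        Record("leg-1", "legacy_export", date(2015, 6, 30)),     # category not in policy: review
    ]


def run_sample():
    """Run the sweep on the sample data and return record ids per bucket."""
    buckets = minimisation_sweep(sample_records(), SAMPLE_TODAY)
    return {name: [r.record_id for r in recs] for name, recs in buckets.items()}


if __name__ == "__main__":
    for name, ids in run_sample().items():
        print(f"{name:6s} {ids}")
```

In practice the "delete" bucket would feed a logged, reviewable deletion job, and the "review" bucket is the one worth watching: records that fall outside the documented processing map are exactly the data a DPIA should have catalogued.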
Testimony of a victim: the city of Marseille
Few data leak victims are willing to talk publicly about their experience. Nicole Jamgotchian, DPO of the city of Marseille, has agreed to look back on the ransomware attack that hit the city on 13 March 2020, the day before the first round of the municipal elections.
The IS of the city of Marseille is very large: it comprises 1,300 servers, 450 applications and 270 interconnected websites, serving 800,000 residents. “Database administrators have very quickly identified the encryption of some apps. Their first reaction was to shut down the entire network by disconnecting the servers,” relates Nicole Jamgotchian.
Despite these measures, 90% of the servers and 4,700 machines were affected. Thanks to intact backups, the data could fortunately be restored quickly to the various applications. Coordination between internal and external actors (providers, police departments, judicial services, the CNIL…) was instrumental in overcoming the crisis.
This new and instructive edition of the Data Breach Barometer shows the scale of the rise in cyberattacks in France. The speakers at the thematic breakfast shared their knowledge and experience to raise organisations’ awareness of good practices. The topic will be explored more broadly at the FIC, which will take place from Tuesday 7 to Thursday 9 September at Lille Grand Palais.