Expert warns UK companies to strengthen cybersecurity amid Sony's ransomware attack

The ransomware gang have stated that Sony refuses to pay the ransom, and instead are threatening to sell it on the 28th September. In the past, Ransomedvc have asked for between $54,000 and $218,000 in ransom, which they state is cheaper than a GDPR fine.

A GDPR fine for Sony could set them back €20 million or 4% of annual global turnover, whichever is highest. In this case, 4% of Sony's annual turnover would be $3 billion, which is a huge fine to pay.
Compliance training service, Skillcast warn that SMEs face heightened vulnerability due to weaker security infrastructure and advise that cybersecurity should be prioritised.

SMEs are often seen as easier prey for malicious actors and the rising threat of ransomware attacks can often cripple smaller organisations. To help prevent this, Skillcast have provided ten essential safeguarding tips that SMEs should consider:

1. Regular Backups - Frequently backup critical data to offsite locations. Ensure backups are secure and regularly tested for restoration.
2. Educate Staff - Train employees on recognising phishing emails and suspicious links. Employee awareness is your first line of defence, without this they know what to be aware of and can fall prey as phishing emails become increasingly more sophisticated.
3. Update Software - Keep operating systems and software up-to-date with security patches. Cybercriminals often exploit outdated software as it is easier to bypass.
4. Multi-Factor Authentication - Implement MFA wherever possible. It adds an extra layer of security against unauthorised access and will often deter cybercriminals as they search for easier targets.
5. Network Security - Invest in robust firewall and intrusion detection systems to monitor network traffic for anomalies.
6. Incident Response Plan - Develop a comprehensive response plan for cyber incidents and make sure employees know what to do when an attack occurs. This can help a business effectively mitigate, contain, and recover from cyberattacks.
7. Cyber Insurance - Consider obtaining cyber insurance to mitigate financial losses in case of an attack, as this can provide a safety net for unexpected expenses associated with system compromises.
8. Employee Access Control - Limit employee access to sensitive data to only what is necessary for their role and have a system in place to regularly review and update access permissions.
9. Regular Audits - Conduct regular security audits and penetration testing to identify vulnerabilities proactively. This is essential to help a business understand weak spots that cybercriminals may find easier to target.
10. Stay Informed - Stay updated on the latest cybersecurity threats and trends. The landscape can evolve rapidly, with new threats emerging and attackers constantly adapting their tactics to exploit vulnerabilities.
If Sony were to face a GDPR breach then there are a number of factors that influence the size of the penalty.

1. Gravity, nature & duration of breach
2. Personal data categories affected
3. Negligent or intentional infringement
4. Actions taken to mitigate the damage
5. Degree of responsibility of data controller/processor
6. Previous data breach infringements
7. Cooperation with supervisory authorities
8. Aggravating or mitigating factors (e.g. financial benefits gained from the infringement)