GDPR is taking many of us by storm --- but this is one storm Information Security can enjoy. (At least, I am.)
The early warning signs were the webinars --- courtesy of ISC2, ISACA & other such organizations --- which provided a pretty good idea of what to expect & how to deal with it.
The organization I'm with and its related 3rd parties aren't affected by GDPR, so I didn't see much change in my working environment. But thanks to online services, location isn't a limiting factor.
A major change in 'the weather' has been in my inbox, with email requests to update profile settings related to privacy, courtesy of GDPR. All people using online services whose providers must comply with GDPR are likely to be getting such emails, and this is where an opportunity crops up...
No doubt everyone here knows about phishing. The old style was to lure victims in with offers, including cash and jobs, but nowadays most people have a decent level of awareness & would disregard such things. What might be harder to see through is an email asking you to update your settings on a site --- you'll often have to validate sender addresses & the like to detect a deception --- so attacks using this pretext have a better chance of success.
GDPR could give hackers a card to play here, as users having some idea of GDPR are very likely to respond to emails that cite it. Someone getting a flood of emails from organizations requiring profile updates to comply with GDPR might not be too cautious when dealing with these, as opposed to dealing with a single email.
Organizations hurrying to ensure that they are compliant should take note of this & bolster their employee awareness campaigns, while end-users should keep up their cautiousness.
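The sender-address check described above, turned into a small triage script as an added example (not part of the original post): it flags a GDPR-themed "update your profile" message when the Reply-To domain or the linked hosts do not match the sender's domain. The two messages and all domains in it are constructed for illustration, and the registrable-domain heuristic is deliberately crude.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real emails). SUSPECT mimics the GDPR
# profile-update lure; LEGIT is what a genuine notice from the same sender
# would look like, with links back to its own domain.
SUSPECT = """\
From: Example Bank Privacy Team <privacy@examplebank.com>
Reply-To: updates@examplebank-gdpr-portal.com
Subject: Action required: GDPR profile update
Content-Type: text/plain

Due to GDPR we must update your profile settings.
Please confirm your details at http://examplebank.profile-update.net/login
"""

LEGIT = """\
From: Example Bank Privacy Team <privacy@examplebank.com>
Subject: GDPR: our updated privacy notice
Content-Type: text/plain

Under GDPR we have updated our privacy notice.
You can update your settings at https://www.examplebank.com/privacy
"""

LURE_WORDS = ("gdpr", "update your profile", "update your settings", "confirm your details")

def registrable_domain(host):
    # Crude heuristic: last two labels of the host (fine for the .com/.net samples).
    return ".".join(host.lower().split(".")[-2:])

def assess_email(raw):
    """Return a list of findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    from_domain = registrable_domain(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    findings = []
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in LURE_WORDS):
        findings.append("gdpr-themed update lure")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable_domain(reply_to.split("@")[-1]) != from_domain:
        findings.append("reply-to domain differs from sender domain")
    for host in re.findall(r"https?://([^/\s]+)", body):
        if registrable_domain(host) != from_domain:
            findings.append(f"link to {host} does not match sender domain")
    return findings

def is_suspicious(raw):
    # A lure alone is normal in a GDPR season; a lure plus a domain mismatch is not.
    findings = assess_email(raw)
    return "gdpr-themed update lure" in findings and len(findings) > 1
```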
Anyone concluding that this post's title should have started with the words 'Con artists' is absolutely right.
Shannon D'Cruz,
CISM, CISSP
www.linkedin.com/in/shannondcruz