Don’t Let Static Passwords Undermine your GDPR Compliance
Regardless of geography, if your organization collects and stores personal data regarding EU citizens, then the General Data Protection Regulation (GDPR) applies. The upcoming May 25 milestone is more of a beginning than an end: it marks only the start of enforcement, while the requirements laid out in GDPR are ongoing.
Some key requirements of GDPR include “Privacy by Design” and “Privacy by Default”. These principles require companies to factor data privacy into the design phase of every project and into their operational procedures. As long as organizations encounter change and implement new projects, GDPR will be an ongoing consideration, not just a one-time compliance date. Fail to comply and you can expect to pay the greater of 4 percent of your global revenue or €25 million.
Authentication controls are a key component of protecting access to sensitive information. While GDPR does not require multifactor authentication, it does require sufficient security controls to be in place. If access procedures or controls are found to be insufficient, organizations could be found to be in breach of GDPR. This means you need to know everywhere sensitive information exists and who has access to it, and to ensure that strong authentication controls are in place.
GDPR takes a risk-based approach by requiring organizations to perform ongoing risk assessments. Unfortunately, real-world incidents have shown time and again that passwords alone are insufficient to protect sensitive data. In fact, other regulations, including PCI-DSS and FFIEC, have gone as far as requiring multifactor authentication in specific situations, and it is possible that a future iteration of GDPR could do the same. Passwords are simply losing their effectiveness as a sole line of defense.
To make matters worse, password complexity requirements have become so cumbersome that employees are actively undermining password effectiveness by writing passwords down or storing them insecurely. A recent SailPoint Market Pulse survey even found that one in five employees would sell their passwords to an outsider. The most common authentication control, the password, is increasingly appearing to be unfit for purpose. Implementing strong authentication tools such as multifactor authentication can go a long way toward addressing this risk.
The renewed focus on privacy prompted by the GDPR provides an excellent opportunity to revisit your authentication tools and procedures. As you plan and execute your GDPR approach, take the opportunity to eliminate static passwords wherever possible and replace them with next-generation authentication solutions that provide contextual, behavioral and more convenient options for your users.
The GDPR is here to stay and May 25th is just the beginning. Combining a “least privilege” approach to managing data with strong authentication tools will have you off to a great start with compliance. Deploying these tools will also help you move beyond the dated concept of a static password and prepare your organization for future regulations and requirements to keep sensitive data secure.
Author: Jeff Brown