It has been more than a year since the General Data Protection Regulation (GDPR) came into effect and businesses are starting to feel the impact. Recent fines issued by the Information Commissioner’s Office (ICO), the UK’s data protection body, have been a wake-up call for organisations. This past July, the ICO fined British Airways £183.39 million for a 2018 data breach that led to 500,000 of its customers’ personal data being collected by a fraudulent website. The following day, the ICO fined Marriott International over £99 million for a security breach during which 339 million guest records were exposed.
GDPR compliance in the UK
According to this GDPR Data Breach Survey, the UK has had one of the largest reported numbers of data breaches in the EU over the past year, with approximately 10,600 notified breaches. A recent survey of UK GDPR decision-makers revealed that 52 percent of businesses are not fully compliant with GDPR. Over 35 percent admitted that the regulation has become less of a priority for their organisation in the last 12 months. Whether this relaxed attitude is related to the impending Brexit or not, organisations cannot risk complacency, as the UK will still have to comply with GDPR even after it leaves the EU.
GDPR or not, cyber security remains a challenge in the UK. Recent research by Gemalto found that nearly half of UK organisations can’t detect IoT device breaches. Even when UK businesses do detect breaches, they delay disclosure, taking anywhere between three weeks and 142 days to report a breach.
The biggest threat to GDPR compliance
Passwords may be a small part of the GDPR requirements, but they present the easiest way to gain unauthorised access to personally identifiable data. Even though GDPR doesn’t address password compliance specifically, it does state that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data.”
To help organisations follow GDPR data privacy compliance, the ICO has updated its guidance to provide password recommendations under GDPR. The ICO oversees the rollout of the GDPR and is committed to helping businesses meet GDPR requirements. Unfortunately, many organisations struggle to adopt new trends in password security.
A GDPR-proofed password policy
According to the ICO guidance, a good password system should not store passwords in a usable form, and should protect against brute-force or guessing attacks. The system should do this without placing an additional burden on users. Complex password rules are ineffective against today’s password attacks and can even drive poor password practices.
The ICO recommends the following password policy settings:
- Password length: minimum length should be ten characters and there should be no maximum;
- Password complexity: allow special characters, but don’t mandate them;
- Password blacklisting: block the use of common and weak passwords. Screen passwords against a blacklist of the most commonly used passwords, passwords leaked in breaches, and guessable words related to the organisation. Update the blacklist annually and explain to users why their passwords have been rejected. A password blacklist could be a feature of the software you use or come from lists available online;
- Password expiry: get users to create strong passwords and only set password expirations when there are pressing reasons, such as a data breach.
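The four settings above can be enforced in one screening routine. The following is an added example written for this article, not code from the ICO or from Specops; the blacklist, organisation terms and leet-substitution table are constructed placeholders that an organisation would replace with its own breached-password list and company vocabulary. Note what the check deliberately does not do: it sets no maximum length and mandates no character classes, and every rejection comes back with a reason that can be shown to the user.

```python
"""Password screening that follows the ICO password recommendations above:
minimum length, no forced complexity, and a blacklist of common, breached
and organisation-related words. Added example; not the ICO's or Specops' code."""
import re

MIN_LENGTH = 10  # ICO: at least ten characters, and no maximum is imposed

# Constructed sample blacklist. In production, load the most common and
# breached passwords from a file or a blacklist service and refresh it yearly.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "password1", "iloveyou",
}

# Constructed example of guessable words related to the organisation
# (company name, product names, office location). Hypothetical values.
ORG_TERMS = {"acme", "acmecorp", "widget"}

# Simple character substitutions that guessing tools try routinely, so that
# "P@ssw0rd" is screened as "password" rather than slipping past the blacklist.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def load_blacklist(lines):
    """Build a blacklist set from an iterable of lines (e.g. an open file).

    Entries are lower-cased and stripped; blank lines and '#' comments are skipped.
    """
    result = set()
    for line in lines:
        entry = line.strip().lower()
        if entry and not entry.startswith("#"):
            result.add(entry)
    return result


def normalise(password):
    """Reduce a candidate to the 'core' word an attacker would guess.

    Trailing digits and punctuation are dropped first ("password123!" -> "password"),
    then the result is lower-cased and leet substitutions are undone.
    """
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET_MAP)


def check_password(password, blacklist=COMMON_PASSWORDS, org_terms=ORG_TERMS):
    """Return the list of reasons a password is rejected; an empty list means accepted.

    The reasons are written to be shown to the user, as the guidance asks.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    core = normalise(password)
    if password.lower() in blacklist or core in blacklist:
        reasons.append("matches a commonly used or breached password")

    for term in sorted(org_terms):
        if term in core:
            reasons.append(f"contains a word related to the organisation ({term!r})")
            break  # one organisation-term reason is enough for the user
    return reasons


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123", "short", "AcmeCorp2024!", "correct horse battery staple"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The passphrase in the last test case is accepted even though it contains no digits or symbols, which is the point of the ICO's "allow, don't mandate" rule; the first case is rejected despite its mixed characters because, once normalised, it is simply "password".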
A free tool for GDPR
Besides having a strong password policy, you should proactively monitor for suspicious activity. GDPR requires organisations to detect and report breaches within 72 hours. This free tool, Specops Password Auditor, helps you identify the following security weaknesses in your organisation with a quick scan:
- Accounts using compromised passwords
- Accounts with expired passwords
- Accounts with password expiration approaching
- Accounts using identical passwords
- Accounts not requiring passwords
- Accounts without a minimum password length requirement
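The findings in the list above are the kind of thing an audit can derive from account metadata alone, without ever seeing a cleartext password. The following is an added example for illustration, not Specops Password Auditor's code or output format; the account records, their hash strings and the schema (user, pw_hash, password_required, last_set) are constructed placeholders. It flags accounts that require no password, accounts whose password has passed or is approaching the organisation's configured maximum age, and groups of accounts sharing an identical password (detected by identical stored hash, which is only meaningful when the store uses a per-user salt consistently or, as here, is a constructed sample).

```python
"""Account audit over constructed sample data. Added example; not Specops' code.
Flags: no password required, expired, expiring soon, identical passwords."""
from collections import defaultdict
from datetime import date

# Hypothetical account records as an auditor might export them from a directory.
# pw_hash values are placeholders, not real hashes.
ACCOUNTS = [
    {"user": "alice",      "pw_hash": "hash-A", "password_required": True,  "last_set": date(2019, 1, 10)},
    {"user": "bob",        "pw_hash": "hash-B", "password_required": True,  "last_set": date(2019, 8, 1)},
    {"user": "carol",      "pw_hash": "hash-A", "password_required": True,  "last_set": date(2018, 6, 1)},
    {"user": "dave",       "pw_hash": "hash-D", "password_required": True,  "last_set": date(2018, 8, 20)},
    {"user": "svc_backup", "pw_hash": None,     "password_required": False, "last_set": None},
]


def audit_accounts(accounts, today, max_age_days=365, warn_days=14):
    """Return a dict of finding category -> affected users.

    max_age_days is the organisation's own expiry setting (the ICO advises
    expiry only for pressing reasons, so this may be large); warn_days is how
    far ahead of expiry an account is reported as 'expiring_soon'.
    """
    findings = defaultdict(list)
    users_by_hash = defaultdict(list)

    for acct in accounts:
        if not acct["password_required"]:
            # An account that can log in with no password is reported and skipped;
            # it has no password age or hash to compare.
            findings["no_password_required"].append(acct["user"])
            continue

        users_by_hash[acct["pw_hash"]].append(acct["user"])

        age_days = (today - acct["last_set"]).days
        if age_days > max_age_days:
            findings["expired"].append(acct["user"])
        elif age_days > max_age_days - warn_days:
            findings["expiring_soon"].append(acct["user"])

    # Two accounts with the same stored hash share the same password.
    for users in users_by_hash.values():
        if len(users) > 1:
            findings["identical_passwords"].append(sorted(users))

    return dict(findings)


if __name__ == "__main__":
    for category, affected in audit_accounts(ACCOUNTS, date(2019, 8, 15)).items():
        print(f"{category}: {affected}")
```

Run against the sample with 15 August 2019 as "today", carol's password (440 days old) is reported as expired, dave's (360 days, within the 14-day warning window) as expiring soon, alice and carol as sharing a password, and the service account as requiring none.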
You may use this tool to help you maintain your security compliance certification(s), or simply to reduce your organisation’s attack surface for better GDPR compliance. Click here for a free scan.
by Specops Software