With GDPR now in force, it’s another day, another breach making headline news, says Sandor Palfy, CTO, LastPass.
Long gone are the days when companies like Uber and Yahoo! would wait months, or even years, before disclosing details of a breach they were already aware of. Companies are now required to notify the relevant authorities within 72 hours of becoming aware of a breach, and if the breach is sufficiently serious, the organisation must notify the affected public too. Unless they feel like paying fines that can potentially bankrupt a company, transparency is now the status quo.
But data protection doesn’t just begin and end with breaches. The Cambridge Analytica and Facebook scandal has raised a number of questions about who owns our data, and how it’s being used. For many of us, especially millennials who have grown up alongside the rise of mobile phones and social media, our digital identity is no longer our own, and it can seem like an uphill, momentous task to try and reclaim it. Even with the new GDPR regulations, customer confidence in enterprises to ethically manage and protect data is arguably at an all-time low. Furthermore, the urgency to find a solution is becoming more important, with a recent report finding that data breach complaints are up 160 per cent since GDPR came into force. So, what can companies do to combat this? And what steps can customers themselves take to mitigate damage caused by data breaches?
Combine technology with risk assessment
Breaches occur when vulnerabilities within a company’s security architecture are exploited by attackers. To make things more challenging, enterprise cybersecurity is a moving target. Just because something protected a business last year doesn’t mean it will keep the company safe this year. Similarly, cybercriminals are constantly adapting and evolving their techniques, so security teams have to be especially vigilant to stay one step ahead. Risk assessments should be carried out regularly to ensure that basic security measures, such as multi-factor authentication (MFA), are in place, and that any weaknesses are identified before they become entry points. The recent Timehop breach, which affected nearly its entire customer base of 21 million users, occurred because the company hadn’t protected its cloud environment with MFA, so having the basics in place can go a long way to protect customer data.
There are also some key policies businesses should have in place that can help defend against cyber-attacks. For example, implementing the SOC 2 or ISO 27001 compliance standards ensures that the company is aware of any risks and helps them take the steps needed to keep cyber-borders safe. However, simply investing in technology isn’t enough. The best technological defences can be unwound by a social engineering attack, so it’s important that all employees are trained to be both the first and last lines of defence. Guidelines should be issued to all staff, including information on how to spot phishing emails, password requirements, and the dangers of accessing company data on public WiFi networks.
Create a culture of transparency
Businesses should also foster a culture of transparency, both internally and externally, to reassure staff and customers alike that their data is being adequately protected. This can involve sharing the steps being taken, and regularly communicating any changes made and why. For example, if the company is introducing biometrics as a method of authentication, outlining why this step is being taken, and answering any concerns customers may have will go a long way with building trust.
Companies should maintain this culture of transparency if they fall victim to an attack. Reddit’s recent reluctance to share details of their recent hack was criticised by many, and by and large, companies who are upfront about the nature and seriousness of the breach and take swift measures to mitigate damage will build back customer trust far quicker than those who don’t.
Don’t forget about passwords
A lot of businesses are also struggling to manage the burden created by GDPR, both the work of implementing it to ensure they’re compliant and the handling of reportable data security breach incidents. Thinking about each customer as an individual and managing their security through password management is more appealing than ever for companies. Indeed, weak, reused and compromised passwords are the cause of many breaches.
When 81% of confirmed breaches are due to weak, reused, or stolen passwords, having a unique password for every account ensures that even if one password is stolen in a breach, no other account is affected. While memorising complex, unique passwords for every online account is nearly impossible, there’s technology available that can make managing passwords easier and more secure. By using a password manager all the work is done for you, and data remains secure and protected. Multi-factor authentication (MFA) is also an effective way to add another layer of security to password-protected accounts: even if a hacker obtains the password, they will still be required to enter an additional piece of information (a one-time code, fingerprint, etc.).
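The two claims above, that unique passwords contain the damage from a single leak and that MFA still blocks a login that presents the correct password, can be shown with a small model. The following is an added example written for this page, not code from the article or from LastPass: the services, the passwords and the "leaked" credential are all constructed, password storage uses salted PBKDF2 as a stand-in for whatever a real service uses, and the attacker is modelled only as replaying the one leaked password against the user's other accounts without an MFA code. The `reuse_report` function is the kind of audit a password manager runs over a user's own vault.

```python
"""Added example (not from the article): the blast radius of one leaked
password with and without reuse, and the effect of MFA on the leaked account.
Everything here is constructed for illustration."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

SERVICES = ["shop", "email", "bank"]
LEAKED_PASSWORD = "Tr0ub4dor&3"   # constructed: the password exposed by the "shop" breach


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; a real service would use argon2id/bcrypt/scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    service: str
    salt: bytes
    pw_hash: bytes
    mfa_enabled: bool = False

    @classmethod
    def create(cls, service: str, password: str, mfa_enabled: bool = False) -> "Account":
        salt = os.urandom(16)
        return cls(service, salt, hash_password(password, salt), mfa_enabled)

    def login(self, password: str, mfa_code_ok: bool = False) -> bool:
        """True only if the password matches AND, when MFA is on, a valid code was given."""
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        if not pw_ok:
            return False
        return mfa_code_ok if self.mfa_enabled else True


def build_accounts(unique_passwords: bool, mfa_on_shop: bool = False) -> list[Account]:
    """One user with three accounts. The shop is the breached site in every scenario;
    the other accounts either reuse its password or get their own random one."""
    accounts = []
    for svc in SERVICES:
        password = secrets.token_urlsafe(16) if unique_passwords else LEAKED_PASSWORD
        if svc == "shop":
            password = LEAKED_PASSWORD
        accounts.append(Account.create(svc, password, mfa_enabled=(mfa_on_shop and svc == "shop")))
    return accounts


def blast_radius(accounts: list[Account], leaked_password: str) -> list[str]:
    """Services that accept the single leaked password with no MFA code:
    a credential-stuffing replay of one breach seen from the defender's side."""
    return sorted(a.service for a in accounts if a.login(leaked_password, mfa_code_ok=False))


def reuse_report(vault: dict[str, str]) -> list[list[str]]:
    """Password-manager style audit over the user's own vault (service -> password):
    returns groups of services that share a password, so the user can rotate them."""
    by_password: dict[str, list[str]] = {}
    for service, password in vault.items():
        by_password.setdefault(password, []).append(service)
    return sorted(sorted(group) for group in by_password.values() if len(group) > 1)


if __name__ == "__main__":
    print("reused, no MFA :", blast_radius(build_accounts(False), LEAKED_PASSWORD))
    print("unique, no MFA :", blast_radius(build_accounts(True), LEAKED_PASSWORD))
    print("reused, MFA on shop:", blast_radius(build_accounts(False, mfa_on_shop=True), LEAKED_PASSWORD))
    print("vault audit:", reuse_report({"shop": "a", "email": "a", "bank": "b"}))
```

Reusing the password hands the attacker every account; unique passwords limit the loss to the breached shop; enabling MFA on the shop account means the leaked password alone opens nothing at all. The audit function is the defender-side counterpart: it never needs to see any leaked data, only the user's own vault.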
Data is becoming increasingly valuable, and hackers aren’t slowing down in their attempts to access it. But as cybercriminals evolve, so does the technology that companies and customers have in their arsenal to ensure they’re protected. We’re also seeing a shift in power when it comes to data protection. GDPR regulations, as well as awareness of password management, mean customers now have a lot more control over how their data is used and secured. And with enterprises similarly stepping up their game, cybercriminals are falling further behind in the battle for data in a post-GDPR age.