Please see comments by industry leaders on the anniversary of GDPR. The comments focus on how poor identity and access management can lead to GDPR fines, and why organisations need to invest in Identity Data Fabrics.

Information Security Buzz (aka ISBuzz News) is an independent resource that provides experts' comments, analysis and opinion on the latest information security news and topics.
It may have been four years since GDPR was introduced, but compliance is a process that must be adapted continuously.
To keep on top of this, companies must try to understand the regulatory requirements as much as possible and keep track of how it affects their own industry. Businesses should then conduct assessments to identify their own privacy risks, prioritise them and create an action plan to mitigate the most important risks. It’s also important for companies to review the security policies and procedures already in place, to stay compliant with regulations applicable to their business.
To ensure sustainable compliance, companies should also streamline and automate compliance processes and policies as much as possible. Technology like identity security can achieve this by regulating user access and keeping track of who is using various apps and data, and when. Doing this can save costs as well as valuable staff time, while reducing the risk of devastating data breaches due to manual errors.
GDPR set the standard for privacy, but this concept is relatively incomplete as it's deeply intertwined with and reliant on strong, resilient cyber security practices to keep data secure and, well, private.
However, you can’t have privacy without security, and you can’t have strong security when passwords and traditional MFA are involved.
Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures. The ICO does note that any password setup that you implement must be appropriate to the particular circumstances of this processing and businesses should consider whether there are any better alternatives to using passwords.
A fundamental failing of common security tropes is that you can make passwords safe, and the longer and more complex they are the better. WRONG. To better protect privacy, governments must ensure businesses eliminate passwords.
Up there with the security failings of passwords is also the ease with which attackers can now bypass traditional MFA using off-the-shelf phishing and man-in-the-middle exploits. Legacy MFA is redundant and will continue to prove unreliable. Legislation should be continually updated, and outdated password and MFA practices should be addressed. Government bodies must ensure that businesses are using phishing-resistant, passwordless MFA to protect sensitive and critical data.
Since its introduction four years ago, GDPR has been perceived as the catalyst behind some of the most profound changes to global data protection laws. In a nutshell, GDPR is designed to hold organisations accountable for the information they store, process and share, and anything that aims to create positive strides when it comes to data protection is a step in the right direction. However, one of the challenges of GDPR is that it can often be seen as complex, confusing and challenging to implement. This stems from the rapid digitalisation that businesses underwent during the pandemic, and the new ways in which we plan to access and share data as we move forward.
As we continue to think about the future of GDPR, one of the most important aspects to its continued success will be about how it evolves.
After all, four years in the technology world can feel like a long time ago when it comes to innovation and new ways of working. In addition, a big part of the success behind GDPR will be about ensuring data protection is seen as working hand in hand with the business and its goals. Too often we see security and legislation regarded as a trade-off or a blocker to innovation. At the same time, many businesses struggle with having full visibility over who has access to customer data. As we strive to create a more secure and digital Europe, the evolution of GDPR will play a critical part in this, and it is at the centre of ensuring we continue to think about data security practices. However, in order to get maximum success, we need to see business leaders embracing a digital culture that turns the spotlight on the value of our data, while also applying pragmatic data protection and cybersecurity methods that provide access at the right time and at the right privilege level when it comes to handling sensitive data. With the right platforms in place, businesses can support innovation and agility without jeopardising privacy.
As we approach the fourth anniversary of EU GDPR, it is a time to reflect on how this privacy law has changed the cyber landscape over the last several years. Since its introduction, GDPR has continually forced organisations to better evaluate how they store and collect user data while simultaneously requiring organisations to implement stronger security controls to protect and secure any data they do collect from potential exploits. While the GDPR law has without doubt given citizens more control over how their data is collected and processed, it has also presented opportunities to cybercriminals, who have also adapted their methods and techniques, specifically through ransomware attacks. Ransomware attacks continue to cause ripple effects throughout the industry, and cybercriminals now utilise potential GDPR violations as a means of forcing an organisation to pay their hefty ransom demands. An astonishing 83% of organisations admit to paying ransom demands, according to recent research.
While GDPR did force organisations to somewhat improve their security posture, it has not stopped cybercriminals from being successful. Organisations must remember that GDPR is only a standard and cannot supplement a robust security strategy, one that incorporates strong privileged access control, automated threat detection and response, zero trust principles and a security first company culture.