GDPR – How A Single Password Could Cost Your Business €20 Million

You have no doubt read or heard about the new EU General Data Protection Regulation, otherwise known as GDPR. Put simply it is a new law that was approved by the European Parliament on 14th April 2016 and supersedes the current EU Data Protection Directive. Here is what you need to know …

This new law gives power to fine an organisation €20 million in damages, or four percent of global revenue, whichever is higher. But it doesn’t end there because the inevitable naming and shaming could cause even greater damage to brand and the bottom line.

One of the headline-grabbing aspects of the GDPR is the requirement to be able to notify the appropriate supervisory authority of a personal data breach within 72 hours. However, this is often far easier said than done. Often, even larger enterprises do not have the means to detect a data breach within the allotted timeframe. The vast majority of SMEs with limited IT security expertise stand almost no chance.

Many businesses are concerned about the GDPR legislation and are unsure of how they will comply with it. Other than reading the information on this page, businesses can get in contact with gdpr assessment audit consultants to protect their companies from the pitfall of non-compliance. You can have a peek here if you want to find out more about what this is all about.

So what can you do? There is, in fact, a huge amount that you can do to protect the personal data of your customers and in doing so, the financial wellbeing of your business. The best place to start is to look for the weak points and strengthen them. For many organisations, the weak link in the chain is the password and more specifically how people use them. Don’t believe me? Then take a look at this short clip from Jimmy Kimmel Live.

To start, you can use our Company Password Breach Check tool, to see if your company passwords have been exposed on the dark web.

You can try to solve the problem by enforcing password policies so that employees need to change their password on a more frequent basis, but as Graham Cluley points out, this can actually make the situation worse, as people default to simpler passwords. Then you have the risk of employees sharing passwords or even selling them – as SailPoint reported last year – one in seven would consider disclosing their password for just $150.

Of course, you want to make sure that only the right people have clearance to access to the right data in the right way, but at the same time, you don’t want to put barriers productivity in the way. Again this is a failing of passwords, where making them supposedly ‘strong’ results in frequent and costly calls to the helpdesk for a reset.

This is yet another nail in the coffin for the stubborn password. Often IT department or boardrooms fail to make the move away from password-based authentication (despite many well-proven alternatives now on the market) because cannot see a clear return-on-investment, or it is perceived as too ‘risky’ to switch, or they are waiting to see what everyone else will do. However, with these new laws coming in to force, many of these arguments hold even less weight than before. And, be sure that it has taken many years for the GDPR to come into being, so it will not be forgotten about.

Organisations have until July 2018 to get their houses in order. But a word of extreme caution if you are reading this in a non-EU country. Do not think the GDPR does not apply to you! If your organisation collects and stores personal data regarding EU citizens, then this new EU law still applies.

For more information about GDPR visit: http://www.computerweekly.com/guides/Essential-guide-What-the-EU-Data-Protection-Regulation-changes-mean-to-you