Comply With New Data Protection Laws

The latest legislation, such as General Data Protection Regulation (GDPR), and  NYDFS Cybersecurity Regulation (23 NYCRR 500) will have a big impact on companies both large and small. Lack of compliance and breaches of data can lead to fines of up to €20 million in damages or four percent of global revenue.

One of the headline-grabbing aspects of the GDPR is the requirement to be able to notify the appropriate supervisory authority of a personal data breach within 72 hours. However, this is often far easier said than done. Often, even larger enterprises do not have the means to detect a data breach within the allotted timeframe. The vast majority of SMEs with limited IT security expertise stand almost no chance.

What changes do I need to make to my security processes?

Regulations, including GDPR, follow some common principles which could also easily apply to best practice when implementing a corporate security policy. The following steps will make you more secure and reduce your risk of being negatively affected by data protection legislation.

1. Determine if the legislation applies to you. If you do business or handle personal information for citizens based in the area affected by the legislation, then its highly likely that the regulations apply to you. Systems that hold personal or financial data are highly likely to be covered by new guidance.

2. Determine how to apply the legislation. Be aware of all aspects of the legislation, such as any requirement to encrypt certain data and how decryption keys should be stored. GDPR explicitly mentions the principles of “privacy by design” and “privacy by default”. Determine the parties responsible for applying this legislation.

3. Make sure the basics are in place first. Ensure that desktop machines are password-protected and have a good anti-virus package installed. As we saw with the WannaCry incident, ensure they’re up-to-date with the latest Microsoft patches. Ensure your password policy complies with the latest regulations from NIST and that users do not have a password that has been compromised on the web.

4. Augment and improve existing security. In the event of a security breach, it is usually up to the company to prove that modern and all reasonable best practice has been followed. Poor password management makes it easier for attackers. Multi-factor authentication greatly reduces the risks associated with a password-only approach to authentication.

5. Ensure you have robust auditing and accountability. Legislation around data protection such as GDPR requires that companies show that they use a framework to continuously monitor compliance, as opposed to a single ‘point in time’ audit process. This turns out to also be a sensible approach to data security. Ensure that your systems are able to continuously report the status of items such as password compliance and usage of multi-factor authentication.

Comply and Secure with Authlogics

Password Policy Agent has been specifically designed to meet NIST SP 800-63 guidelines for password compliance, out of the box. Password Policy Agent can be deployed in minutes on corporate network serves and enforces the correct password policy as soon as a user changes their Windows login password, without requiring any desktop software rollouts.

It ensures that users have set and continue to use a secure password, that has not been compromised in any data breach online, removing one of the most common problems with legacy password usage. Password Policy Agent provides reporting on the quality of user passwords, which is very useful part of a framework of auditing and accountability for GDPR compliance.

Authentication Server coordinates the provisioning and management of identity information to allows users to log in securely from desktops, cloud-based software, mobile and 3rd party applications. It provides a consistent and fully featured layer of security, using multi-factor authentication, wherever users authenticate with identity storage. A self-service portal allows users to set passwords that comply with the latest security guidance and lets users add and remove devices used for two-factor authentication. Each action is logged in detail and can be reported on for compliance purposes.