Comply With New Data Protection Laws
New legislation, including the General Data Protection Regulation (GDPR) and the NYDFS Cybersecurity Regulation (23 NYCRR 500), has been introduced to help protect consumer information. Lack of compliance with these regulations and breaches of data can lead to fines of up to €20 million or four percent of global revenue.
The indirect consequences of a breach in security should also be considered. The direct financial impact and fines from non-compliance are often coupled with the loss of consumer confidence in a company or brand, which could be even more costly.
What changes do I need to make to my security processes?
Regulations, including GDPR, follow some common principles which could also easily apply to best practice when implementing a corporate security policy. The following steps will make you more secure and reduce your risk of being negatively affected by data protection legislation.
1. Determine if the legislation applies to you. If you do business with, or handle personal information for, citizens based in the area affected by the legislation, then it's highly likely that the regulations apply to you. Systems that hold personal or financial data are highly likely to be covered by new guidance.
2. Determine how to apply the legislation. Be aware of all aspects of the legislation, such as any requirement to encrypt certain data and how decryption keys should be stored. GDPR explicitly mentions the principles of “privacy by design” and “privacy by default”. Determine the parties responsible for applying this legislation.
3. Make sure the basics are in place first. Ensure that desktop machines are password-protected and have a good anti-virus package installed. As we saw with the WannaCry incident, ensure they’re up-to-date with the latest Microsoft patches. Ensure your password policy complies with the latest regulations from NIST and that users do not have a password that has been compromised on the web.
4. Augment and improve existing security. In the event of a security breach, it is usually up to the company to prove that all reasonable modern best practice has been followed. Poor password management makes it easier for attackers. Multi-factor authentication greatly reduces the risks associated with a password-only approach to authentication.
5. Ensure you have robust auditing and accountability. Legislation around data protection such as GDPR requires that companies show that they use a framework to continuously monitor compliance, as opposed to a single ‘point in time’ audit process. This turns out to also be a sensible approach to data security. Ensure that your systems are able to continuously report the status of items such as password compliance and usage of multi-factor authentication.
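As an added illustration of the step 3 guidance (example code written for this page, not Authlogics' Password Policy Agent or any code from the original), the following Python function screens a candidate password the way NIST SP 800-63B describes: a minimum length with a generous maximum, a blocklist of breached passwords held as SHA-1 hashes so plaintexts never sit on disk, rejection of context-specific words such as the username, and rejection of repeated or sequential characters. The sample blocklist entries and the length thresholds are assumptions made for the demonstration.

```python
"""NIST SP 800-63B-style password screening (illustrative example)."""
import hashlib
import re

# Constructed sample of a breached-password corpus, stored as SHA-1 hex
# digests (the format used by public breached-password lists) so that
# plaintext passwords never sit on disk. A real deployment would load
# a full corpus here.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "letmein", "Summer2017"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}

MIN_LEN = 8    # SP 800-63B minimum for user-chosen memorised secrets
MAX_LEN = 64   # verifiers must accept at least 64 characters


def _is_breached(password: str) -> bool:
    """Look the candidate up in the hashed breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


def _has_sequence(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive ascending characters, e.g. '1234'."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False


def check_password(password: str, context_words=()) -> list:
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LEN:
        failures.append("too short")
    if len(password) > MAX_LEN:
        failures.append("too long")
    if _is_breached(password):
        failures.append("found in breach corpus")
    lowered = password.lower()
    for word in context_words:          # username, company name, etc.
        if word and word.lower() in lowered:
            failures.append(f"contains context word '{word}'")
    if re.search(r"(.)\1{3,}", password):   # e.g. "aaaa"
        failures.append("repetitive characters")
    if _has_sequence(lowered):
        failures.append("sequential characters")
    return failures
```

The same function can feed the continuous reporting of step 5: run it at password-change time and record the failure list rather than the password.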
Comply and Secure with Authlogics
A secure password is the foundation on which all other security initiatives can be built. It is critical to ensure your passwords are both secure and compliant (including the fact that they do not appear in any password breaches) before adding multi-factor authentication and processes which can remove the password during logon for the user.
Password Policy Agent has been specifically designed to meet NIST SP 800-63 guidelines for password compliance, out of the box. Password Policy Agent can be deployed in minutes on corporate network servers and enforces the correct password policy as soon as a user changes their Windows login password, without requiring any desktop software rollouts.
Authentication Server coordinates the provisioning and management of identity information to allow users to log in securely from desktops, cloud-based software, mobile and 3rd party applications. It provides a consistent and fully featured layer of security, using multi-factor authentication, wherever users authenticate against identity storage. A self-service portal allows users to set passwords that comply with the latest security guidance and lets users add and remove devices used for two-factor authentication. Each action is logged in detail and can be reported on for compliance purposes.