Best practice GDPR will reduce security breaches
Companies applying best practice GDPR (General Data Protection Regulation) will go a long way towards thwarting data breaches. The recent high-profile breaches of Instagram and Equifax create bad press and sap consumer confidence in the brands. What can companies do to prevent such embarrassing headlines and damage to their brand reputation?
1. GDPR requirements will have a positive effect.
The forthcoming GDPR legislation, which comes into force on 25th May 2018, will have a positive effect. However, many companies are unprepared for or unaware of the required changes. It will affect everything from privacy and cookie policies to the way data is managed within every organisation. This is undoubtedly a good thing for consumers and will force a lot of companies to implement best practices. This will help to reduce the risk of a data breach. It forces security by design to be engineered from the ground up. The challenge will be for organisations dealing with an old website/application that has evolved over many years and now needs to be brought up to date.
A lot of the press written about GDPR is pure scaremongering that sensationalises the new requirements. It is well worth reading the blog of Elizabeth Denham, the Information Commissioner, which dispels some of the popular myths about GDPR. At the heart of GDPR is fundamentally a good user experience. Consumers can understand clear, common-sense privacy and usage information about their data, correct data that is incorrect and take their data to new providers if they so choose. This is all good for the consumer.
It also means that companies like Instagram and Equifax will have to become GDPR compliant to avoid facing punitive fines in the future. The Equifax site appears not to have had the latest patches for the exploit (which was eight years old) that captured the data. All companies need to apply due diligence in their web apps and become more defensive with the data they control. A security/data audit of the Equifax site following the principles of GDPR would certainly have flagged some of these issues.
2. Use of cloud services and security by design.
A lot of organisations are moving from dedicated servers to cloud services to host websites and web applications, and because these services are not hosted locally, security by design is essential. Even in the worst case, when a database is breached, all the bad guys get is encrypted data that is going to be hard, if not impossible, for them to decrypt. Pseudonymization is another fundamental principle of GDPR that will benefit the consumer.
Pseudonymization is the separation of data from direct identifiers so that linkage to an identity is not possible without additional information that is held separately.
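The definition above can be made concrete with a small added example (not code from the original article). It assumes hypothetical field names `name` and `email`, uses a plain dict to stand in for a separately secured identity store, and runs on constructed sample records.

```python
import hashlib
import hmac
import secrets

# Assumed field names for this sketch; adjust to your own schema.
DIRECT_IDENTIFIERS = ("name", "email")


def subject_token(email: str, key: bytes) -> str:
    """Keyed pseudonym: stable per person, not recomputable without the key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymize(record: dict, key: bytes, vault: dict) -> dict:
    """Move direct identifiers into the vault; return the record keyed by token."""
    token = subject_token(record["email"], key)
    vault[token] = {field: record[field] for field in DIRECT_IDENTIFIERS}
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_token"] = token
    return working


def reidentify(working: dict, vault: dict):
    """Only a holder of the separately stored vault can map a token to a person."""
    return vault.get(working["subject_token"])


def demo():
    key = secrets.token_bytes(32)  # assumption: kept in a KMS/HSM, not beside the data
    vault = {}                     # stands in for a separately secured identity store
    orders = [                     # constructed sample records
        {"name": "Ada Example", "email": "ada@example.org", "item": "router", "total": 89.0},
        {"name": "Ada Example", "email": "Ada@Example.org", "item": "cable", "total": 4.5},
        {"name": "Bob Sample", "email": "bob@example.org", "item": "switch", "total": 120.0},
    ]
    working_set = [pseudonymize(o, key, vault) for o in orders]
    return key, vault, working_set


if __name__ == "__main__":
    key, vault, working_set = demo()
    for row in working_set:
        print(row)
    print("with vault:   ", reidentify(working_set[0], vault))
    print("without vault:", reidentify(working_set[0], {}))
```

The remaining columns can still act as indirect identifiers when combined, so the working set is pseudonymised rather than anonymised.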
Modern users expect connectivity across their desktops, laptops, tablets and mobile phones, all of which access the same services and data. We expect these services to be available and working with the minimum of configuration. The best companies will start to use these five basic principles of best practice:
a. Temporal – When can I collect and use data about you?
b. Spatial – Where can I collect and use data about you?
c. Functional – How can I collect and use data about you?
d. Identity – What persona should I use when I interact with you?
e. Social – With whom can I share your information?
There have been numerous examples where having 3-4 pieces of information allowed researchers to identify individuals from anonymised data sets. However, using the GDPR principles above, the risk is reduced.
3. The future of passwords and user authentication technologies will evolve.
Everyone hates having to remember or change a password, and with a multitude of devices at home and at work requesting this information, it becomes a major headache. There are some promising technologies on the horizon that could reduce the need to remember passwords:
- Steve Gibson’s SQRL (Secure Quick Reliable Login) technology which uses smart codes to securely transfer login credentials.
- FIDO is another interesting route to a password-less future.
- Biometrics offers some interesting options using fingerprints or even face scanning as announced by Apple recently.
Currently, only the most security-aware individuals are using two-factor authentication or secure passwords. Until there is a viable, secure alternative to the username/password challenge for the masses, this is going to be a fundamental weakness in website security.
This responsibility remains with the consumer for the time being. Using a password manager in the short term is a good best practice and turning on two-factor authentication is highly recommended.
One thing is for sure: we are going to see more data breaches moving forward, but GDPR offers some practical guidelines and protections for the consumer. If you would like some help with your GDPR programme or an assessment of next steps, please get in contact via the contact form.