Since coming into effect on May 25, 2018, the European Union’s General Data Protection Regulation, or GDPR, has substantially changed the way businesses around the world are required to operate. At its heart, the law is designed to protect the sensitive data of EU citizens, and it impacts any company handling this data, whether it is in the EU or not. Given the severe penalties that can be levied against companies for failure to comply with GDPR, it is essential for any company handling the private data of EU citizens to have a robust set of security procedures in place. These procedures should cover a range of different areas of concern in an organization’s security environment, including more traditional security practices such as protecting network traffic and guarding against threats on endpoints. With the importance placed on having best security practices in place at an organization to stay compliant with GDPR, it is worth looking at why strong password policies are important and at some specifics that can be applied to an organization’s password policy to help meet this compliance.
It’s important first to get a quick understanding of what exactly constitutes a violation of GDPR, the consequences of a violation, and how a robust organizational password policy can help in the fight to protect user data. As previously mentioned, GDPR is concerned with the collection, processing, and protection of sensitive personal data for citizens of the EU. Under GDPR, personal data is considered anything that can directly or indirectly identify an individual. This would include basics like names and addresses, but also encompasses data such as ID numbers, IP addresses, phone numbers, health records, and biometric data. Under GDPR guidelines, users must be notified of what data is being collected and the reasoning behind the data being collected. Given the wide scope of data that GDPR applies to, it should not be surprising that there are multiple ways a company may be in violation of GDPR, as well as severe penalties for failure to comply with the regulations. Some of the more common ways that organizations have found themselves in violation of GDPR are collecting data without user consent, collecting data with no legal reasoning to do so, failing to notify regulatory authorities within 72 hours of discovering a data breach, and being found to have security practices that were not sufficient for protecting data.
If an organization finds itself in violation of GDPR, it will be looking at one of two levels of fines: a low-tier fine or a high-tier fine, depending on the severity of the violation. A low-tier offense carries a penalty of up to €10 million, or 2% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher. A high-tier offense carries a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue from the preceding financial year, whichever amount is higher.
Real-world examples show the consequences these violations carry. Marriott was fined £99,200,396 after reporting a data breach in November 2018 that included the loss of guests’ personal data, payment info, and passport numbers. The attack was known to Marriott in September 2018, violating the GDPR requirement of reporting the breach within 72 hours. Another example was British Airways, which was fined £183.39 million in July 2019 after passenger data including names, addresses, and credit card numbers was stolen. The company reported within 72 hours of discovering the breach but was found to have poor security management practices leading up to the breach, resulting in a record fine for the time.
Given the importance placed on having best security practices in place at an organization to stay compliant with GDPR, it is worth looking at why strong password policies are important and at some specifics that can be applied to an organization’s password policy to help meet this compliance.
According to the 2019 Verizon Data Breach Report, the most significant single factor leading to the breach of an organization is weak passwords, which the report found to be the cause of 29% of breaches. Weak passwords are easily obtained by threat actors and used for credential stuffing and password spraying attacks, both of which are reportable breaches according to guidance issued by the European Data Protection Board. If either of these happens, the organization will be held to the 72-hour reporting period and must notify all users that are potentially impacted by the attack that their data may have been compromised. Given the risks involved with allowing weak passwords and the potential repercussions, it is essential that strong password policies are not overlooked.
Passwords should be required to meet a certain minimum length. The longer the minimum length, the harder it will be for threat actors to brute force a user’s password. Consider adopting a 16-character or longer minimum as part of a password policy.
Passphrases, rather than simple passwords, should be encouraged. A phrase combining multiple unrelated words is harder for an attacker to crack and easier for a user to remember than a collection of random characters. The latter is important because it will lead to less frequent password resets and eliminate the possibility of the user writing down a password somewhere.
There are several requirements that can be enforced that will eliminate the possibility of a user creating a weak password.
Multi-factor authentication should be required to reset any password. This will ensure that it is truly the proper user resetting the password and not an attacker imitating a user.
Passwords should only be reset when they have been discovered to be compromised. Forcing frequent password resets causes many users to create weak passwords by simply modifying a previous password or will lead them to write down the new password in order to remember it.
Proactive screening of all accounts in the organization should happen on a continuous basis to ensure no compromised credentials exist.
All employees should be properly trained on general best security practices so that they can recognize risks and understand the consequences of not following organizational security policies. Proactively educating users is one of the cheapest and most effective ways to immediately improve organizational security.
Comprehensive password policies should also cover the storage of passwords in databases. Best practice is to store passwords in the database only in hashed form, using a strong hashing algorithm such as SHA-256 or SHA-512. Weaker algorithms could lead to the possibility of an offline attack, where the attacker already has access to the storage location and then uses varied methods to crack the passwords, such as a brute force attack or a dictionary attack looking for common passwords. A more complex hashing algorithm combined with the recommendations above will make these types of attacks far less likely to succeed.
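The sketch below is an added example, not code from the article: it ties together the 16-character minimum, the screening of accounts for compromised credentials, and hashed storage. It goes one step beyond the text by running SHA-512 inside PBKDF2 with a per-user salt and an iteration count, so that a stolen table resists the offline brute force and dictionary attacks described above; the iteration count, breach list, and account names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 16          # minimum length suggested in the article
ITERATIONS = 210_000     # assumed work factor; tune to your hardware
# Constructed sample of passwords known from breaches (assumption).
BREACHED = {"password123", "correcthorsebatterystaple", "Summer2019!"}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest) for storage; never store plaintext."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, iterations, stored = record
    candidate = hash_password(password, salt, iterations)[2]
    return hmac.compare_digest(candidate, stored)


def check_new_password(password, breached=BREACHED):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password in breached:
        problems.append("appears in breach corpus")
    return problems


def screen_accounts(accounts, breached=BREACHED):
    """Return users whose stored hash matches a breached password."""
    return sorted(user for user, record in accounts.items()
                  if any(verify_password(p, record) for p in breached))


if __name__ == "__main__":
    # Constructed accounts; low iteration count only to keep the demo fast.
    accounts = {
        "alice": hash_password("plum anvil orbit sandal quartz", iterations=1000),
        "bob": hash_password("Summer2019!", iterations=1000),
    }
    print(screen_accounts(accounts))
    print(check_new_password("Summer2019!"))
```

Accounts returned by `screen_accounts` are the ones that should be forced through a reset, which matches the article's advice to reset passwords only when they are found to be compromised.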
Compliance with GDPR and other data privacy laws is a reality that almost every organization is going to continue to have to factor into their overall organizational planning. Failure to do so can have serious financial consequences for any organization that ends up in violation of the law. One of the quickest and easiest ways to help protect an organization from these violations will be to implement a strong, comprehensive password policy to ensure that threat actors do not have the ability to access sensitive user data in the first place.