By Andy Bridges, Data Quality and Governance Manager at REaD Group
Why should you treat your passwords like your underwear?
It’s an odd comparison, but it’s simple really:
- You wouldn’t leave your Y-Fronts lying around for just anyone to find
- You certainly shouldn’t share them with others!
- And you change them on a regular basis (one would hope…)
Contrary to popular belief, human error and accidental loss are still the biggest contributors to data breaches in the UK – rather than attacks by cyber criminals. While it is perhaps unrealistic to expect people to change their passwords as frequently as their undergarments, good password management is incredibly important to information security. A simple 7-character password could take a hacker only 0.29 milliseconds to decipher; increasing this to 12 or more characters, however, pushes the potential cracking time from seconds to centuries.
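To show why the jump from 7 to 12 characters matters so much, here is a small added example (not from the original article) that computes the search space and worst-case exhaustion time for a given length; the guess rate is an assumed illustrative figure, not a measurement.

```python
# Added example: how password length drives the search space an offline
# brute-force attacker must cover. The guess rate is an assumption only.
import math

ASSUMED_GUESSES_PER_SECOND = 1e11  # assumption: fast offline cracking rig
PRINTABLE_ASCII = 95               # letters, digits and symbols


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this length at `rate` guesses/s."""
    return keyspace(charset_size, length) / rate


def length_gain(charset_size: int, from_len: int, to_len: int) -> int:
    """Factor by which the search space grows when length rises from_len -> to_len."""
    return charset_size ** (to_len - from_len)


def humanise(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 24 * 3600), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for n in (7, 12):
        print(f"{n} chars: {entropy_bits(PRINTABLE_ASCII, n):.1f} bits, "
              f"exhausted in {humanise(seconds_to_exhaust(PRINTABLE_ASCII, n))}")
    # Going from 7 to 12 printable characters multiplies the work by 95**5.
    print(f"gain from 7 -> 12 chars: {length_gain(PRINTABLE_ASCII, 7, 12):,}x")
```

At the assumed rate the 7-character space is exhausted in minutes while the 12-character space takes well over a hundred thousand years; the exact figures depend entirely on the attacker's hardware and the hash in use, which is why length, not the quoted millisecond, is the point.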
Research conducted by the risk mitigation firm, Kroll, at the end of 2018 found that the number of data breach reports received by the Information Commissioner’s Office (ICO) has increased by 75% in the last two years. This isn’t necessarily indicative of more breaches, but more likely an increase in transparency as a result of GDPR. It was not previously compulsory to report a data breach, but the new data regulation requires that all companies must report a breach to the ICO within 72 hours.
Above all else, data security should now be a COMPANYWIDE responsibility. It does not rest solely on the shoulders of IT and compliance departments, but with everyone working within a business. Every effort should be made to incorporate information security into office culture so that it becomes second nature.
Embed into Company Culture
Staff should receive regular training to ensure that everyone understands best practice in the workplace. Company HR policy should also be altered to reflect the fact that responsibility lies with all employees to instigate better behaviour.
Everyone in the business should be on the lookout for potential threats to information security, such as unlocked computer screens and confidential paperwork left unattended, and should be encouraged to self-police. Implementing a clean desk policy is good practice for safeguarding confidential information.
Companies need to better understand what information they hold in order to protect it. As well as ensuring that data is clean and viable and that all relevant permissions and consent are held for it, companies must also ensure that the appropriate data protection and information security practices are in place. Recital 100 of the GDPR states:
‘In order to enhance transparency and compliance with this Regulation, the establishment of certification mechanisms and data protection seals and marks should be encouraged, allowing data subjects to quickly assess the level of data protection of relevant products and services.’
Essentially these practices are entrenched in GDPR under Article 25 – ‘Privacy by Design’ and ‘Privacy by Default’. These concepts are by no means new, but are instrumental in incorporating information security into business culture.
Privacy by Design means businesses need to consider privacy at the initial design stages and throughout the development process of any new products, processes or services that involve processing personal data.
Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones.
GDPR has presented a great opportunity for UK businesses to step up their data protection strategies and better protect themselves against data breaches. The regulation stipulates that companies must be more rigorous in their approach to collecting, storing and using customer data – which should correspondingly see a vast reduction in accidental loss. This increased transparency should ultimately result in more trusting and loyal consumers.
The more businesses understand their obligations and ensure they have implemented appropriate data protection strategies, the sooner we will see a significant reduction in the number of data breaches.