The threat of potentially huge fines was one of the biggest talking points in the run-up to the EU GDPR. Now, just over a year after the regulation entered into law, the Information Commissioner’s Office (ICO) has demonstrated that the fines were not a bluff, hitting British Airways and Marriott International with fines totalling almost £300m for major customer data breaches they suffered last year.
Whilst the GDPR is certainly not the first regulation to include financial penalties for non-compliance, it is the size of the penalties that has served as a wake-up call to the industry, especially as BA and Marriott are likely to be the first of many multimillion-pound fines for data breaches in the near future.
There can be no denying that regulatory fines now represent one of the biggest costs of a data breach, potentially overshadowing the expense of investigating and resolving the breach, as well as the impact to share prices and customer retention.
Putting compliance into practice
As with many other aspects of security, it’s common to find companies have paid lip service to various compliance demands but have failed to fully address them. Thycotic research found that around six in 10 organisations had some form of compliance requirements that they had to adhere to. However, only one in 10 companies had some form of privileged access management (PAM) despite it being a key component of most regulatory requirements.
For example, GDPR mentions access controls to data at several points including considering who within an organisation has access to data and specifically: “Data can be accessed, altered, disclosed or deleted only by those you have authorised to do so”.
GDPR compliance: Focusing on access controls
Indeed, implementing a strong access control policy can be one of the most effective early steps towards compliance, as this will address a number of requirements around privacy and security. This policy will manage what assets and information individuals and systems are able to access on the network, so strong access controls will greatly mitigate the risk of a data breach. In particular, organisations should follow the principle of “least privilege”, where users can only access the data and resources necessary for their jobs.
Once the basics have been completed, the next priority should be to address the security of privileged accounts. These accounts provide users with powerful administrative capabilities over critical systems, so any cyber-criminal getting a hold of them will be getting the keys to the kingdom. Our research shows that around a third of hackers say that accessing privileged accounts was the easiest and fastest way to get sensitive data.
These accounts cannot be protected through passwords alone. An organisation needs to implement a range of security controls for managing the use of privileged accounts including multi-factor authentication, password rotation and password complexity, as well as discovering all privileged accounts, who has access and when they are used.
Password managers have been used for some years now by organisations, and indeed individuals, to help keep on top of all the differing login credentials needed for various accounts. These can generate complex passwords, keep credentials secure in a vault, autofill login pages and generally help reduce “cyber fatigue”. Some can even remind the user to change their passwords on a regular basis.
However, password managers by themselves are not good at managing privileged account access; they need to be used alongside other security measures.
The value of multi-factor authentication
Multi-factor authentication (MFA) is becoming more commonplace as organisations start to implement guidelines from regulators, such as the PCI DSS, which is concerned with those companies accepting, storing or transmitting credit card data. MFA combines one form of authentication, often a password, with at least one other, for example a passcode sent to a mobile number, to verify the identity of a user. This is most visible when making online purchases using a credit or debit card. The card details including the CVV number are required (the first factor) followed by a PIN or access code requested by the issuer.
Requiring users to provide a second element to verify their identity can greatly reduce the chances of a breach, for example making it much more difficult for an attacker to infiltrate the system with stolen credentials. However, Thycotic’s research still found that three-quarters of companies fail to require MFA for privileged accounts.
Account discovery and oversight
IT and security teams cannot readily control the access levels of accounts they aren’t aware of, and we often find companies have hundreds of unmanaged, forgotten accounts belonging to users and systems that are no longer required.
We found that four in 10 organisations do nothing to discover these hidden accounts, and those that do are likely to find the task increasingly difficult. This is due to the growing number of devices connecting to a network, along with virtual accounts and cloud environments.
Even those organisations that are able to search for privileged accounts are failing in their duty if they must do so manually. Searching an entire network for these accounts by hand is time-consuming, meaning the information is already out of date before the search is completed. Instead, organisations need to use automated discovery, which can identify privileged accounts in real time, allowing them to be protected more expediently.
Having such visibility also means that IT teams can monitor when passwords were last changed and when and how the account was last used. These records are also invaluable when it comes to conducting audits, another common demand of most regulations.
Compliance might not be the most exciting topic for many organisations, but they cannot ignore it. Getting the essentials right on access controls can be one of the most valuable steps a company can take in meeting its compliance obligations, potentially saving it from being the next example of a multimillion-pound fine.