The threat of potentially huge fines was one of the biggest talking points in the run up to the EU GDPR. Now, just over a year after the regulation entered into law, the Information Commissioner’s Office (ICO) has demonstrated that the fines were not a bluff, hitting British Airways and Marriott International with fines totalling almost £300m for major customer data breaches they suffered last year.

Whilst the GDPR is certainly not the first regulation to include financial penalties for non-compliance, it is the size of the penalties that has served as a wake-up call to the industry, especially as BA and Marriott are likely to be the first of many multimillion-pound fines for data breaches in the near future.

There can be no denying that regulatory fines now represent one of the biggest costs of a data breach, potentially overshadowing the expense of investigating and resolving the breach, as well as the impact to share prices and customer retention.

Putting compliance into practice

As with many other aspects of security, it’s common to find companies have paid lip service to various compliance demands but have failed to fully address them. Thycotic research found that around six in 10 organisations had some form of compliance requirements that they had to adhere to. However, only one in 10 companies had some form of privilege access management (PAM) despite it being a key component of most regulatory requirements.

For example, GDPR mentions access controls to data at several points including considering who within an organisation has access to data and specifically: “Data can be accessed, altered, disclosed or deleted only by those you have authorised to do so”.

GDPR compliance: Focusing on access controls

Indeed, implementing a strong access control policy can be one of the most effective early steps towards compliance, as this will address a number of requirements around privacy and security. This policy will manage what assets and information individuals and systems are able to access on the network, so strong access controls will greatly mitigate the risk of a data breach. In particular, following the principle of “least privilege”, where users can only access data and resources necessary for their jobs.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Once the basics have been completed, the next priority should be to address the security of privileged accounts. These accounts provide users with powerful administrative capabilities over critical systems, so any cyber-criminal getting a hold of them will be getting the keys to the kingdom. Our research shows that around a third of hackers say that accessing privileged accounts was the easiest and fastest way to get sensitive data.

These accounts cannot be protected through passwords alone. An organisation needs to implement a range of security controls for managing the use of privileged accounts including multi-factor authentication, password rotation and password complexity, as well as discovering all privileged accounts, who has access and when they are used.

Managing passwords

Password managers have been used for some years now by organisations, and indeed individuals, to help keep on top of all the differing login credentials needed for various accounts. These can generate complex passwords, keep credentials secure in a vault, autofill login pages and generally help reduce “cyber fatigue”. Some can even remind the user to change their passwords on a regular basis.

However, by themselves these are not good at managing privileged account access, as they need to be used alongside other security measures.

The value of multifactor authentication

Multi-factor authentication (MFA) is becoming more commonplace as organisations start to implement guidelines from regulators, such as the PCI DSS, which is concerned with those companies accepting, storing or transmitting credit card data. MFA combines one form of authentication, often a password, with at least one other, for example a passcode sent to a mobile number, to verify the identity of a user. This is most visible when making online purchases using a credit or debit card. The card details including the CVV number are required (the first factor) followed by a PIN or access code requested by the issuer.

Requiring users to provide a second element to verify their identity can greatly reduce the chances of a breach, for example making it much more difficult for an attacker to infiltrate the system with stolen credentials. However, Thycotic’s research still found that three-quarters of companies fail to require MFA for privileged accounts.

Account discovery and oversight

IT and security teams cannot readily control the access levels of accounts they aren’t aware of, and we often find companies have hundreds of unmanaged, forgotten accounts belonging to users and systems that are no longer required.

We found that four in 10 organisations do nothing to discover these hidden accounts, and those that do are likely to find the task increasingly harder and harder. This is due to an increasing number of devices connecting to a network, along with virtual accounts and cloud environments.

Even those organisations that are able to search for privileged accounts are failing in their duty if they must do so manually. Searching an entire network for these accounts by hand is time consuming, meaning the information is already out of date before it is completed. Instead, organisations need to use automated discovery, which can identify privileged accounts in real-time, allowing them to be protected more expediently.

Having such visibility also means that IT teams can monitor when passwords were last changed and when and how the account was last used. These records are also invaluable when it comes to conducting audits, another common demand of most regulations.

Compliance might not be the most exciting topic for many organisations, but they cannot ignore it. Getting the essentials right on access controls can be one of the most valuable steps a company can take in meeting their compliance obligations, potentially saving them from being the next example of a multimillion pound fine.

Read more: GDPR compliance is paying off for the minority of businesses who make the grade

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up