The NEW GDPR Compliance Overview

First, what is GDPR and am I affected by the new compliance regulations? GDPR is the new General Data Protection Regulation that was adopted by the European Union (EU) in April 2016 and will be enforceable starting May 2018. GDPR applies to everyone who provides goods and/or services to citizens in the EU, regardless of whether or not they have a physical location in the EU. Here are a few examples of which companies and organizations will be affected:

  • You have a boutique clothing company based out of New York City, New York that also has an online website. Residents of the EU have purchased items from your website.
  • You have an online consulting company for Search Engine Optimization based out of your home in Orlando, Florida. You have had at least one customer whom you have helped that resides in the EU.
  • You have a manufacturing company with multiple offices throughout the entire world, one of which is located in the EU.
  • You have a company or organization that provides goods and/or services to residents of the EU and your only location is in the EU.
  • You have a photography website where members create a personal profile with a username and password in order to share photographs with others. At least one member of this free website is a resident of the EU.

The ultimate goal of GDPR compliance is to keep the sensitive personal information of EU residents protected. Let’s clarify what constitutes personal data. Personal data can be anything, such as a name, email address, physical address, medical information, banking details, photographs, computer IP address, and any other piece of information that can identify a resident of the EU.

Power has shifted to the residents of the EU, who are now able to file lawsuits against a company that breaches their personal data. A company has 72 hours from the time of the breach to notify any affected individuals. Penalties for not being in compliance with GDPR can be either €20 Million or 4% of global annual turnover – whichever is greater. This is the most important change in data privacy regulations in over 20 years. This is not an option, but a requirement. The EU hopes that the rest of the world will follow its lead.

At nFront Security, we applaud the new regulations that the EU has passed. It is a very wise choice for the EU to require all companies to protect its citizens’ personal information to the highest standards. By being GDPR compliant, you give your customers trust and confidence that your company is protecting their personal data. In a digital economy, this is very important. The GDPR text covers many topics, including breach notifications, consent, data portability, and privacy by design. However, one of the most important themes running through all of the requirements is protection from data breaches. Most companies know that the threat of a data breach is very prevalent today. If certain security measures are not in place, the question isn’t if they will be hacked, but when.

One final note: we encourage companies to reevaluate their password policies. A strong password policy is your first line of defense in protecting your company’s most treasured assets: your customers. Many companies are Windows-based, and the default password settings for Windows will not keep your company secure, since they allow Password1 as a password. A data breach could cause your company to pay a minimum of €20 Million if you are regulated by GDPR. Do your company a favor and implement a Windows password filter to ensure that no weak password can be used on your company’s network.

We Support Carnegie Mellon University’s Password Research

Carnegie Mellon University released a study in 2013 called “Measuring Password Guessability for an Entire University.” CMU has over 25,000 faculty, staff, and students with a single-sign-on password. With this research study, CMU wanted to analyze how guessable those passwords would be in a password attack using standard password cracking tools and algorithms. A standard password policy was enforced at CMU – a minimum of eight characters and four different character sets. CMU’s password policy meets guidelines established by the InCommon Federation. InCommon provides guidance for educational and research institutions in the United States and relies on NIST guidelines for its security standards.

The researchers collected all 25,000 hashes and analyzed their guessability with a commonly used algorithm. According to CMU’s research, many earlier password studies relied on asking users what their password was or what type of password they used. Self-reported information is not always reliable.

A few key findings in the study were:

  • Users associated with the science and technology colleges made passwords 1.8 times stronger than those associated with the business school
  • Users who reported disliking the password policy made weaker passwords
  • Male users created stronger passwords than female users
  • Passwords with more digits, symbols, and uppercase letters were stronger
  • Digits or symbols are least effective when placed at the end of the password
  • Uppercase letters are least effective when placed at the beginning of the password
  • The passwords released in the Yahoo! breach most closely resemble the passwords of CMU users

Furthermore, here are a few insights that the researchers were able to make after completing the study:

  • Users would have been able to create stronger passwords if they received instructions on how to do so
  • Users who did not create stronger passwords because they did not feel it was necessary would have benefited from educational material
  • Users who complained about the password policy would have benefited from educational material

After the completion of this study, the researchers want to continue by further investigating password habits. Here are a few of their ideas:

  • Determining whether password strength holds up when fewer character sets are required of users who create a longer password
  • Prohibiting special characters at the beginning or end of a password
  • Skipping the dictionary check when users include symbols or digits

With the nFront Password Filter, companies are able to put these findings into practice. We believe that, in tandem with implementing a password filter, an educational document should be given to end users explaining how to create a stronger password and why it matters. In addition to the educational material, users receive coaching as they create a password using the nFront Client. When a user changes their password and it does not comply with the company’s password policy, a detailed message appears on the screen explaining why the password change was unsuccessful.

All three of their further research ideas can be implemented with the nFront Password Filter. The first idea corresponds to the Stanford Password Policy, a recommendation by Stanford University. Users may create shorter passwords if they use all four character sets, and longer passwords are required if the user wishes to use only one character set.

Second, the nFront Password Filter allows the password policy administrator to prohibit the use of numeric or special characters at the end or beginning of a password.

Finally, we offer a variation of the third recommendation for dictionary checking. The nFront Password Filter allows you to skip dictionary checking for passwords that are longer than a chosen length. Most companies set this to 15 characters, since rainbow tables normally target passwords that are 14 characters or less.

Hard Facts: Data Breaches

Joseph Demarest Jr., Assistant Director of the FBI’s Cyber Division, states: “You’re going to be hacked.” Do you have a plan for when this happens? Furthermore, are you enforcing the necessary precautions to ensure that your end-users are not making poor password choices? Password1 and Welcome1 are the top two business passwords, and both are accepted by the default Windows password complexity requirements.

Put Password Rules In The Hands Of The User

This topic might alarm you, since the fate of your company will be placed in the hands of your employees. When I talk to prospective customers of nFront Security, I hear the common problem of end-users selecting the company name, seasons (Summer, Winter, Fall, and/or Spring), months (January, February, March, etc.), or even the word password as their password. Therefore, the idea of giving end-users the choice of their own passwords would seem like a horrible decision. We agree! That’s why we set boundaries.

We have created two different options for IT Administrators to safely put passwords in the hands of their end-users without the threat of being hacked.

Do keep in mind that with the use of the nFront Password Filter, end-user passwords will be subject to dictionary checking. The dictionary is 100% customizable by your company and can be as restrictive as you set it to be.

The first option is through the Stanford Password Policy. In April of 2014, Stanford University created a unique way for their end-users to create passwords. The end-users now have control over the password complexity requirements based on the length of passwords they select. Shorter passwords will require more character types and longer passwords will require fewer character types. This concept is now called the Stanford Password Policy and has specific requirements.

Here is how the Stanford Password Policy is structured:

  • 8-11 character passwords require the use of upper case, lower case, numeric, and special characters
  • 12-15 character passwords require the use of upper case, lower case, and numeric characters
  • 16-19 character passwords require upper and lower case characters
  • 20+ character passwords only require lower case characters

With the nFront Password Filter, you may enforce the Stanford Password Policy with one easy step. All that is needed is to select the option for “Enforce Stanford Password Policy” as seen in the image below:

The second option is through Length-Based Password Aging. Length-Based Password Aging allows you to enforce different maximum password ages for different lengths of passwords. Essentially, it rewards end-users who select longer passwords because it allows them to keep their password for a longer period of time. This option is only available with the nFront Password Filter Multiple Policy Edition.

With Length-Based Aging, you are allowed up to 4 different password aging tiers. The different password aging tiers are customizable by your company. Here is an example of how you could set up 4 different password aging tiers:

  • 8-11 character passwords will expire every 90 days
  • 12-15 character passwords will expire every 180 days
  • 16-19 character passwords will expire every 270 days
  • 20+ character passwords will expire every 365 days
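As an added example (not nFront’s own code), the following Python models the Stanford Password Policy tiers and the example length-based aging tiers listed above, together with the two filter options the page mentions: no digits or symbols at either end of the password, and skipping the dictionary check for passwords longer than 15 characters. The tier tables follow the page; the function names, the sample dictionary and the constants are assumptions for illustration.

```python
import string
# Stanford Password Policy tiers from the page: (min_len, max_len, required classes)
STANFORD_TIERS = [
    (8, 11, {"upper", "lower", "digit", "symbol"}),
    (12, 15, {"upper", "lower", "digit"}),
    (16, 19, {"upper", "lower"}),
    (20, None, {"lower"}),
]
# Example length-based aging tiers from the page: (min_len, max_len, max age in days)
AGING_TIERS = [(8, 11, 90), (12, 15, 180), (16, 19, 270), (20, None, 365)]
DICTIONARY_SKIP_LENGTH = 15  # page: dictionary check skipped above this length
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "winter"}  # constructed sample
EDGE_FORBIDDEN = string.digits + string.punctuation  # no digit/symbol at either end

def _tier(tiers, length):
    """Return the tier value whose [min_len, max_len] range contains length."""
    for lo, hi, value in tiers:
        if length >= lo and (hi is None or length <= hi):
            return value
    return None

def char_classes(pw):
    """Set of character classes (upper/lower/digit/symbol) present in pw."""
    return {
        name for name, test in (
            ("upper", str.isupper), ("lower", str.islower),
            ("digit", str.isdigit), ("symbol", lambda c: c in string.punctuation))
        if any(test(c) for c in pw)
    }

def max_age_days(pw):
    """Length-based aging: the longer the password, the longer it may be kept."""
    return _tier(AGING_TIERS, len(pw))

def check_password(pw, dictionary=SAMPLE_DICTIONARY):
    """Return the reasons pw is rejected; an empty list means it is accepted."""
    required = _tier(STANFORD_TIERS, len(pw))
    if required is None:
        return ["password must be at least 8 characters"]
    reasons = []
    missing = required - char_classes(pw)
    if missing:
        reasons.append("missing for this length: " + ", ".join(sorted(missing)))
    if pw[0] in EDGE_FORBIDDEN or pw[-1] in EDGE_FORBIDDEN:
        reasons.append("digits or symbols not allowed at the beginning or end")
    if len(pw) <= DICTIONARY_SKIP_LENGTH:  # long passwords skip the dictionary check
        if any(word in pw.lower() for word in dictionary):
            reasons.append("contains a dictionary word")
    return reasons
```

Welcome1 fails on all three rules at once, which is why the default Windows complexity check accepting it matters; a 25-character lowercase passphrase passes and is kept for the longest aging tier.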

As I previously stated, you reward end-users who create longer, more secure passwords by requiring password changes less frequently, and you penalize end-users who choose shorter passwords by requiring changes more frequently. Our YouTube channel has a short video on how to configure the Length-Based Password Aging feature.

Placing passwords in the hands of end-users is not only a smart option, it also empowers employees. Employee empowerment has been known to increase productivity and morale in the workplace.

Hacker and Cyber Insurance 101

Let’s talk about insurance and what it’s actually intended to do. According to Google’s dictionary, insurance has two meanings:

1. A practice or arrangement by which a company or government agency provides a guarantee of compensation for specified loss, damage, illness, or death in return for payment of a premium.
2. A thing providing protection against a possible eventuality.

From the definition, insurance is protection. Insurance does not replace anything or anyone; it is there to provide assistance when an event occurs. A common misconception is that insurance makes you whole: it does not always replace 100% of the losses caused by an event – whether that be life insurance, car insurance, health insurance, or any other type of insurance.

One of the more recent types of insurance that companies are purchasing is hacker or cyber insurance. Some companies think that by purchasing this type of insurance, they will be protected from hackers. This is not the case. In fact, Heartland Payment Systems faced a huge loss in 2009 from a massive data breach. Heartland Payment Systems thought that their $30 million cyber insurance policy would completely cover their company in the event of a breach. The total cost of the data breach was $139.4 million. Heartland Payment Systems did collect the $30 million from their policy; however, they were still left with an additional $109.4 million in expenses from the breach. Keep in mind that Heartland Payment Systems also had to pay yearly premiums for the policy, as well as a deductible to file the claim and collect the $30 million.

With any type of insurance, companies pay yearly premiums. The $30 million that Heartland Payment Systems received was paid out under a policy for which they had paid yearly premiums. To give you an idea of how much premiums cost, Unbrokerage provides a $100,000 policy for $250 per year. In the event that a claim is needed, there is a $1,000 deductible.

Let’s do some quick math: if you had held the policy for 4 years before the breach occurred, here is how much your company would actually receive:

($250 × 4 years) + $1,000 deductible = $2,000
$100,000 insurance policy – $2,000 cost = $98,000

Your company would actually receive a net benefit of $98,000. In essence, you did profit, since you only paid in $2,000. However, according to IBM’s 2016 Cost of Data Breach Study, the average cost of a breach in 2016 was $3.8 million – $4 million. The $98,000 isn’t looking very beneficial anymore: it is less than 3% of the total cost of the average data breach in 2016.

One last topic to note is that just like homeowner’s insurance and car insurance, not all events are covered by cyber insurance.

Insurance is not there to replace your network security; it is merely a supplement. It is there to assist you in the event that a cyber-security breach or hack occurs. The Assistant Director of the FBI’s Cyber Division states: “You’re going to be hacked. Have a plan.” What is your plan? Your plan should not be cyber insurance. Your plan should be security measures that prevent even the remote possibility of a breach. One of those security measures should be a system in place to prevent weak passwords. Be sure to check out the nFront Password Filter for more details.