This week marks the third anniversary of the General Data Protection Regulation (GDPR), which is arguably the most far-reaching data privacy and security law to date. Any organization that conducts business with individuals or organizations in the European Union must comply with the GDPR, even if the organization has no physical presence in the EU.
In addition to giving European consumers more control of how organizations can use their personal data, the GDPR mandates that organizations bake data security into their products, policies, procedures, and systems from inception; holds organizations responsible if one of their third-party vendors or partners is breached; and requires organizations to notify the authorities and affected customers within 72 hours of detecting a breach.
Organizations that run afoul of the GDPR can lose big; the EU’s Data Protection Authorities can levy fines of up to €20 million ($24.1 million) or 4% of annual global turnover, whichever is higher.
Poor Password Security At Fault for Most Breaches
At the time of its implementation, privacy advocates hoped that the GDPR would usher in a new era of data privacy and security, including a reduction in data breaches. Yet three years and millions of euros/dollars in fines later, data breaches are still a daily occurrence.
One of the largest GDPR fines to date — £20 million (over USD $28 million) — was levied against British Airways for a 2018 breach that compromised the personal data of over 429,000 customers. According to the UK Information Commissioner’s Office, the breach was caused by BA not following basic security best practices, such as limiting user network access to sensitive data and systems and implementing two-factor authentication (2FA).
BA is far from being the only organization with password security problems. About 81% of successful data breaches are due to weak or compromised passwords. Compromised credentials also play a role in about 75% of ransomware attacks.
Protect Your Organization from Data Breaches & GDPR Fines
To help prevent data breaches and GDPR fines, organizations need to deploy an enterprise password management (EPM) platform and institute a zero-trust security architecture that verifies all users and devices before they’re allowed to access corporate resources.
Keeper’s zero-knowledge EPM utilizes a unique encryption and data segregation framework that helps support zero trust by protecting against remote data breaches. Keeper uses PBKDF2 to derive authentication keys based on each user’s Master Password, then generates individual record-level AES-256 encryption keys locally on the device to encrypt each record, ensuring that only the user can access their Keeper vault.
Additionally, Keeper gives organizations the visibility into and control over employee password practices that they need to implement a zero-trust security model. IT administrators can monitor and control password use across the entire organization, both remote and on-prem, and enforce security policies such as strong, unique passwords, 2FA, role-based access control (RBAC), and least-privilege access. Keeper also has the following benefits:
- Ease of use for both IT admins and end users; rapid deployment on all devices with no upfront equipment or installation costs.
- Personalized onboarding and 24/7 support and training from a dedicated support specialist.
- Support for auditing, event reporting, and multiple compliance standards, including HIPAA, DPA, FINRA, and GDPR.
- Easy integration with SSO; no need for separate logins.
- Secure storage for sensitive files, documents, photos, and videos on unlimited devices.
- Private vaults for each employee, plus shared folders, subfolders, and passwords for teams.
- Complete flexibility; whether your organization is an emerging business or a multinational enterprise, Keeper scales to the size of your company.
Keeper takes only a few hours to deploy, requires minimal ongoing management, and scales to meet the needs of any size organization.