
Is The Password Dead?



My boyfriend amazed me last weekend when he showed me how he could unlock his brand-new Google Pixel 2 using just his voice. I was seriously impressed until he laughed and showed me the fingerprint scanner on the back that actually unlocked it. To be honest, it’s a perfectly useless piece of hardware, since I know his PIN anyway. Which isn’t much of a win: I just get full access to the albums upon albums of stupid memes that he stores for later consumption.

These days, it seems as though you’d need to live and work in the Pentagon to keep your data safe. And even then, you’d probably be safer by having a photographic memory and never writing or typing anything. Ever. For the entirety of your life, and chances are you’ve ballsed that one up already, right? If not, there you go, cyber security problem solved. You can tell that annoying antivirus update pop-up reminder where to stick it because you JUST DON’T NEED IT. However, if you don’t have the privilege of a) living in the Pentagon or b) having a photographic memory, then keeping your data safe can be a smidge harder (and I’m betting that’s most of us). Back in the old days of computers and the internet, a simple password was enough to keep sensitive data safe. Nowadays, the opportunities for cyber criminals to exploit this information are too good for these less-than-moral people to miss out on.

But, as with the Google Pixel 2, we’re quickly catching on to the fact that a simple password or PIN isn’t enough, especially when it comes to our accounts online. According to password management company Dashlane, a single email address can be registered to a whopping 130 accounts. This tells us that some people either have too much time on their hands or a terrible memory, or both. Let’s be honest, when we have a password that we can remember, has a capital letter, a special character AND contains more than eight characters, we all use the same one for the random things around the web. Deliveroo, Amazon, Tesco Delivery; so many things are online now and they all require an account. That reuse is exactly what attackers count on: once one of those sites is breached, the leaked email and password pair gets tried against every other site, so the weakest account you own sets the security of all the rest. And it’s not much better in the workplace. ‘For security purposes’, passwords get changed every three months or so at work, but it’s just a case of using a particular word and going up the number line each time we get that annoying notification (which is precisely why the NCSC now advises against routine password expiry). I am definitely guilty of this (I wait until the absolute last minute to message around to all of our IT support techies to get it changed. So they all end up knowing my new password. I like to call it ‘herd immunity’). And 42% of workers admit to sharing their passwords with co-workers. So, in the age of GDPR and a heightened awareness of cybercrime, we have to ask ourselves: is the password dead?

A recent Verizon report states that two thirds of data breaches are caused by stolen passwords or misused credentials. So, basically, human error. And it’s not like we can remove that problem until AI progresses enough to create robots that can do the work for us; wouldn’t that be convenient? Maybe robots are the answer, but not in the short term.

Passwords are a lot like mayonnaise. You wouldn’t consume it on its own (or at least not more than a tablespoonful or two straight from the jar at a time), but it’s a nice little addition to a dish. So what would be the ‘pièce de résistance’? We have biometrics that are starting to become popular. Even I managed to fall into the ‘high tech’ phenomenon of having a thumb scanner on my ancient iPhone. And how many times has NatWest bothered me about getting their banking app? “It’s so much safer!” they say. “I don’t trust mobile devices!” I scream back. “WE’VE NEVER HAD A SECURITY BREACH!” they holler. “I WILL NOT BELIEVE IT!” I finish. I’m paraphrasing, of course, the conversation I had with my considerably older banking agent. Shocked that a twenty-something would have so little faith in technology, he took out his fancy phone to show me. Needless to say, I won that argument. As it was, it took me a while to get into the idea of biometrics. Realistically, all it takes is some criminal genius to sever your finger to access your bank account. I don’t know about you, but having someone steal my money after stealing my thumb is, quite literally, adding insult to injury.

So what about removing the password altogether? I’m not suggesting we scrap the whole thing, of course. But multi-factor authentication has become something of interest recently. Microsoft shocked the world in May when they announced in a blog post that they were trying to rid the world of passwords for good. Promising a future where end users will never have to deal with passwords while also vowing that user credentials will never be ‘cracked, breached or phished’ seems too good to be true. But apparently, with 47 million users worldwide, Windows Hello is very much a thing. From the user’s side it only needs one gesture: facial recognition (luckily, you’re slightly less likely to have your face severed), a fingerprint or an iris scan. The trick is that the gesture never travels anywhere; it just unlocks a key that lives on that particular machine, which is why Microsoft counts it as two factors (the device you have plus the face or finger you are) even though you only do one thing. If you are absolutely adamant that a fingerprint scan is the way you want to go, you can buy a tiny little USB reader to plug into your laptop, a bit like the dongle of a wireless keyboard. I’ve said it before, but starting my day like Tom Cruise in Minority Report sounds pretty cool. I might just start getting out of bed at the first alarm every morning. My ultimate favourite feature of Windows Hello is Dynamic Lock. It’s a fancy name for something pretty simple; essentially, your computer detects when you’re out of reach and automatically locks itself. And by ‘you’, I mean your phone: Windows watches the Bluetooth connection to a paired phone and locks the PC roughly 30 seconds after that signal drops. So you’ll never have to worry about fire drills, emergency pee breaks, or having your laptop stolen out of the window by sleuths with fishing rods (unless they are quick about it, or your phone leaves in the same bag). True peace of mind.

What makes Windows Hello so secure? If you use facial or fingerprint recognition, Microsoft does not transfer the raw biometric data over the internet. So that’s already a huge chunk of potential Mission Impossible criminals who won’t be able to make latex copies to break in. Microsoft doesn’t even store the raw data; it keeps an abstracted template instead, encrypted and held only on that machine, where it can only be interpreted by the device that made it. The biometric match happens locally and simply unlocks a private key on the PC (protected by the TPM chip where the hardware has one). The only thing the online service ever receives is the matching public key at enrolment and, at sign-in, a signature over a fresh one-off challenge. Nothing in that exchange can be replayed, and a breach of the service’s database yields public keys rather than anything an attacker could log in with. On the software side you need Windows 10 (the Anniversary Update or later; Dynamic Lock arrived with the Creators Update), and on the hardware side a supported fingerprint reader or an infrared camera for face recognition, since an ordinary webcam won’t do.
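The key-pair exchange behind a Hello sign-in, as an added example that is not Microsoft’s code and not part of the original post: a small Go model of a device-bound credential. The Device holds an Ed25519 private key that only signs after a local gesture check succeeds (the enrolled gesture is a constructed string here; real hardware compares a biometric template and keeps the key in the TPM), and the Server stores only public keys and single-use challenges. The type and function names (Device, Server, NewDevice, Challenge, Respond, Verify), the domain-separation prefix and the user ‘missy’ are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the user's PC. The private key is generated on the device and
// never leaves it; Respond only signs once the local gesture check succeeds.
// In real hardware the gesture is a biometric match and the key sits in the TPM;
// here the enrolled gesture is a constructed string (an assumption of this example).
type Device struct {
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	gesture string
}

// NewDevice enrols a gesture and generates the device-bound key pair.
func NewDevice(gesture string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv, pub: pub, gesture: gesture}, nil
}

// PublicKey is the only part of the credential that is ever sent to the server.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Respond performs the local gesture check and, on success, signs the challenge.
// A failed gesture leaves the key locked: there is no password to type instead.
func (d *Device) Respond(user, gesture string, nonce []byte) ([]byte, error) {
	if gesture != d.gesture {
		return nil, errors.New("local gesture failed: key stays locked")
	}
	return ed25519.Sign(d.priv, authMessage(user, nonce)), nil
}

// Server models the identity provider. It holds public keys and outstanding
// challenges only, so a dump of its store contains nothing an attacker can log in with.
type Server struct {
	pubKeys map[string]ed25519.PublicKey
	nonces  map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Enroll registers a device's public key for a user (a real deployment would
// authenticate this step, e.g. with an existing session or an admin-issued code).
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh 32-byte random nonce; every sign-in gets a new one.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// Verify checks the signature against the enrolled public key and consumes the
// nonce, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.nonces[user]
	if !ok {
		return false
	}
	delete(s.nonces, user)
	pub, ok := s.pubKeys[user]
	return ok && ed25519.Verify(pub, authMessage(user, nonce), sig)
}

// authMessage binds the signature to both the user and the nonce, so a
// signature produced for one account cannot be presented for another.
func authMessage(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("hello-demo-v1/")) // constructed domain-separation prefix
	h.Write([]byte(user))
	h.Write([]byte{0})
	h.Write(nonce)
	return h.Sum(nil)
}

func main() {
	dev, _ := NewDevice("face-template-42") // constructed gesture
	srv := NewServer()
	srv.Enroll("missy", dev.PublicKey())

	nonce, _ := srv.Challenge("missy")
	if _, err := dev.Respond("missy", "someone-else", nonce); err != nil {
		fmt.Println("wrong face:", err)
	}
	sig, _ := dev.Respond("missy", "face-template-42", nonce)
	fmt.Printf("nonce %s... signed; server accepts: %v\n", hex.EncodeToString(nonce[:4]), srv.Verify("missy", sig))
	fmt.Println("same signature replayed; server accepts:", srv.Verify("missy", sig))
}
```

Two things to notice when running it: the server never sees the gesture, only a signature, and because Verify deletes the nonce on first use, presenting the same signature twice fails. A second device that knows the right gesture but was never enrolled also fails, because its key pair is different; that is what makes the credential bound to the machine rather than to something a phishing page could ask for.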

So, what do you think? Will you be chucking that little black notebook full of usernames and passwords? (Maybe burn it instead) Or will you insist on keeping the same password you’ve used since you had to put your social media profiles on private? Either way, you might be interested in hearing what our experts can do for you.


Missy Beaudelot – Digital Marketing Executive
With a background in journalism and an interest in all things tech, Missy keeps our social media in check while monitoring our websites and developing our digital presence.

 


GDPR – That ‘light at the end of the tunnel’ might just be a train coming!



Having been asked to blog about GDPR, I decided to avoid the standard, attention-grabbing approach of stating the size of the fine for a breach of the upcoming GDPR regulation. If you’re not already aware, check your junk mail for GDPR workshop invites; the figure will be somewhere in the header or first paragraph.

I’ll start, instead, with a question: are you struggling to get a handle on GDPR? Welcome to the club! As organisations of all sizes stand trapped in the headlights that are ‘the May 25th GDPR deadline’, who better to turn to than the Information Commissioner’s Office (ICO) for some clarity? The ICO provides a helpful ‘What’s New’ section, so I thought I’d take a look at February’s ‘news’. It included such helpful guidance as:
The term “right” in the provision does not mean that Article 22(1) applies only when actively invoked by the data subject. Article 22(1) establishes a general prohibition for decision-making based solely on automated processing.

And:
Article 35(3)(a) refers to evaluations including profiling and decisions that are ‘based’ on automated processing, rather than ‘solely’ automated processing. We take this to mean that Article 35(3)(a) will apply in the case of decision-making including profiling with legal or similarly significant effects that is not wholly automated, as well as solely automated decision-making defined in Article 22(1).

So that was helpful.

Seeking even greater clarity, I turned to Elizabeth Denham, the Information Commissioner, who has been doing the rounds ahead of the May ‘deadline’. Ms Denham is clearly passionate about her mission and speaks very clearly on the importance of GDPR; however, there is a degree of ambiguity in her messaging. In various blogs and speeches this year she has provided the following guidance (which I’ve taken the liberty of categorising based on her perceived stance):

Very Hard: “Last year we issued more than one million pounds in fines for breaches of the Data Protection Act, so it’s not a power we’re afraid to use.”

Hard: “There will be no ‘grace’ period as organisations will already have had two years to prepare.”

Vague: “Compliance should involve an ongoing effort in which organisations have to show they are putting the key building blocks in place”.

Soft: “While there will be no grace period – you’ve had two years to prepare – I know that when 25 May dawns, there will be many organisations that are less than 100% compliant.”

Very Soft: Ms Denham has said her organisation “is not planning to take a hard line on the 25 May implementation date for compliance with the EU General Data Protection Regulation”

I hope that makes things clearer for you? No? Don’t worry – you’re not alone. Cetus has run a series of GDPR workshops over the last year and they’ve been attended by a wide range of people, with an equally wide range of opinions on GDPR. These range from “it’s a disaster about to happen” to “thought I’d pop along to see what all the fuss is about”. The funny thing is that they were all correct – it’s just a matter of how well your preparations are under way that defines the potential impact to your organisation come the 25th May.

Common amongst many of our workshop attendees was the fact that ours wasn’t the first (or even second) GDPR workshop they’d attended. However, the post-workshop feedback pretty much unanimously agreed that our approach to explaining GDPR was the most helpful they’d had. But why?

Unlike others, we described how a multi-partner approach needs to be taken. We combined deep subject knowledge from a GDPR practitioner with a holistic security approach that looks to redefine an organisation’s digital boundary. At the end of the workshop we’d provided clear, practical next steps to allow the attendees to prepare for the deadline.

So, is GDPR just a legislative thing? Once again, I would like to quote Elizabeth Denham: “Only one in five people in the UK trust organisations to look after their data”. That’s a pretty miserable statistic. You might ask yourself: is your organisation one of the trusted one in five, or one of the untrusted 80%? It could be more important to the future of your organisation than ‘mere’ legislation.
