Make your Service Desk GDPR Compliant
Lowering Risk Through State-of-the-Art Assisted Password Reset
In the long list of actions to complete on the road to GDPR compliance, password resets typically appear towards the bottom of the schedule.
Instead, the focus is typically placed on activities such as data classification and information governance process flows. I understand this emphasis, but companies seeking GDPR compliance should not lose sight of some of the elementary steps in protecting their organization. Passwords — love them or hate them — underpin the vast majority of organizations' processes and data, and preventing unauthorized access to personal data is a core principle of GDPR, as stated in article 5 (personal data shall be "processed in the manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing").
Indeed, much of GDPR is about doing basic security well. GDPR is not at all prescriptive about security processes and technologies and leaves the mechanics of security for individual companies to decide. The onus is on companies to determine appropriate processes and apply technical measures to support compliance. Importantly, companies must also evidence the fact that they are engaged in good practice. So how do password resets fit into this objective?
One of the main objectives of GDPR is to encourage organizations to prevent personal data breaches. But the 2016 Data Breach Incident Report (DBIR) by Verizon states that 63% of confirmed data breaches involve weak, default or stolen passwords. Passwords are not perfect, and the weaknesses are well documented. However, they persist because they are cheap, familiar and easy to use. In fact, most breaches associated with passwords are a consequence not of an inherent weakness in the passwords themselves, but in password management.
Poor password management processes could have profound consequences if they lead to data breaches. But it's not necessary even to have a data breach to be non-compliant with GDPR: A poor process, or lack of evidence of a process, is equally non-compliant. Poor password processes typically result from an extreme focus on cost. According to the Service Desk Institute, 35% of service desks have no authentication process at all when resetting passwords. Under GDPR, however, this cost equation must shift, given the high fines and other sanctions levied for non-compliance. Spend a little more to be fined a lot less.
It can be tedious to use helpdesk to reset a password, and so end users prefer a self-service approach. But user adoption rates of self-service resets are typically lower than 40%, with an average of 20% being typical for most organizations. When self-service approaches fail, a second person is involved, in a so-called assisted password reset process. This introduces an important vulnerability, that of privileged user credential abuse. There is usually no way to prove absolutely that an unauthorized administrator could know a user's password.
The FastPass solution to password resets addresses this issue by eliminating the possibility that a second person can know a user's password, even though they facilitate the reset. The assisted reset process also directs users back to the self-service process, thus reinforcing its usage and increasing adoption. It creates a virtuous circle of self-service password reset.
In the grand scheme of GDPR, password resets must seem the least of the worries of a compliance officer. But it is an indicator of attention to detail that an auditor or supervisory authority will note. It demonstrates a thoughtful consideration of identity and access control and helps to evidence the prevention of unauthorized processing of or access to personal data.
Stay on top of the latest updates in Corporate Password Security & Identity Verification
Subscribe to our Newsletter!