Using hardware to help your GDPR password compliance
GDPR compliance is a huge area for many businesses, especially firms that hold sensitive data and have a number of remote staff. Many small businesses fall down in simple areas of IT security because they don’t have the resources to cope with the latest cyber threats. Staff are vulnerable to phishing attacks, social engineering, or malware such as keyloggers.
A member of staff may not even have realised they’ve been hacked, and their password usually becomes the focal point of any data breach. In small businesses it’s unlikely that data is segregated on a permissions basis, which may mean that the entire scope of the company’s data is exposed in a breach.
In order to prevent these attacks, many small businesses are taking a more stringent approach to data protection, and passwords have been identified as a high-risk area. Many businesses have been implementing new password structures with greater strength against brute-force attacks or phishing. These are generally complicated, case-sensitive alphanumeric passwords, often including special characters. Changes like this can leave staff annoyed and confused, especially when using characters such as the “top hat” (the caret, ^).
A robust policy would also reset passwords regularly, with a 3 month period not uncommon. Such changes may also be met with resistance, and it would not be unusual to see staff writing passwords down on paper and sticking them by their machine. Such actions clearly make data protection worse, not better!
A potential solution?
As we access the majority of our data through a web browser, and many other businesses do so where they operate a remote desktop environment, password managers have been one solution. Services such as LastPass have been used extensively, but they have a significant single point of failure: the master password. A password manager may eliminate the need to remember multiple complex passwords, but the onus is still on the user to remember and regularly update this master password.
All online passwords are vulnerable to hacking, but hardware wallets are not. Originally designed to store cryptocurrency, the Trezor device was built and designed to let you ‘be your own bank’. That level of security is now used to protect passwords, and it could be the ultimate way to manage your password security while removing the burdensome memory exercises.
How does it work?
When you set up your wallet you are given a secure 24 character seed word and create a PIN number. Once your wallet is created it’s time to configure your password manager. This links your Trezor to a Dropbox or Google Drive account, which is where your Trezor will store your encrypted passwords. The level of encryption means that even if someone else gains access to that data, it is completely useless to them. Secure.
You create and store your passwords as required, and from the password manager screen you can log in to any service you require. In order to access the password manager you must have your Trezor plugged in and have entered your PIN code. A manual button push is then required when logging in to a service, the hardware device confirming that you are happy to decrypt that part of the data.
Your Trezor acts as a physical key to your online world, and it will only work if you know the PIN code. It’s a fantastic, easy piece of security.
What if I lose my Trezor?
Remember the 24 character seed word we mentioned at the start? You store this offline, usually using something robust to protect it such as a Billfodl. This is your recovery method: with that data you can recreate the account on any other Trezor.
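To make the “How does it work?” and “What if I lose my Trezor?” sections concrete, here is an added Python model of the architecture they describe. It is not Trezor’s code and not the vendor’s real cryptographic scheme: the seed-to-key derivation, the PIN gating, the per-entry confirmation callback, the stdlib HMAC-based cipher standing in for a real AEAD, and every name and value in it are assumptions made for illustration. What it shows is why the blob sitting in cloud storage is useless on its own, why a wrong PIN or a declined button press blocks decryption, and why a replacement device restored from the same seed can read the existing vault.

```python
import hashlib
import hmac
import os

# Constructed placeholder values for the demo only; a real device generates its
# own recovery phrase and the user chooses the PIN on the device itself.
DEMO_SEED = "placeholder recovery phrase - constructed for this example"


class HardwareDevice:
    """Stand-in for the hardware wallet: the seed-derived secret never leaves it."""

    def __init__(self, seed: str, pin: str) -> None:
        # Hypothetical derivation, not the vendor's real scheme: the vault root key
        # depends on the seed only, so any device restored from the same seed
        # reproduces it; the PIN gates access but is not a key input.
        self._root = hashlib.pbkdf2_hmac("sha256", seed.encode(), b"vault-root", 50_000)
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self._unlocked = False

    def unlock(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(self._pin_hash, hashlib.sha256(pin.encode()).digest())
        return self._unlocked

    def entry_key(self, entry_id: str, confirm) -> bytes:
        """Per-entry key; needs a prior PIN unlock and a button press (the confirm callback)."""
        if not self._unlocked:
            raise PermissionError("device locked: enter PIN first")
        if not confirm(entry_id):
            raise PermissionError("user declined decryption on the device")
        return hmac.new(self._root, b"entry:" + entry_id.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF keystream (stdlib stand-in for AES-GCM).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; wrong key or tampering -> ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or modified blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudVault:
    """What actually lands in Dropbox / Google Drive: entry names and ciphertext only."""

    def __init__(self) -> None:
        self.blobs = {}

    def store(self, device: HardwareDevice, entry_id: str, secret: str, confirm) -> None:
        self.blobs[entry_id] = encrypt(device.entry_key(entry_id, confirm), secret.encode())

    def reveal(self, device: HardwareDevice, entry_id: str, confirm) -> str:
        return decrypt(device.entry_key(entry_id, confirm), self.blobs[entry_id]).decode()


def _blocked(action, exc) -> bool:
    try:
        action()
    except exc:
        return True
    return False


def demo() -> dict:
    """Walk through the flows the text describes and report each outcome."""
    yes, no = (lambda _e: True), (lambda _e: False)
    device = HardwareDevice(DEMO_SEED, "1234")
    device.unlock("1234")
    vault = CloudVault()
    vault.store(device, "crm.example.test", "Tr0ub4dor&3", yes)
    results = {"plaintext_in_cloud": b"Tr0ub4dor&3" in vault.blobs["crm.example.test"]}
    results["revealed"] = vault.reveal(device, "crm.example.test", yes)
    results["declined_blocked"] = _blocked(lambda: vault.reveal(device, "crm.example.test", no), PermissionError)
    locked = HardwareDevice(DEMO_SEED, "1234")
    locked.unlock("0000")  # wrong PIN: device stays locked
    results["wrong_pin_blocked"] = _blocked(lambda: vault.reveal(locked, "crm.example.test", yes), PermissionError)
    stranger = HardwareDevice("some other seed", "1234")  # has a copy of the blob, not the seed
    stranger.unlock("1234")
    results["stolen_blob_useless"] = _blocked(lambda: vault.reveal(stranger, "crm.example.test", yes), ValueError)
    replacement = HardwareDevice(DEMO_SEED, "9876")  # lost device recreated from the seed backup
    replacement.unlock("9876")
    results["recovered"] = vault.reveal(replacement, "crm.example.test", yes)
    return results
```

Running `demo()` returns a dictionary of outcomes: the cloud blob never contains the password, the unlocked device with a button press reveals it, a declined press or a wrong PIN raises `PermissionError`, a device built from a different seed fails the authentication tag on the stolen blob, and the replacement device restored from the same seed (with a freshly chosen PIN) reads the same vault. The design point to take from it is that the cloud copy is only as sensitive as the ciphertext, and every decryption is tied to possession of the device, knowledge of the PIN and a physical confirmation.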
This physical aspect of a digital world removes a great deal of risk and offers a great deal of protection, especially when the fines for a data breach are so punitive. As the devices can be reconfigured and transferred to new members of staff, the costs of setting up and maintaining this security programme are minuscule, with the hardware (including the backup solution) costing less than £200 per person.