A leading cyber security expert has predicted that GDPR 2 could be coming – on the same day the long-awaited General Data Protection Regulation finally became law.
GDPR gives people more rights over how their personal information is used but companies breaching the law risk being fined up to 20 million euros or 4 per cent of a company’s global turnover.
Entrepreneur Stina Ehrensvard is the CEO and founder of Yubico and told BusinessCloud she wants to see the GDPR evolve from guidance to practical advice.
“In the future, I think there will be a GDPR 2.0 that will specify what you need to do in order to avoid being breached,” predicts Ehrensvard.
Her company has worked closely with the likes of Google, Microsoft and Facebook to create support for physical security keys, which users carry on their person to reduce ‘phishing’ attempts.
“80 per cent of breaches are due to weak credentials,” she explained. “The internet was not designed for security, just like car wasn’t designed for safety.
“50 years ago there were no seatbelts and people were dying like flies on the highway.
“Safety became a problem, and an engineer at Volvo came up with the idea of the three-point seatbelt.
“He went to Volvo’s board, and told them they had to give seatbelts to the world by opening up the patent.
“Now you can’t buy a car without a good seatbelt and the government has fines for not wearing one. It’s the same story with GDPR.
“It’s the first attempt by the government to recognise that responsibility needs to be taken for personal data.”
It’s estimated that billions of stolen passwords are available on the internet, and without another way to confirm a user’s identity, these stolen logins could lead to data breaches and GDPR infringements which mean heavy fines.
“I think the current GDPR is a really good start, but it’s woolly and it’s not clear yet what you need to do,” she said.
“It doesn’t tell a company that it needs to implement two-factor authentication, or that you need to have hardware security. It doesn’t describe the actual technologies or actions you need to take.”
Two-factor authentication is a security method which helps to stop cyber attackers from logging in to your account, even if they have access to one of the many leaked passwords on the internet.
Two-factor authentications can be done either with a confirmation code text to your phone or a confirmation email to your inbox.
Hypothetically, this means that a cyber attacker can’t login to your account without also having access to your phone or email address.
But modern phishing attacks can get past two-factor authentication by also manipulating users into entering confirmation codes or by hacking into emails.
Ehrensvard’s company Yubico, and its YubiKey, hope to solve this problem by bringing things back into the physical world.
Instead of relying on a smartphone and SMS to complete the two-factor login, the Yubikey provides a dedicated piece of hardware which holds an ever–changing password.
The keys vary in size and look like a USB stick. They can be plugged in or scanned like a contactless payment. The devices verify the owner’s identity by scanning their fingerprint.
If the cyber attacker doesn’t physically have a users’ YubiKey, they can’t confirm a login.
“In the future, this technology will be built into computers and phones,” explains Ehrensvard.
“Rest assured, not everyone will have to carry a key, but it’s good to have a backup.”
The company boasts over four million customers in over 160 countries and zero ‘account takeovers’.