October 6, 2017, 11:45 am. Posted in Not So Stupid Questions.


This question is tricky, because the answer isn’t as clear as with the previous question. The answer is: it depends. A company should take ‘appropriate measures’, but what is appropriate, and who decides this? And how?

To answer the GDPR question we need to define what appropriate measures are. A first place to look for answers is ENISA. The European Union Agency for Network and Information Security (ENISA) is a centre of expertise for cyber security in Europe. They provide guidelines and recommendations, such as GDPR-compliant guidelines for SMEs (small and medium-sized enterprises).

SMEs represent 99% of all businesses in the EU. An SME is defined as a company that has fewer than 250 employees or under 250 million euro in annual revenue.

Who decides what is appropriate? That would be your responsibility, as the company. However, ENISA has, based on expertise and experience, provided several documents for various types of assessment, to help you decide what appropriate measures are.

We need to think about the scope, nature, context, spread, volume and type of data when we do a risk assessment. In the risk assessment, you would identify the security threats and the data in question, and then give each item two scores: one for the impact it would have, and one for its probability. The two scores combined yield what is referred to as a risk level, the calculated risk. That calculated risk will be the basis for deciding which appropriate security measures should be implemented and maintained.

For access control and authentication, the recommended security measures are color coded to represent the risk level score. Green symbolizes basic measures such as:

- Avoiding common user accounts
- Username and password should be required
- Password should be complex

At the next level, yellow, the recommendation is that a password policy should be defined and documented. Also, passwords should be stored hashed.

When the risk level is high, color coded as red, two-factor authentication is recommended, and to take it even further, device authentication is recommended.

So….? Is two-fac required? Yes and no. I believe that for many companies the risk assessment will show that two-fac would be a recommended security measure.

What are your thoughts?
