POPI and data security - there is no time to lose

South African companies are being hacked as often as any other companies in any other country around the world, says Craig Moir, MD of MyDBA.


Johannesburg, 29 Mar 2017

South Africa cannot pretend anymore that we are not victims of cyber crime and data breaches. South African companies are being hacked as much as any other organisation in any other country around the world. The general population may not think it is prevalent here because there is no law requiring data breaches to be made public, i.e., it is hushed up. That is, until POPI.

Although POPI has been in the making for a few years now, hopefully it will start getting some teeth with the recent appointment of Pansy Tlakula as chairperson of the newly formed information regulator. This has been long outstanding and is in the interest of the South African people.

However, from my experience, companies have not been taking POPI too seriously, having either failed to adequately address data security, or having failed to even embark on a strategy to implement an enterprise-wide, data-focused security strategy, says Craig Moir, MD of MyDBA.

When we talk about data security, we are referring to the means of securing the data where it is physically kept. Typically, this will be in a database in a structured format, or in an unstructured format on file servers. This is where personal information predominantly resides and this is what hackers and insider threats are trying to get at. You can have as much security as you like surrounding your database, but not protecting your data within the database is akin to having electric fencing, burglar bars and locked doors in your house, but leaving your expensive jewellery in an unlocked box on a dressing table. You also need to put that jewellery into a safe.

A key factor in being able to protect your data is to know what data you actually have and where it resides. But not all data is sensitive and in need of protection, and a lot of your data will have no value outside of your organisation. So, not only do you need to identify all your data, but you also need to classify this data.

Data can be generally classified into three categories. First is data that legislation requires you to protect, typically personally identifiable information (PII). Second is data that does not fall under legislative requirements, but is nonetheless of huge value to your organisation, and which you don't want to fall into the hands of your competitors. Lastly, the third type of data is that which is not protected by legislation, nor does it hold any value outside of your organisation and therefore does not need specific protection.

Before you can even embark on a data security strategy, you need an enterprise-wide data inventory so you know exactly what data you have, what data requires protecting, and where this data is physically residing.

The next step to protecting your data is determining who has legitimate rights to access this data. The principle of least privilege (POLP) needs to be applied to all your sensitive data, only allowing your employees the minimal access to sensitive data that will allow them to perform their normal job function. This often requires changes to access privileges as well as revoking excessive access rights.

Only once you are able to determine what constitutes authorised access to sensitive data are you able to determine what constitutes unauthorised access to sensitive data. This includes privilege abuse.

It is only at this stage that an organisation is in a position to start building its data access policies and put in data security measures. Such measures would include monitoring and reporting on authorised access to sensitive data, but also monitoring and preventing unauthorised access. The same goes for identifying, reporting and blocking of privilege abuse.
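The sequence above (inventory, classification into the three categories, least-privilege policy, then monitoring for unauthorised access and privilege abuse) as a small added illustration. This is not MyDBA's code or product; every dataset, role, threshold and audit line is a constructed sample value, and "privilege abuse" is modelled simply as a granted privilege used to pull an abnormally large number of sensitive rows.

```python
"""Data inventory -> classification -> least privilege -> access monitoring.
Added example; all names and values below are constructed, not real systems."""
from enum import Enum


class Tier(Enum):
    PII = 1           # legislation (POPI) requires protection
    CONFIDENTIAL = 2  # unregulated but valuable to the organisation
    PUBLIC = 3        # no value outside the organisation, no specific protection


# Steps 1-2: enterprise-wide inventory with classification and physical location
INVENTORY = {
    "crm.customers":    (Tier.PII, "db01/crm"),
    "hr.payroll":       (Tier.PII, "db02/hr"),
    "sales.pricing":    (Tier.CONFIDENTIAL, "db01/sales"),
    "marketing.assets": (Tier.PUBLIC, "fs01/share"),
}

# Step 3: least-privilege policy, only the minimum each role needs on sensitive data
POLICY = {
    "call_centre_agent": {"crm.customers": {"SELECT"}},
    "payroll_clerk":     {"hr.payroll": {"SELECT", "UPDATE"}},
    "sales_analyst":     {"sales.pricing": {"SELECT"}},
}
BULK_ROW_THRESHOLD = 1000  # constructed threshold for abnormal bulk reads


def is_sensitive(dataset):
    return INVENTORY[dataset][0] is not Tier.PUBLIC


def is_authorised(role, dataset, op):
    """Step 4: on sensitive data, anything not explicitly granted is unauthorised."""
    if not is_sensitive(dataset):
        return True
    return op in POLICY.get(role, {}).get(dataset, set())


def review_access_log(lines):
    """Step 5: flag unauthorised access and privilege abuse in audit lines of the
    constructed form: time user role dataset operation row_count."""
    findings = []
    for line in lines:
        ts, user, role, dataset, op, rows = line.split()
        if not is_authorised(role, dataset, op):
            findings.append((ts, user, dataset, "unauthorised"))
        elif is_sensitive(dataset) and int(rows) > BULK_ROW_THRESHOLD:
            findings.append((ts, user, dataset, "privilege abuse"))
    return findings


SAMPLE_LOG = [  # constructed audit lines
    "09:01 alice call_centre_agent crm.customers SELECT 1",
    "09:02 bob sales_analyst crm.customers SELECT 1",
    "09:05 carol payroll_clerk hr.payroll SELECT 25000",
    "09:07 dave sales_analyst marketing.assets SELECT 500",
    "09:09 alice call_centre_agent crm.customers DELETE 3",
]
```

Running `review_access_log(SAMPLE_LOG)` reports bob's read of customer PII he was never granted, carol's bulk payroll extraction under a legitimate grant, and alice's DELETE outside her SELECT-only access, while dave's large read of public data is left alone.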

As you can see, a great deal of work has to be done by an organisation before it can even think of implementing any data security solutions. This work is spread across many departments and requires the co-ordinated input from many people, and will take some time to complete.

The bottom line is that if large enterprises have not yet embarked on a data security project, then they could find themselves falling foul of legislation purely due to the fact that architecting and implementing a data security solution across an enterprise is no small task and could take at least a year or more to complete.

If legislation requires compliance to happen within one year, you are likely to see a lot of panic and disruption within the organisation, which will undoubtedly be caused by the shortage of experienced data security software vendors in South Africa, and a sudden surge in demand for their services. This will naturally be exacerbated by the current skills shortage in the IT security industry.

There is no time to lose!
