
Security challenges presented by POPI and the pandemic

Companies previously accepted potentially insecure devices within their environments as they weighed risk against productivity rewards. But the scales are tilting alarmingly.
By Paul Stuttard, Director, Duxbury Networking.
Johannesburg, 03 Nov 2020

The COVID-19 pandemic has created a legion of remote workers around the world. Remote working is a trend that organisations and employees have embraced to the extent that online engagement with co-workers, customers, suppliers, agents and other stakeholders has become fundamental to business operations. It’s the “new normal”.

A recent survey conducted by research and advisory company Gartner revealed that around 50% of companies will permit employees to remain working remotely even as their offices reopen in the post-pandemic world.

In a report prepared by the South African Broadcasting Corporation, labour analyst Terry Bell says “working from home is going to become much more common”. He believes it’s a cheaper, more attractive option for employers as they don’t have to provide office space. “From a worker’s point of view, [as] they end up working as individuals, they will then end up being negotiated with as individuals,” he notes.

While organisations and employees may well benefit from these arrangements, there is one stumbling block – information security.

It is accepted that the use of technology outside the traditional workplace has placed companies and individuals in an invidious position. Due to a general lack of appropriate threat detection and response mechanisms in place, corporates are often unable to secure devices (endpoints) outside of their networks.

In addition to laptop computers and cellphones, these devices include scanners, printers, smart TVs, security cameras, smart lighting, digital assistants, AC systems, medical devices, manufacturing devices and more.

According to available research data, many organisations are unable to immediately identify – much less secure – around 40% of the devices in their environment. This number is said to balloon by 30% in 2021.


Users are thus increasingly faced with the possibility of their personal information being accessed and used illegally by nefarious entities.

In South Africa, it’s a situation highlighted by the Protection of Personal Information (POPI) Act. It was brought into law in June 2020, with organisations having until 1 July 2021 to ensure full compliance.

The objective of the POPI Act is to ensure SA is in line with existing data protection laws around the world. The Act’s stated goal is to protect data subjects from security breaches, theft and discrimination.

Obviously, security safeguards are an essential part of compliance with the Act which tasks organisations with securing the integrity and confidentiality of personal information. The Act places the onus on organisations to apply appropriate security practices and procedures.

It’s worth noting that a contravention of the POPI Act constitutes a criminal offence by the business entity concerned. Crucially, the Act follows an approach whereby liability for damages can be established without a respondent having acted in a negligent or reckless way. This form of liability is referred to in law as “strict liability”.

If personal information is at risk, could organisations unknowingly contribute to its compromise? Undoubtedly. Personal data is held by a vast number of entities apart from the owner. It is stored by banks, suppliers and a host of organisations with which companies and individuals interact – on a once-off or regular basis.

It’s a widely-held view that SA is experiencing a significant increase in instances of personal information loss linked to the expanded attack surfaces associated with remote working.

In order to comply with the POPI Act, organisations must establish measures to ensure personal information is only collected, used, deleted or otherwise handled in prescribed ways.

Organisations are thus tasked with creating ethical standards for the processing of personal information and establishing standard operating procedures (SOPs) for its secure handling, processing and archiving.

Needless to say, the penalties associated with POPI non-compliance are severe – fines of up to R10 million and jail sentences of up to 10 years.

The fast-approaching final deadline for POPI compliance underlines the need to promptly establish SOPs and verify controls capable of meeting the requirements of accepted, proven security standards such as the NIST (US National Institute of Standards and Technology) Cyber Security Framework or the UK government’s Cyber Security Scheme.

SOPs must be able to identify the ever-increasing numbers of managed and un-managed devices associated with the corporate network. And the controls must be able to define, mitigate and manage the risks associated with these devices and take action as necessary to alleviate hazards.

Previously, organisations accepted potentially insecure devices within their environments because they weighed the risk factors against the productivity rewards. Today, the scales are tilting alarmingly. Targeted attacks are on the rise, boosted by many devices’ inability to be managed or updated. Traditional firewall, network and endpoint security solutions are no longer up to the task of effective threat mitigation.

Fortunately, technology is now at hand to assist organisations in their quest to implement POPI-compliant security frameworks. Promising solutions offer broad-spectrum coverage: detecting and identifying security threats, and protecting against them via an immediate and appropriate response strategy. They aim to ensure transparency within the corporate environment in the broadest sense while ensuring unimpeded workflows.

This involves the monitoring of point-of-sale devices, personal computers, servers, Internet of Things devices, mobile and unmanaged devices. It includes the supervising of wireless hotspots and network connections and – importantly – encompasses vital personal information transmissions such as credit-card-holder data to service providers.

In this light, corporate asset management visibility is key to the success of any security strategy. Every asset’s risk score, based on factors such as vulnerabilities, known attack models and behaviour patterns, will assist in defining and characterising the corporate attack surface.

Moreover, the continuous monitoring of the behaviour of devices on the corporate network and in its airspace for anomalies in comparison with similar devices in other environments – together with intelligence-driven threat hunting – will help organisations restrict access to suspicious or malicious devices.