Cyber security, POPI and GDPR
Businesses can't afford even a single attack on their data, and with data protection legislation pending, it's just about to get that much harder to be compliant.
It's a phrase that all IT leaders dread: 'Your data has been compromised'. There have been countless reports in the media over the past year of massive data leaks, some local, some wider afield. The message is clear: data is under attack and companies need to take measures to protect it, particularly in the light of the pending Protection of Personal Information (POPI) and General Data Protection Regulation (GDPR) legislation.
Shailendra Harri, Business Development at CHM Vuwani, says: "Cyber criminals only need to succeed once to compromise a business's environment, yet cyber security companies protecting against these criminals need to get it right always to prevent data exploits."
Cyber security companies face a huge challenge globally owing to this rapidly evolving threat landscape. Regulations such as POPI in South Africa and GDPR in Europe - not to mention the Patriot Act in the US - have opened the door to discussions around how cyber security companies can assist in protecting client information.
Reputational risk and more
Businesses stand to lose more than money if they experience a data breach. While penalties can include severe fines and punishment, there's also the risk to the organisation's reputation. Harri says: "Companies have to ask themselves, can they place a value on their reputation and what type of data loss (e.g. customer, employee or intellectual property) would have the greatest negative impact on the organisation's reputation and brand."
The aim of POPI
Section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy, which includes the right to protection against the unlawful collection, retention, dissemination and use of personal information. The Act was written to promote the protection of personal information processed by public and private bodies in South Africa. While it's not yet known when POPI will become effective, the processing of personal information must meet the requirements of the Act within one year of its commencement.
How does POPI relate to GDPR?
GDPR is intended to strengthen and unify data protection for all individuals within the European Union, and will be enforced from 25 May 2018. Organisations outside the European Union will be obligated to protect any EU citizen information that is stored outside the EU's borders.
POPI, the South African data protection legislation, aims to ensure that all responsible parties secure the integrity of personal information in their possession or under their control. They must do this by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to or unauthorised destruction of personal information, and unlawful access to or processing of personal information.
While there is overlap between the two sets of legislation, South African businesses are well advised to comply with GDPR if they interface with EU citizens and collect and store their data.
Steps to data protection
Harri goes on to outline some measures that organisations can implement to protect their data against a breach while remaining compliant with legislation.
* Framework and policies: This should be the first priority, as the IT security framework and policies define the rules that need to be enforced across the organisation's entities.
* Visibility: Having visibility of data, and the ability to identify who is accessing it, is a very important step in protecting it.
* IAM and PIM: Identity and access management and privileged identity management tools are controls that restrict who can access sensitive data.
* Encryption: Protect data by encrypting files, folders or the full disk. This could also reduce the risk of ransomware attacks.
* DLP solutions: Data leakage prevention helps organisations track and prevent the loss of sensitive data, as well as enforce controls over it.
* Authentication: Two-factor and multi-factor authentication, using either soft or hard tokens, reduce the risk of credentials being accessed by cyber criminals.
"The problem that organisations globally are faced with is the shortage of skilled IT security personnel," says Harri. "For this reason, businesses are increasingly choosing to outsource this function to an IT security partner. My best piece of advice would be that they ensure that their partner has the skills and capacity to deliver the initial best practice configuration and implementation, while also being able to manage the solutions and provide ongoing maintenance and support."