Data protection weak spots businesses must address
Many South African businesses – particularly SMEs – are failing to properly protect sensitive data, putting them at risk of data theft, leaks and penalties.
This is according to Ian Nel, Strategic Planning and Programs Director, Canon South Africa, who says organisations are not gathering, storing or managing sensitive data adequately.
“We see data being put at risk all the time,” he says. “The most common threat is phishing attacks, but data can also be leaked or stolen due to non-compliant processes, a lack of awareness on the part of staff, or through pure negligence.”
Nel notes that sensitive data comprises more than documents – it also includes photos, scans, videos and other content. “It all needs to be managed securely and in compliance with the POPI Act,” he says.
Nel says many organisations and individuals fail to properly secure their home and office WiFi networks, have weak passwords or re-use passwords across multiple accounts.
“Having outdated software on systems also makes it easier for cyber criminals,” he says.
Nel adds that physical security is often overlooked too: “Organisations have to make sure computers are locked and sensitive documents aren’t exposed.”
Another often neglected vulnerability arises in printing and scanning, he says. “In the office automation industry, we often see cases where people use a multifunction printer to scan sensitive information such as a credit application for a bank. They scan their ID and financial information, unaware that the device they are using doesn’t encrypt or delete the file after it’s scanned, so it remains on the hard drive. Many people are not aware that the data can be retained on the device.”
Bringing in cyber security best practice
He says businesses should have the benefit of encryption and deletion of information on multifunction printers, avoiding the risk of data being exposed through these devices. “For Canon, data privacy is crucial, so we provide software and information management solutions to control data in a structured way, with features such as encryption and password protection. When we engage with our clients, we educate and train them to address these vulnerabilities and ensure cyber security best practice. This includes proper network security, firewalls, intrusion detection, encryption protocols and multi-factor authentication.”
Best practices should also include having a proper incident response plan in place to address any breaches, he advises.
He adds: “Organisations also need to start looking at policies and procedures to prevent staff from putting sensitive company information into generative AI environments that could put data at risk. They can’t just assume these new tools and environments are safe and secure.”
CMS to enhance compliance
Nel believes many organisations approach POPIA compliance as a ‘tick box exercise’; however, he warns that responsible data handling should be a top priority. “You have to manage people’s personal and sensitive information responsibly, ethically and in a transparent way,” he says.
He points to content management systems as a key enabler of better data protection. “In a content management system, data is safer than in a standard Windows environment. When you create a document in a content management environment, metadata can be attached to it to protect it from being viewed, to set document sensitivity levels and ensure that only the authorised people can see the data. Content management systems also offer full audit trails and security measures so organisations can determine when content was viewed, exported, downloaded or mailed,” he says.
“Organisations can now get proper cloud-based content management systems that are very secure, at a reasonable cost.”
He notes: “Over and above getting a new content management system, it is important to implement best practices to help manage and reduce the risk. These include having regular data audits to identify and classify sensitive data; encrypting sensitive data and invoices; and backing up data regularly. Organisations should have an inventory or register of their information assets, so they know what type of data is stored and where it is stored. They should also have proper records of processing activities and privacy impact assessments.”
Nel says: “The regulator is clamping down quite a lot on data privacy, and one of the key elements is privacy impact assessments.”
To make it easier to be compliant, organisations can set up electronic forms that ask the right questions and are automatically forwarded to the right people through the right workflows.
Nel says: “Some multifunctional printers’ content management systems have rapid development tools to make it easier for organisations to build compliant processes. For example, they may automatically require consent, and then go to a proper repository with the correct metadata, policies, procedures and workflows in place. As the business changes, you need the type of solutions that change with your needs, which is why our rapid development tools allow organisations to easily adapt the process. Canon and its partners are working very hard to support better data security and protection for our customers.”