
Forget POPI: GDPR is coming

The European Union's General Data Protection Regulation will impact companies that trade with EU businesses.

By Tallen Harmsen, Head of cyber security at IndigoCube.
Johannesburg, 01 Mar 2018

While everyone's busy worrying about South Africa's Protection of Personal Information (POPI) Act, another piece of even more onerous legislation will make itself felt come 25 May.

The European Union's General Data Protection Regulation (GDPR) imposes even more stringent controls around the protection of personal information than SA's POPI legislation, and, crucially, will impact companies that trade with EU businesses.

GDPR will likely act as a catalyst to speed up the implementation of POPI in SA, and could even result in amendments to POPI to align it with GDPR.

The rules of GDPR apply to both controllers and processors, which means cloud providers will not be exempt.

The EUGDPR organisation shares this important inclusion, among others: "The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU."

Another crucial aspect of the legislation is data portability, which will require some form of open application programming interface (API) so companies can transmit personal data directly to rivals when customers request it. Because such APIs expose access to that information, they become a prime target for hackers and must be secured.

Here's another key aspect of the legislation, again from the EUGDPR organisation: "Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay." Notifications presumably must be made to the European Commission.

Mind the gap

Before companies can notify anyone, they have to know there's been a breach, the extent of the breach, and then collaborate with law enforcement to analyse, apprehend and prosecute.

Cyber attackers almost never strike suddenly, successfully penetrate systems, and then disappear into the ether. Attacks most typically occur in stages, where hackers test defences and keep returning with ever more sophisticated probes until they penetrate. They're successful because most current cyber defence systems are static, while the criminals are fluid. And they usually leave many warning signs that are missed by the static defences and the administrators who maintain them.


These more onerous GDPR regulations and stipulations (and their South African equivalents that will bring the country in line with global standards) are all about making companies more responsible. There was a recent case in SA where property title deed holder data was made openly available through administrator negligence. There has been neither prosecution nor any kind of consequence for the actors that I'm aware of. But that's changing - and quickly.

While that data exposure was pure negligence, sophisticated cyber attacks are mounting, even on South African businesses. But, there are ways companies can proactively defeat them or just make it easier for the crooks to go elsewhere.

Take heed

The warning signs I mentioned earlier typically surface in deep Web chatter, which is where the property title deed exposure was accidentally discovered. But, they also surface in unstructured data in internal reports, which are usually so laborious that nobody checks them.

They also come up in social media feeds. But, unless the company hires a security expert - or several at enormous cost - it won't know about these and it will remain exposed.

Now companies have software tools that keep forensic tabs on systems, and on all of these other sources too, to provide tiered security with intelligent analysis. These form sophisticated barriers that help them pivot faster than the bad guys. Firewalls are important, and anti-virus too, but so is event correlation, which is what stops systems from breaking the "one-minute card rule": a check that flags the equivalent of a single ATM card being used to withdraw money from machines more than 5km apart within one minute, something that cannot legitimately happen.
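The "one-minute card rule" above is an impossible-travel correlation check. The following is an added example, not code from the article or from IndigoCube, that runs such a check over a constructed sample of withdrawal events: it groups events per card, sorts them in time, and flags any two consecutive withdrawals more than 5km apart within 60 seconds. The event format, card identifiers and ATM coordinates are all assumptions for the example.

```python
"""Event-correlation check for the 'one-minute card rule' (added example).

Flags any card whose consecutive withdrawals are more than MAX_KM apart
within MAX_SECONDS. All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KM = 5.0        # distance threshold from the rule described in the text
MAX_SECONDS = 60    # time window from the rule described in the text

# Constructed sample log: (timestamp, card id, ATM latitude, ATM longitude)
SAMPLE_EVENTS = [
    ("2018-03-01T09:00:00", "card-001", -26.2041, 28.0473),  # Johannesburg CBD
    ("2018-03-01T09:00:40", "card-001", -26.1076, 28.0567),  # Sandton, ~11 km away, 40 s later
    ("2018-03-01T09:05:00", "card-002", -26.2041, 28.0473),
    ("2018-03-01T09:05:30", "card-002", -26.2050, 28.0480),  # ~0.1 km away: plausible
    ("2018-03-01T09:10:00", "card-003", -33.9249, 18.4241),  # Cape Town
    ("2018-03-01T09:15:00", "card-003", -26.2041, 28.0473),  # Johannesburg, but 5 minutes later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))

def find_impossible_travel(events, max_km=MAX_KM, max_seconds=MAX_SECONDS):
    """Return (card, seconds_apart, km_apart) for every pair of consecutive
    events on the same card that is too far apart for the time elapsed."""
    by_card = defaultdict(list)
    for ts, card, lat, lon in events:
        by_card[card].append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for card, rows in by_card.items():
        rows.sort()  # order each card's events by time before comparing neighbours
        for (t1, la1, lo1), (t2, la2, lo2) in zip(rows, rows[1:]):
            seconds = (t2 - t1).total_seconds()
            km = haversine_km(la1, lo1, la2, lo2)
            if seconds <= max_seconds and km > max_km:
                alerts.append((card, seconds, round(km, 1)))
    return alerts

if __name__ == "__main__":
    for card, seconds, km in find_impossible_travel(SAMPLE_EVENTS):
        print(f"ALERT {card}: {km} km apart within {seconds:.0f} s")
```

Only card-001 trips the rule on the sample data; widening the time window (for example to ten minutes) would also catch the Cape Town to Johannesburg pair on card-003, which shows how the thresholds, not the mechanism, decide what counts as impossible.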

Then third-tier human intelligence is needed, with automated help that visualises associations and feeds intelligent, human questioning. And companies need to present that to CXOs in a visual dashboard, which gives them a total view to properly allocate necessary resources as threats escalate and recede.

Given these capabilities of smart, tiered cyber defences that inform executives and empower the experts to proactively monitor and engage hackers before there's a problem, companies won't encounter any issues, no matter what legislation is enacted. But remaining static with traditional firewalls, anti-virus and role-based blocking will eventually land good people in bad trouble.
