Johannesburg, 15 Aug 2016
Lessons learned from helping customers deal with malicious ransomware has given networking company three6five an advantage in handling security issues that will arise when the South African Protection of Personal Information (POPI) Act comes into force later this year.
"The POPI Act is going to force companies to completely change the way they do business, says Eric Holmes, Security Engineer at three6five. "For example, no unsolicited telephone calls will be allowed under the act. Changing processes and even strategy to fit in with the new law could be very difficult, and in some cases applications connected to databases may have to be re-written to ensure compliance.
"Many companies who store data in the cloud will find that you cannot always be compliant without implementing new policies and procedures," he continues. "It is best to start doing the due diligence sooner to ensure that POPI will not catch you off guard."
Recently, three6five has learned valuable lessons when helping customers to clean up their security systems against the threat of ransomware.
"This is a noisy disruptive malware attack that is catching everybody by surprise," says Holmes. "Ransomware takes your data, encrypts it and puts a bold message on the screen (or file system) demanding the payment of a specified amount to get your data back. However, even if you pay the ransom there is no guarantee this will occur."
Whenever ransomware takes hold of a system, it is important to also find out what other malware is on the system. The chances are good that if ransomware has made its way through firewalls, it is likely that there is other malicious activity occurring.
"It is important to limit the damage and take preventative actions," says Holmes. "Many people believe that backups are the answer, but they too often find that their backups are also corrupted! When ransomware is found on systems people generally ask themselves: why did we not proactively prevent this problem upfront?"
Holmes believes that the experience gained by three6five in dealing with malicious attacks and in cleaning up data, puts it in a position to assist customers with POPI compliance.
"The nominations for positions with the POPI Information Regulator are expected to be confirmed by Parliament in August this year. Thereafter, we foresee public and private sector bodies going into overdrive in order to address the many organisational and technical compliance measures required to comply with the POPI Act," he says. "It will take about 12 months before 'data subjects' such as disgruntled employees, customers and even job applicants will be able make claims for compensation for breaches of the individual rights that come with POPI."
It is important that action is taken to minimise the risk of non-compliance. The main focus of activities to become more compliant with the act will be to remove as much personal data as possible. This will often require a 180 degree turn in policy and procedures.
In future, prudent companies will store personal data required for business use for as short a period as possible and as securely as possible.
The POPI Act is complex and technical. All responsible parties, and the responsibility normally defaults to the CEO, are required by the act to understand the implications of this legislation and take appropriate measures to minimise the risk and consequences of non-compliance.
"The implementation of POPI is a positive prospect," says Holmes. "It is seen as one of the best privacy regulations in the world - and that is something that should fill us all with pride! It ensures that everyone has the right to privacy. Individually, all South Africans stand to benefit from the POPI Act."
He adds that as we are all going to gain from POPI, it is important for companies to see this as the ideal opportunity to improve their security and to ensure that their employees' rights are afforded the respect they deserve.
For more information, contact Kelly Rodger on kelly.rodger@three6five.com
Share