Visibility crucial for POPIA compliance
Gaining visibility of where data is, how it is handled and what risks organisations face as a result is an important first step in achieving and maintaining compliance with the Protection of Personal Information Act (POPIA).
This is according to Nick Maxwell, GM for UK and MEA at Ava Security, who was speaking at a webinar on 'Managing POPIA with human-centric solutions', hosted by Ava Security in partnership with ITWeb.
“Because you don’t know what you don’t know, first you need to gain visibility to identify where potential risks and threats are. You need to set the baseline and put a plan in place to mitigate that. For executive buy-in, it is useful to associate the risks with the potential penalties that could be incurred under POPIA.”
Maxwell said every company is at risk of data breaches, with ransomware a top-of-mind concern. However, insider risk is growing fast. He noted: “Eighty-one percent of companies were compromised by a cyber attack in 2020 and 80% of security breaches include personally identifiable information. When it comes to POPIA, this is a complete no-no.”
Because over 90% of attacks involve the human attack vector, mitigating risk has to start with the end-user, he said. “Organisations need to discover the risks and how users interact with the data, and involve users to help them understand what POPIA means for organisations.”
A poll of the webinar participants found their highest risk concerns centred on ransomware/zero-day attacks (46%), while 26% said a top concern was insider risk, 15% said privileged access management and 11% said endpoint protection. As many as 29% said they had no visibility into a data incident and the context of what the involved users were doing before, during and after; and on the question of how effective their cyber awareness training was to support POPIA compliance, 13% said their employees were not trained, 29% said they needed more executive sponsorship for compliance training to be adhered to, and 16% said their training had not been effective in supporting compliance. Only 40% said their training had been effective and all employees complied.
Ana Garcia, lead cyber security engineer at Ava Security, demonstrated the Ava approach, which secures data and improves user awareness by blocking the sharing of sensitive data and raising an alert when a user is not being compliant or making a mistake in trying to share sensitive corporate information. Garcia said the agent did not slow down productivity: “It is very lightweight on the endpoint as we only track data in use. It also works well with other DLP solutions, such as data classification tools, as it is an open platform with open APIs.”
Ava’s human-centric security approach gives organisations individual user profiles to shed light on how data is accessed and used, with optional anonymisation for privacy. Ava delivers user activity monitoring, reporting on instances of careless, malicious and accidental behaviour, and constant, automated enforcement of corporate policies such as acceptable use policies.