A reality that all companies must face these days is that an information security breach is inevitable; it will happen sooner or later, irrespective of what you do as a company.
That is no reason to do nothing about it. In fact, the new Protection of Personal Information (POPI) Act in South Africa will soon force companies to have certain information security measures in place.
Since storing, accessing and sharing people's data is such an important matter, most tend to think of the advanced technical solutions they would need in order to comply with the various laws and best practices concerning data confidentiality, integrity and availability.
With heavy fines set to be imposed and possible jail time in the more serious cases, companies will no doubt feel overwhelmed by all they have to do within the space of a year, when the POPI Act is to be implemented.
Three broad categories that will certainly help those who feel inundated are the following: People, Processes and Technologies.
A chain is only as strong as its weakest link.
This certainly holds true where people are concerned. Most of the information security breaches we hear about were made possible by social engineering.
A lot of training and awareness work will have to be done for employees in all companies that deal with people's data (and these days that's nearly every company).
This means awareness of the types of attacks they face from hackers, as well as awareness of how data is stored, accessed and shared and how that fits with the laws and guidelines to be implemented.
Having a security manager or a chief information security officer in place will be another issue to deal with.
Physical security is as much a risk as information security.
- How easy is it for someone to walk into your office block and potentially steal files?
- Are your company laptops/computers locked down or can anybody just remove them?
- Are the devices in your company accounted for i.e. is it known how many devices there are and what info those devices are carrying and what access those devices have?
- Who in your company is responsible for doing what?
Access control will turn out to be a very important factor as soon as POPI is implemented, and the reasons for this will be quite obvious.
This would include having Intrusion Detection/Prevention Systems, anti-virus software, constant monitoring of your networks, limiting your Wi-Fi signal range, having some sort of patch management methodology (e.g. Microsoft releases patches for its systems on a Tuesday, the so-called 'Patch Tuesday'), etc.
The technologies that will have to be deployed to protect your company's data and your bottom line do not have to be expensive (there is plenty of open source software out there to choose from).
This is by no means an exhaustive list, but a very broad overview to start giving small and medium sized companies a general direction to follow and things to think about.
Some of the bigger companies already have a few of these in place, but they too will have to work at making sure that they implement some of these things and more.
Very few actually do!
Remember, at the end of the day, security for any company means aligning with business goals in order to maximise a company's bottom line, i.e. "Mo' Money".
Failing to comply with certain laws and best practices may mean fines for your company, which will greatly impact your bottom line and reputation, and these days reputation means everything for a business.
It may have to do, in part, with the fact that POPI is always portrayed in a negative light each time it's spoken of, with headlines such as "How the POPI bill can harm your business" or "The effects of POPI on your business", etc.
Now, while it's true that POPI will have harsh effects on those who don't comply, it's equally true that those who do comply may be able to run their businesses better.
"Better?!", you say. Let me rephrase that: able to run their businesses in a way that benefits all the parties involved, including the customers, by taking customer (data) privacy and integrity seriously.
Furthermore, various security standards already exist, yet sadly many companies don't adhere to them. POPI, since it is law in our country, will force all companies to comply with it, thereby also positioning them properly to align with the existing security standards, which are not law themselves.
Some of the principles of POPI, which many must have heard of by now, include:
While this includes accountability under the POPI principles (the processing of personal data, etc.), it also fits in quite nicely with The King Report on Governance in South Africa 2009 (King III). While King III is not law, complying with POPI may give a general push to companies that do not follow the King III guidelines to start doing so.
For example, King III says:
“Directors are accountable for the governance and wellbeing of the company”.
King III also provides:
“Guidelines in compliance with laws, rules, codes and standards”
Or, in this case, guidelines in compliance with POPI.
The business benefit of this is clear: stakeholders like a company that's governed well. No amount of money or sales can buy the kind of assurance you can give to your stakeholders.
Quality of information
The information that you gather/process must be accurate. This can be a good thing for companies, if companies choose to see it this way:
The more accurate info we have, the better our marketing strategy and returns.
How many companies still market, via post, SMS or email, to the wrong or changed postal address, phone number or email address?
The quality and integrity of information may be helpful for companies. This, of course, means that companies should have security measures in place to keep this data safe, and expensive technologies are not required to do this.
Some form of access control will also have to be in place, i.e. who in the company has access to what information and what they can do with that information.
The business benefit of this is more control and accountability for management.
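As an added illustration of the access control and accountability point above (this is example code, not part of the original post or any POPI guidance): a default-deny permission matrix that maps roles to the categories of personal information they may touch and the actions they may perform, with every decision, allowed or denied, written to an audit trail that management can review. The roles, data categories and user assignments are constructed for the example.

```python
"""Role-based access control over categories of personal information, with an
audit trail for accountability. Constructed example: the roles, data
categories and users below are illustrative, not taken from any real policy."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed permission matrix: role -> set of (data category, action) pairs.
# Anything not listed here is denied (default deny).
PERMISSIONS: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "marketing": frozenset({("contact", "read")}),
    "support": frozenset({("contact", "read"), ("contact", "update")}),
    "hr": frozenset({("contact", "read"), ("contact", "update"),
                     ("payroll", "read"), ("payroll", "update")}),
    # Information officer: may read and export for data-subject requests,
    # but never update records.
    "information_officer": frozenset({("contact", "read"), ("payroll", "read"),
                                      ("contact", "export"), ("payroll", "export")}),
}


@dataclass
class AuditEntry:
    """One access decision, kept so management can answer 'who did what'."""
    when: str
    user: str
    role: str
    category: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    user_roles: Dict[str, str]                    # user -> single role
    audit_log: List[AuditEntry] = field(default_factory=list)

    def check(self, user: str, category: str, action: str) -> bool:
        """Return True only if the user's role explicitly permits the action.
        Unknown users and unknown roles fall through to a denial, and every
        decision is logged before the result is returned."""
        role: Optional[str] = self.user_roles.get(user)
        granted = PERMISSIONS.get(role, frozenset()) if role else frozenset()
        allowed = (category, action) in granted
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role or "none",
            category=category, action=action, allowed=allowed))
        return allowed

    def denied_attempts(self) -> List[AuditEntry]:
        """Denied decisions are the ones worth reviewing for misuse or
        mis-assigned roles."""
        return [e for e in self.audit_log if not e.allowed]

    def activity_by_user(self) -> Dict[str, Tuple[int, int]]:
        """user -> (allowed count, denied count), a simple accountability view."""
        summary: Dict[str, Tuple[int, int]] = {}
        for e in self.audit_log:
            ok, bad = summary.get(e.user, (0, 0))
            summary[e.user] = (ok + 1, bad) if e.allowed else (ok, bad + 1)
        return summary


def build_demo_controller() -> AccessController:
    """Constructed staff list and a short sequence of access attempts."""
    ac = AccessController({"alice": "marketing", "bob": "hr", "carol": "information_officer"})
    ac.check("alice", "contact", "read")      # marketing may read contact details
    ac.check("alice", "payroll", "read")      # denied: not in marketing's matrix
    ac.check("bob", "payroll", "update")      # HR may update payroll
    ac.check("carol", "payroll", "export")    # export for a data-subject request
    ac.check("carol", "contact", "update")    # denied: officer is read/export only
    ac.check("mallory", "contact", "read")    # denied: unknown user, no role
    return ac


if __name__ == "__main__":
    controller = build_demo_controller()
    for entry in controller.denied_attempts():
        print(f"DENIED {entry.user} ({entry.role}) {entry.action} on {entry.category}")
    print(controller.activity_by_user())
```

The two design choices that matter are that a missing role or a missing matrix entry results in a denial rather than an exception or a silent grant, and that the log records denials as well as grants, since a pattern of denied attempts is often the first sign of a mis-assigned role or an insider probing for data they should not see.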
This not only means that data should be collected with consent, but also that the person(s) whose data is being collected should know about it, that the purpose for which the data is collected should be made clear, and that the data should be used for that purpose alone.
The data subject also has the right to request the information you hold on them. The sharing of this data upon request should likewise be done in a secure manner (a secure portal on a company website or registered mail, perhaps; I'm yet to see this particular aspect).
The business benefit of this is also clear: more trust from your customers due to the transparency you will be showing. More trust from customers means more trust in your brand and reputation.
Being POPI compliant will no doubt be hard, and yes, some financial costs will be involved as companies restructure internally to accommodate this new way of doing things.
There may be new skills and new ways of working that companies will have to adjust to, and new positions that will have to be created; but all this is a minor shift that will prepare companies to benefit greatly in the ever-changing world we live in.
Cost avoidance (possible fines or jail time for non-compliance) is not the only benefit of being POPI compliant.
There are other business benefits, such as:
- Giving confidence to your stakeholders (customers)
- Brand reputation will be protected and enhanced
- Cost avoidance in recovering from a data breach, as companies will no doubt have to spend money to recover after an incident has occurred (a company may be shielded from lawsuits should a breach occur)
- Being POPI compliant will be a key step in being compliant with other security standards, which will further give confidence to a company's stakeholders
Image credit: Klearchos Kapoutsis