
POPI and data security – there is no time to lose!
South Africa cannot pretend anymore that we are not victims of cybercrime and data breaches. South African companies are being hacked as much as any other organization in any other country around the world. The general population may not think that it is prevalent here because there is no law requiring data breaches to be made public, i.e. it is hushed up. That is, until POPI. Although POPI has been in the making for a few years now, hopefully it will start getting some teeth with the recent appointment of Pansy Tlakula as chairperson of the newly formed Information Regulator. This has been long outstanding and is in the interest of the South African people.
However, from my experience, companies have not been taking POPI too seriously; they have either failed to adequately address data security or failed even to embark on an enterprise-wide, data-focused security strategy. When we talk about data security we are referring to securing the data where it is physically kept. Typically this will be in a database in a structured format, or in an unstructured format on file servers. This is where personal information predominantly resides, and this is what hackers and insider threats are trying to get at. You can have as much security as you like surrounding your database, but not protecting the data within the database is akin to having electric fencing, burglar bars and locked doors on your house while leaving your expensive jewellery in an unlocked box on a dressing table. You also need to put that jewellery into a safe.
A key factor in being able to protect your data is knowing what data you actually have and where it resides. But not all data is sensitive and in need of protection, and a lot of your data will have no value outside of your organization. So not only do you need to identify all your data, you also need to classify it. Data can generally be classified into three categories. First is data that legislation requires you to protect, typically personally identifiable information (PII). Second is data that does not fall under legislative requirements but is nonetheless of huge value to your organization, which you don’t want to fall into the hands of your competitors. Lastly, the third type of data is that which is neither protected by legislation nor holds any value outside of your organization, and therefore does not need specific protection. Before you can even embark on a data security strategy you need an enterprise-wide data inventory, so you know exactly what data you have, which of it requires protecting, and where it physically resides.
The next step to protecting your data is determining who has legitimate rights to access this data. The principle of least privilege (POLP) needs to be applied to all your sensitive data, only allowing your employees the minimal access to sensitive data that will allow them to perform their normal job function. This may often require changes to access privileges as well as revoking excessive access rights.
Once you can define what authorized access to sensitive data is, only then can you determine what unauthorized access to sensitive data is. This includes privilege abuse.
It is only at this stage that an organization is in a position to start building its data access policies and putting data security measures in place. Such measures would include monitoring and reporting on authorized access to sensitive data, but also monitoring and preventing unauthorized access. The same goes for identifying, reporting and blocking privilege abuse.
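To make the sequence above concrete (inventory and classify the data, grant least-privilege access per role, then judge each access against that policy), here is an added example that is not part of the original article. The asset names, roles, users, row-count threshold and audit lines are all constructed for illustration; a real deployment would draw the inventory and role grants from the organization's own records and the access records from its database audit log.

```python
"""Added example (not from the original article): a minimal model of the
steps the article describes -- inventory and classify data, apply least
privilege per role, then classify each access record as authorized,
unauthorized, privilege abuse, or unclassified (not yet inventoried).
All assets, roles, users, thresholds and log lines are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set


class Tier(Enum):
    REGULATED = 1      # legislation requires protection (e.g. PII under POPI)
    CONFIDENTIAL = 2   # valuable to the organization, but not regulated
    PUBLIC = 3         # no value outside the organization


@dataclass(frozen=True)
class Asset:
    location: str      # where the data physically resides (constructed host names)
    tier: Tier


# Step 1: the data inventory (constructed)
INVENTORY: Dict[str, Asset] = {
    "crm.customers.id_number": Asset("crm-db-01", Tier.REGULATED),
    "crm.customers.email": Asset("crm-db-01", Tier.REGULATED),
    "finance.pricing.margins": Asset("fin-db-02", Tier.CONFIDENTIAL),
    "web.cms.press_releases": Asset("web-db-03", Tier.PUBLIC),
}

# Step 2: least privilege -- each role is granted only the sensitive assets its job needs
ROLE_GRANTS: Dict[str, Set[str]] = {
    "support_agent": {"crm.customers.email"},
    "finance_analyst": {"finance.pricing.margins"},
    "dba": set(),   # DBAs administer the platform; the job does not need to read PII
}
USER_ROLES: Dict[str, str] = {"alice": "support_agent", "bob": "finance_analyst", "carol": "dba"}
ROWS_PER_QUERY_LIMIT = 500   # constructed: bulk reads of regulated data count as possible abuse


def sensitive(asset_id: str) -> bool:
    """Only regulated and confidential data need access control."""
    return INVENTORY[asset_id].tier in (Tier.REGULATED, Tier.CONFIDENTIAL)


def evaluate(record: dict) -> str:
    """Return AUTHORIZED, UNAUTHORIZED, PRIVILEGE_ABUSE or UNCLASSIFIED for one access."""
    asset_id = record["asset"]
    if asset_id not in INVENTORY:
        return "UNCLASSIFIED"       # not in the inventory yet: the policy cannot judge it
    if not sensitive(asset_id):
        return "AUTHORIZED"         # public data needs no specific protection
    role = USER_ROLES.get(record["user"])
    if role is None or asset_id not in ROLE_GRANTS.get(role, set()):
        return "UNAUTHORIZED"       # no role, or role not granted this asset
    # Granted, but a normal support query does not read hundreds of PII records at once
    if INVENTORY[asset_id].tier is Tier.REGULATED and record["rows"] > ROWS_PER_QUERY_LIMIT:
        return "PRIVILEGE_ABUSE"
    return "AUTHORIZED"


def parse_log(lines: List[str]) -> List[dict]:
    """Parse constructed audit lines of the form '<ts> user=<u> asset=<a> rows=<n>'."""
    out = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        out.append({"user": fields["user"], "asset": fields["asset"], "rows": int(fields["rows"])})
    return out


def report(lines: List[str]) -> Dict[str, List[str]]:
    """Group every access in the log under its verdict, for reporting."""
    findings: Dict[str, List[str]] = {}
    for rec in parse_log(lines):
        findings.setdefault(evaluate(rec), []).append(f"{rec['user']} -> {rec['asset']}")
    return findings


SAMPLE_LOG = [  # constructed audit records
    "2017-01-09T08:01:00Z user=alice asset=crm.customers.email rows=1",
    "2017-01-09T08:02:00Z user=alice asset=crm.customers.id_number rows=1",
    "2017-01-09T08:03:00Z user=carol asset=crm.customers.email rows=12000",
    "2017-01-09T08:04:00Z user=alice asset=crm.customers.email rows=4000",
    "2017-01-09T08:05:00Z user=bob asset=web.cms.press_releases rows=3",
    "2017-01-09T08:06:00Z user=bob asset=hr.payroll.salaries rows=10",
]

if __name__ == "__main__":
    for verdict, items in report(SAMPLE_LOG).items():
        print(verdict, items)
```

The UNCLASSIFIED verdict is the point the article makes about the inventory: an access to a table nobody has classified cannot be judged at all, which is why the inventory has to come before any monitoring or blocking. The PRIVILEGE_ABUSE branch shows that a grant alone is not the whole policy; the volume and pattern of use by an authorized user also has to be watched.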
As you can see, a great deal of work has to be done by an organization before it can even think of implementing any data security solutions. This work is spread across many departments, requires the co-ordinated input of many people, and will take some time to complete.
The bottom line is that if large enterprises have not yet embarked on a data security project, they could find themselves falling foul of legislation simply because architecting and implementing a data security solution across an enterprise is no small task and could take at least a year or more to complete. If legislation requires compliance within one year, you are likely to see a lot of panic and disruption within organizations, caused by the shortage of experienced data security software vendors in South Africa and a sudden surge in demand for their services. This will naturally be exacerbated by the current skills shortage in the IT security industry.
There is no time to lose!