How to protect data in a highly connected age
Examining the preparations that payment card industry professionals are undertaking to meet the security measures required for Payment Card Industry (PCI) compliance, it’s clear just how valuable the Payment Card Industry Data Security Standard (PCI-DSS) can be when it comes to safeguarding personal data. PCI-DSS is a real hero, designed to protect cardholder data that, of course, represents some of the most personal of personal data out there.
Under the Protection of Personal Information Act (POPI), any personal data you collect, process or retain in any form, physical or electronic, creates the obligation that you reasonably and adequately safeguard that data in order to be in compliance with the law. Performing a PCI-DSS gap assessment and implementing PCI-DSS controls to a wider scope of personal data beyond just cardholder data (including credit card numbers) within your organisation can establish a strong foundation for extended personal data handling and keep you on the good side of POPI regulators.
POPI is set to have a sweeping impact across all industries, especially in verticals such as financial services, healthcare, retail, hospitality, and law firms, because of the nature and type of personal data they process, and the law has created demands that many businesses will need assistance in meeting. It’s predicted that SMBs, NGOs, NPOs and charities will need more education, support and guidance in preparing their activities and systems for POPI compliance. Enlisting a high-quality consultant can help your company build out a roadmap of the measures that must be put in place, and services providing affordable solutions for taking reasonable measures to serve compliance needs will be highly sought after by many sole proprietors, close corporations, company directors and board members seeking to solve these particular issues for their organisations.
In protecting personal information or sensitive data, organisations must look not just at safeguarding their internal data stores, but also at the many portable modern devices employees often carry and use to perform their work duties. Bring-Your-Own-Device (BYOD) items including laptops, USB drives, smartphones and tablets are equal links in the data security chain, and while they help keep employees productive, these devices are also more exposed to increased risks of loss or theft. Prioritising encryption for these portable devices used by an organisation’s workforce is essential to begin protecting data. Consider that these types of risks will soon rise as the aptly named “silly season” arrives in South Africa, when incidents of robberies, business and home burglaries, hijackings and car break-ins increase alongside insurance claims for the theft of these same kinds of portable electronics that organisations must be careful to secure.
Encryption alone, however, is only one piece of a successful data protection game plan. To guard against unauthorised device or data access and even potential identity abuse, organisations should seek out added functionality to perform data quarantines, on-network and remote data wiping, revocation of access when necessary, and killing of cached credentials for further protection of accounts. These solutions provide better security for both company- and employee-owned mobile data devices, along with the mobile device management capabilities and adequate reporting needed to demonstrate compliance to POPI regulators. Organisations will be able to find services like these offered locally by managed service providers (MSPs).
In many ways POPI has only raised the stakes for what were already beneficial data security practices. Data breaches, already costly and reputationally damaging, will now come with increased exposure, stiff fines and in some cases risks of criminal prosecution as well.
Whether driven by best practices or by the law, organisations should recognise their risk areas, whether from exposed and unencrypted data or from unprotected employee BYOD devices, and invest in data security protection that will better safeguard their stakeholders going forward.
SMBs, NGOs, NPOs and even small charities might not have big systems, large budgets, or deep resources, and for many their entire operation runs not on servers but on one or a few PCs alongside organisation- or employee-owned devices. Still, these organisations cannot plead naivety and must do the basics to reasonably safeguard the heaps of personal data they process and hold. It’s true that not all personal information is created equal, but one good practice for these organisations is to adopt a “big buckets” approach for practical, reasonable, and effective security safeguards.
POPI should not be thought of as this big monster law that prohibits the processing and flow of personal information, but instead respected for its aims to regulate and provide an improved framework for what we lawfully can, cannot, or should not process, how we go about it, and what obligations we carry when processing or holding personal information of any natural or juristic persons in our possession. One reason parliament enacted POPI is to protect our people from harm, and, with identity theft and cybercrime on the rise in South Africa, it’s a needed law.
Amit Parbhucharan is the South Africa Country Manager for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.