Cyber attacks are gaining momentum, and each new publicised incident highlights the increasing need for effective data protection. Many of these attacks have targeted personal information, such as identity numbers, addresses, contact details and even, in some cases, financial information, exposing the affected individuals to crimes such as fraud and identity theft on a grand scale.
Vishal Barapatre is chief technology officer at In2IT Technologies
Globally, various governing bodies have implemented regulations aimed at protecting personal information, most notably the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI-DSS). Locally, businesses are gearing up to comply with the Protection of Personal Information (PoPI) Act; however, this regulation has not yet been officially implemented or enforced.
Nevertheless, it is important to note that even as we wait for PoPI to become ‘official’, GDPR and PCI-DSS are regulations that still apply to us – and non-compliance is a risk organisations cannot afford to take.
Non-compliance risk
Organisations that fail to take compliance seriously underestimate the risk they put themselves in, from a compliance, security and business perspective. Each industry faces its own regulatory requirements; however, PoPI and GDPR are imperative across all industries, focusing specifically on protecting personal information.
PoPI and GDPR both lay out a set of requirements that businesses need to comply with, from understanding what data businesses have, to ensuring personal information is stored in a specific manner – usually single copies in a centralised repository. GDPR may be considered a European regulation, yet any local business with so much as a single European customer can be liable for unprotected data.
Audits have become mandatory, meaning that sooner or later businesses will find any lack of compliance exposed and will be subject to the penalties. Both regulations have hefty fines that businesses will be forced to pay, should they be deemed non-compliant. These fines can be large enough to cripple a business.
Security risk
Compliance shouldn’t be seen as merely a disciplinary measure; it’s also good business sense. Regulatory compliance enables businesses to protect themselves against cybercrime. The mandates in place require businesses to put mechanisms, tools, processes and policies in place to actively protect their customers’, employees’ and suppliers’ personal information.
Typically, businesses retain a lot of personal data, which they usually keep in locations most convenient for its use. Unfortunately, most businesses don’t know what they have, where it is or how many copies they have. By complying, businesses are forced to know what data they have, where it resides, and what security measures they have in place for its safekeeping.
A single, centralised repository for personal data is easier to protect and can streamline operations simply through ensuring there aren’t multiple different versions across the organisation. Cybercriminals will find it harder to hack a well-protected single repository than they would if there were multiple access points to the data.
Business risk
Cybercrime can have a massive impact on businesses. A single attack can decimate a business, not just in loss of data but also in loss of reputation: no one wants to do business with a company that cannot protect their personal information. Publicised hacking incidents are usually followed by a loss of customers, revenue and profits for the responsible businesses; they lose their customers’ trust.
The security measures that compliance enforces, and that compliance certification proves, allow businesses to confidently assure customers – and other individuals – that their data is secure.
Getting compliant
Compliance may seem daunting and many organisations don’t know where to start. It often makes the best sense to engage with a compliance consultant who can provide audits and give guidance on what processes, policies and tools should be put in place to comply.
Data should be classified based on criticality to the business, relevance and sensitivity, with policies being defined around the access and use of that data. Security tools should be implemented based on the type and sensitivity of the data, including encryption, authentication, sharing and access controls, and others.
We may still be waiting for the PoPI Act to be implemented in South Africa, but businesses that have begun the process of complying with GDPR and other regulations are better equipped to make the necessary adjustments to comply with the PoPI Act. It’s important that organisations begin now so that they aren’t caught, either by regulators or by cybercriminals.