On 1 July this year, the Protection of Personal Information Act (POPIA) became enforceable. A process set in motion in 2013 has finally reached fruition, and its focus is on organisations having to keep the personally identifiable data of their customers as safe and secure as possible. The question now turns to the impact this could have on cybersecurity measures.
When all is said and done, POPIA is a privacy standard very much focused on business to consumer organisations. These companies have scrambled over the last few months to meet their POPIA obligations or risk significant financial fines and reputational damage. Externally, they have been using auditors, lawyers, ethical hackers, and penetration testers. Internally, the spotlight has fallen on getting the artefacts in place to become compliant.
POPIA has resulted in renewed interest when it comes to implementing more advanced cybersecurity tools in organisations. And yet, this is something that has had to be a priority long before POPIA was even announced. Given the increased connectedness of organisations and how critical data is to their competitiveness, the days of purely relying on a firewall and antivirus solution to safeguard systems and data are long gone. So, while POPIA might have been the catalyst to refocus on security, it cannot be the only driver for change within the business. There must be a concerted effort to change from the boardroom down to all levels of staff whether they are on-premise or working remotely.
Considering the strong consumer angle in this legislation, the net effect has been quite positive, forcing everyone to become more privacy aware. Certainly, there has been a good impact on the cybersecurity, legal, and governance environment because of this. With people's expanding digital footprint, they want to ensure their information is protected. Corporates must therefore ensure they receive the necessary customer consent to use that personal data. Furthermore, when they need to share it, they must be transparent with the [data] owner about why they are doing so, and the consumer must be able to withdraw their permission at any stage.
Security products have certainly helped companies tick the required boxes when it comes to how to manage data and take care of the consent process. Already, POPIA has resulted in a boost for cybersecurity investments and knowledge at organisations especially as it pertains to breach-detection solutions, business continuity, disaster recovery, and the like.
A framed approach
Cybersecurity frameworks have not had to adapt too much with the POPIA deadline looming. Instead, companies have a wealth of frameworks to choose from to make the compliance process a smoother one. While there is no one framework that is applicable to all the requirements of the Act, there is enough overlap between the leading ones to help drive most of the important aspects of compliance.
In Europe, the likes of ISO27K virtually assure GDPR (General Data Protection Regulation) compliance. And then there is the National Institute of Standards and Technology (NIST) in the United States, SOC 2 as it relates to how customer data is stored in the cloud, and other more niche frameworks like PCI (payment card industry) and HIPAA (health industry) to choose from.
Moreover, these frameworks provide local organisations with the tools needed to achieve POPIA compliance. Even if a company does not go through an official certification process, which can be quite expensive, most of these frameworks are open source and can be used for guidance on doing the necessary self-testing. A company can therefore pick and choose the relevant aspects to create its own best practice.
There are numerous aspects of cybersecurity that are directly applicable to POPIA. But the way the Act is written is quite general and not specific to cybersecurity as such. For instance, it talks about companies needing to take every care to ensure data is protected. But what does that mean in practical terms?
Realistically, companies must therefore ensure they have encryption, firewalls, backups, and privileged access control in place as a foundation. Ultimately, it comes down to doing every element of data protection well, from the perimeter through to detecting breaches and mitigating the risks of those potential compromises.
It comes down to having as much cybersecurity in place as a company can afford. This must be balanced by not making the system unusable or inconvenient for users whether that is an employee or the customer. After all, the more secure the system, the more difficult it becomes to use. There must therefore be a balance between the right level of security and still meeting POPIA compliance aspects.
This is where CIA (confidentiality, integrity, and availability) comes into the cybersecurity equation. Confidentiality can refer to the effective use of firewalls to keep data protected. Integrity is not letting malicious parties or unauthorised users modify data; as part of this, backups, data management, and encryption are vital. Finally, availability concerns data management and how easily data can be accessed without compromising the security features of the environment.
The most challenging part of all this is knowing where to start and where the process ends. It comes down to applicability and translating the legalese of POPIA into something that has a practical interpretation.
It is as much about a company showing its due diligence and that it is taking reasonable care with personal data. Cybersecurity is therefore an effective way of making doubly sure personal data protection is taken care of in the event of a disaster or compromise. If POPIA is the stick that drives an improved cybersecurity posture, then so be it.
Ian Shak, Chief Information Security Officer at Saicom