by The PoPIA Team, Pétanque International
While you, as a leader in your business, will be held accountable for ensuring that your business is PoPIA compliant, it requires effort from your employees to stay informed and up to date on how to contain, safeguard and process personal data. It is fundamental that, from top to bottom, your business adheres to the eight PoPIA principles.
To put it briefly, PoPIA requires your business to be accountable for your data, to limit the information that it processes and to specify its purpose. Further processing limitations, refining the information and being transparent create an environment in which you can implement security safeguards and data subject participation. These principles need to filter through to every part of your organisation’s daily operations. How do you make sure, in your role as a leader of your employees, that each and every one of them is on board with these principles of PoPIA compliance?
The cybersecurity research organisation CSO’s State of Cybercrime 2018 report estimated that cybercrime attacks resulted in an average loss of $353,000 (±R5.09 million), while a Google survey found that just 35% of expert respondents and just 2% of non-expert respondents in technology firms said that security updates and the latest patches were one of their top priorities. This is perfectly exemplified by the 2017 WannaCry ransomware attack, which saw thousands of companies across 150 countries falling victim to cyber attacks even though a Microsoft patch was available that would have mitigated the vulnerability. Employees have been found wanting when it comes to following security protocols, and you need to create a culture within your organisation of unwavering commitment to data protection protocols.
Start by recognising the need for cybersecurity roles in your business. By 2021, the number of cybersecurity roles around the world is estimated to triple and getting the best experts on board as soon as you can is fundamental to your ability to be protected against data breaches.
However, the other members of staff will also need to play their part. Their laptops are vulnerable and can be a point of entry for a malicious actor. Therefore, implement regular training programmes to inform employees about the principles and keep them updated on what new measures they need to take in the wake of ever-evolving threats. Even if they have been trained on the principles and protection protocols before, there is no room for complacency. Remaining up to date will be a task completed by your cybersecurity experts, but it will be your responsibility to pass new knowledge on to non-experts.
The perpetually evolving nature of the threats presented to your silos of information is undoubtedly the greatest challenge to upholding PoPIA’s principle of implementing security safeguards. The devil you know is better than the devil you don’t and you will be facing a different devil every other day. However, the evolving threats will be met by evolving security and if your employees frequently update their software and implement patch plans, you stand a far better chance of maintaining a system invulnerable to hacks.
But what if your business’ data banks have been hacked? In the event of a vulnerability being exposed, you have to have a response plan in place. It starts with being alerted: it is important that you have measures in place to make you aware when your organisation has been infiltrated. Then you need your experts to get on top of the issue and contain the threat immediately. An IBM survey found that respondents were more confident in their organisation’s ability to recover from an attack if they had a response plan in place. While some information may be lost, it is vital for you to minimise the damage and therefore your liability. Losing 20GB of information is better than losing 20TB. Nonetheless, whatever information has been compromised, you are required to inform the data subject. Following this process may seem like a last resort, but it is better than the only remaining alternative of a large-scale data breach.
In some circumstances, a well-coordinated response plan can restore your data subjects’ faith. Perhaps your business was unlucky enough to be the first victim of a brand new attack, but showcasing your ability to respond efficiently and contain the threat could, ironically, even aid your reputation.
Perfectly following data security protocols is complex and is a challenge to all, but the solutions are there. Of course there is an unavoidable window for human error, but vigilance and commitment to PoPIA principles put you in a far better position than you would be in otherwise. However, in that gap between excellence and perfection, there is a potential solution on the horizon which would make the process efficient and effortless: artificially intelligent security solutions. The existing technology is certainly in its infancy, but we are already starting to see software aided by machine learning and cognitive systems processes that is able to work around the clock, remain perpetually updated and contain threats with extraordinary speed. It is something to consider for years to come, but, for now, your options are limited to the human solution.
For now, then, the human solution is your best option, even if a minimal chance of cybersecurity vulnerabilities remains. Implementing protocols and adhering to PoPIA prescriptions across every aspect of your business will radically improve your chances of avoiding a data breach and, even though new solutions will emerge, a business culture of strict security mechanisms will make adopting any developments a downhill journey.
For the latest from the Information Regulator, data breaches and privacy issues from around the world, sign up to receive The PoPIA Bulletin every month.