With a compliance deadline of 1 July 2021 pending, many South African businesses are scrambling to achieve some form of POPIA (Protection of Personal Information Act) compliance. Its requirements are similar to those of the European GDPR (General Data Protection Regulation), and both regulations punish non-compliance severely.
With personal data predominantly stored digitally, it should be clear that POPIA is a vital component of the company’s cyber risk mitigation strategy. Our security experts have compiled the following areas that businesses should focus on and the associated POPI compliance cost.
E-commerce Websites
Many businesses have, over the years, switched to an online e-commerce website capable of promoting and selling their products. During the pandemic, this has become even more prevalent with a surge in online ordering. Online sales generate a vast store of personal information, which brings these sites directly under the POPIA spotlight.
As a business owner, you are ultimately responsible for your business’s compliance with POPIA and knowing the POPI Act regulations. By collecting customers’ personal data to deliver your service/product, you become the “responsible party” for processing and “safekeeping” the customer’s personal information.
Website security is a minefield
Website security is an absolute minefield, but one cannot avoid certain best practices:
Continuous CMS and plugin updates
Many businesses are very familiar with popular Content Management Systems (CMS) such as WordPress, but being popular also makes them a significant target for attackers.
- Once inside the CMS, cybercriminals will quickly find their way into the database and extract the POPIA-applicable data. A minimum 4-hour retainer per month should be in place to allow for weekly updates to the CMS and its add-ons/plugins, without which your website and the POPIA data are guaranteed to be attacked.
- Web Application Firewall (WAF): Allowing connections directly to your web server without any form of filtering is asking for trouble. A WAF such as Cloudflare's filters traffic to your website so that attacks are blocked before they reach the web server. With pricing plans starting from R300 (£15) per month, this is a low-cost way to improve security.
- External Penetration Test: Every website has one or more public IP addresses that allow customers, and attackers, to connect to the site. An external penetration test scans these IP addresses and the services exposed to the internet, and the penetration tester then attempts to break into those services the same way an attacker would. Pricing starts at around R30 000 (£1500) for one IP address, with lower per-address rates at higher volumes. Pricing varies significantly, since many penetration testers will drop an 80-page report into a customer's lap instead of focused and actionable information.
- Web Application Penetration Testing: Then we come to the tricky and expensive part, which involves penetration testing the pages that make up the website. Web Application Penetration Testing identifies where the developers have made errors that would result in a successful attack, and it is critical for any website. The project takes the form of a 3-5 day engagement with a daily cost ranging between R12 000 and R20 000 (£800 to £1000 per day).
Confidential Emails and Files
Businesses without e-commerce functionality are unfortunately not in the clear. Many companies require their customers to fill in Microsoft Word, PDF, or email templates to invoice and deliver services/products. In the B2C space, this builds up a vast amount of POPIA-affected data, which is high-risk information stored in mailboxes or file storage spaces.
The following best practices will help with storing this type of data securely:
- Email: Businesses are not in control of the content of emails sent to them. This content can take the form of IDs, passports, proof of residence, maybe even when the customer will be at home for the delivery. All this highly confidential personal information is a risk for any business. The only way to protect against this is by encrypting every email on arrival. By providing adequate protection against prying eyes, the risks are mitigated by making malicious access to this information much harder.
- Files: Once received, businesses frequently have to store customers' personal data in some form of file system, be it on their workstations or cloud storage such as Dropbox or OneDrive. Cloud file storage is high risk: although it simplifies customer management, it creates a honeypot of personal information. Files should be stored in an encrypted vault at all times, where every file that enters the vault is immediately encrypted.
The vault solution can be achieved with many email/file encryption solutions. ENHALO’s Continuous Content Encryption Service is available for a minimum of R30 000 (£1500) per year (10 licenses @ £150 per license per year).
Irregular Behaviour Detection
Being able to monitor and respond to the movement of POPIA data is critical to remaining compliant. For this reason, tracking the forwarding and saving of data outside of the protection sphere allows businesses to monitor and respond to accidental and malicious insider threats.
The following areas are of concern and require special monitoring, analysis and response:
- Sensitive data saved to cloud storage: Staff want to get work done, so saving files to a personal Dropbox or some other storage system to "work after hours from home" seems like a reasonable action. The reality is that this immediately violates the POPI Act, and the business has lost control of this data. A policy violation can also happen through a malicious remote-access user who takes control of the worker's computer. This type of behaviour needs to be tracked, with the option to block it.
- Sensitive data emailed via non-business mail: It is all too easy to email a document to a personal email address to "work on the CRM list", but yet again, it puts the POPIA data directly in the hands of whoever has access to that mailbox. Tracking and blocking attachments sent to non-business email addresses is crucial, since this sensitive information often contains credit card or ID numbers.
- Saving to USB storage: Storing data on a USB drive is another way data is easily extracted and worked on offsite; it is high risk and should be blocked.
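As an added illustration of the three monitoring rules above (this is constructed example code, not the page's own or ENHALO's product), the following Python monitor evaluates data-movement events from a mail gateway, a cloud-sync agent and a USB write hook. It goes one step beyond the bullet points by confirming candidate credit card and South African ID numbers with a Luhn checksum before escalating, so that an order number that merely looks like an ID number does not trigger a block. The event format, the business domain (`example.co.za`), the personal cloud host list and the sample events are all assumptions made for the example.

```python
"""Minimal data-movement monitor for the three channels named on the page:
personal cloud storage, non-business email and USB. Constructed example;
the event schema, domains and sample events are assumptions, not real logs."""
import re
from typing import Dict, List, Optional

# Assumption: the business's own mail domain(s) and the personal cloud hosts to watch.
BUSINESS_DOMAINS = {"example.co.za"}
PERSONAL_CLOUD_HOSTS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}

# Candidate patterns for the identifiers the page names. South African ID numbers
# are 13 digits ending in a Luhn check digit; payment card numbers are 16 digits
# (optionally separated by spaces or dashes) with a Luhn check digit. Every regex
# hit is confirmed with the checksum to cut down false positives.
SA_ID_RE = re.compile(r"\b\d{13}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right; the sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> Dict[str, int]:
    """Count Luhn-valid SA ID numbers and card numbers in text extracted from a file or mail."""
    ids = [m for m in SA_ID_RE.findall(text) if luhn_ok(m)]
    cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
    found: Dict[str, int] = {}
    if ids:
        found["sa_id"] = len(ids)
    if cards:
        found["card"] = len(cards)
    return found


def mail_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(event: dict) -> Optional[dict]:
    """Apply the three rules to one event; return an alert dict, or None if the event is benign."""
    found = find_sensitive(event.get("text", ""))
    alert = {"ts": event["ts"], "user": event["user"], "findings": found}
    channel = event["channel"]
    if channel == "mail":
        external = [r for r in event["recipients"] if mail_domain(r) not in BUSINESS_DOMAINS]
        # Attachments carrying confirmed personal data to a non-business mailbox are blocked.
        if event.get("attachment") and external and found:
            return {**alert, "rule": "attachment-to-non-business-mailbox",
                    "action": "block", "recipients": external}
    elif channel == "cloud" and event["host"].lower() in PERSONAL_CLOUD_HOSTS:
        # Any save to personal cloud storage is reported; confirmed personal data is blocked.
        return {**alert, "rule": "save-to-personal-cloud",
                "action": "block" if found else "warn", "host": event["host"]}
    elif channel == "usb":
        # The page's position: USB extraction is high risk and should be blocked outright.
        return {**alert, "rule": "usb-write", "action": "block", "file": event["filename"]}
    return None


def scan(events: List[dict]) -> List[dict]:
    """Run evaluate() over a batch of events and keep only the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample events (not real logs). The numbers are well-known test values:
# 8001015009087 is a Luhn-valid SA ID, 4111 1111 1111 1111 a Luhn-valid card number,
# and 1234567890123 a 13-digit order number that fails the checksum.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T08:02:11", "user": "thandi", "channel": "mail",
     "recipients": ["thandi.home@gmail.com"], "attachment": "crm_export.xlsx",
     "text": "Customer list: 8001015009087, card 4111 1111 1111 1111"},
    {"ts": "2021-06-01T08:05:40", "user": "thandi", "channel": "mail",
     "recipients": ["finance@example.co.za"], "attachment": "crm_export.xlsx",
     "text": "Customer list: 8001015009087"},
    {"ts": "2021-06-01T09:12:03", "user": "sipho", "channel": "cloud", "host": "dropbox.com",
     "filename": "orders.csv", "text": "order 1234567890123 shipped"},
    {"ts": "2021-06-01T09:13:27", "user": "sipho", "channel": "cloud", "host": "dropbox.com",
     "filename": "ids.pdf", "text": "ID 8001015009087"},
    {"ts": "2021-06-01T10:44:19", "user": "naledi", "channel": "usb",
     "filename": "quotes.docx", "text": "Quote for supplier"},
    {"ts": "2021-06-01T11:01:55", "user": "naledi", "channel": "mail",
     "recipients": ["supplier@vendor.example"], "attachment": None, "text": "please quote"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["action"].upper(), alert["rule"], alert["user"], alert["findings"])
```

Run as a script it prints one line per alert: the external mail with an attachment is blocked, the Dropbox save of an order file is only warned about because its 13-digit number fails the checksum, the Dropbox save of the ID document and the USB write are blocked, and the two remaining events (internal mail, external mail without an attachment) produce no alert. A real deployment would feed the `block`/`warn` actions into the endpoint agent or mail gateway that generated the event.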
A variety of solutions provide simple data-movement warnings and blocking. ENHALO's Irregular Behaviour Detection has a vast array of Day 1 Protections with analyst-backed response to ensure that no POPIA-related data leaves the environment without being noticed. With real-time informative messages and lock or isolation actions, the data can be secured before a leak occurs.
At a minimum cost of approximately R3 000 (£135) per month (minimum ten computers), the solution provides reliable protection to mitigate the threats businesses face.
Conclusion
The above POPI compliance checklist is not exhaustive but does shed light on a business's primary areas of concern today. Protecting personal data under the POPI Act is critically important for South African businesses: non-compliance can result in a fine of between R1 million and R10 million, or even imprisonment of one to ten years. There is no silver bullet for POPIA compliance; companies should consider all their primary areas of risk.