How much does it cost to be POPI compliant?

With a compliance deadline of 1 July 2021 pending, many South African businesses are scrambling to achieve some form of POPIA (Protection of Personal Information Act) compliance. POPIA is comparable to the European GDPR (General Data Protection Regulation): the requirements are similar, and both regulations punish non-compliance severely.

With personal data predominantly stored digitally, it should be clear that POPIA is a vital component of the company’s cyber risk mitigation strategy. Our security experts have compiled the following areas that businesses should focus on and the associated POPI compliance cost.

E-commerce Websites

Many businesses have, over the years, switched to an online e-commerce website capable of promoting and selling their products. During the pandemic, this has become even more prevalent with a surge in online ordering. Online sales store a vast amount of personal information, which brings them directly under the POPIA spotlight.  

As a business owner, you are ultimately responsible for your business’s compliance with POPIA and knowing the POPI Act regulations. By collecting customers’ personal data to deliver your service/product, you become the “responsible party” for processing and “safekeeping” the customer’s personal information. 

Website security is a minefield

Website security is an absolute minefield, but one cannot avoid certain best practices:

Continuous CMS and plugin updates

Many businesses are very familiar with popular Content Management Systems (CMS) such as WordPress, but being popular also makes them a significant target for attackers. 

  1. CMS and plugin updates: Once inside the CMS, cybercriminals will quickly find their way into the database and extract the POPIA-applicable data. A minimum 4-hour retainer per month should be in place to allow for weekly updates to the CMS and add-ons/plugins, without which your website and the POPIA data are guaranteed to be attacked.
  2. Web Application Filtering: Allowing connections directly to your web server without any form of filtering is asking for trouble. Web Application Filters such as CloudFlare protect by filtering traffic to your website to ensure attacks are blocked before they reach the web service. With pricing plans starting from R300 (£15) per month, this is a low-cost way to improve security.
  3. External Penetration Test: Every website has one or more public IP addresses that allow customers, and attackers, to connect to the site. Penetration testing scans these IP addresses and the web services that are exposed to the internet. The penetration tester then attempts to break into the services the same way an attacker would. Pricing starts at R30 000 (£1500) for one IP address and drops per address with volume. Pricing varies significantly, since many penetration testers will drop an 80-page report into a customer’s lap instead of focused and actionable information.
  4. Web Application Penetration Testing: Then we come to the tricky and expensive part, which involves penetration testing of the pages that make up the website. Web Application Penetration Testing identifies where the developers have made errors that would result in a successful attack, and is critical to any website. The project takes the form of a 3-5 day engagement with a daily cost ranging between R12 000 – R20 000 (£800 – £1000 per day).

Confidential Emails and Files

Businesses without e-commerce functionality are unfortunately not in the clear. Many companies require their customers to fill in Microsoft Word, PDF, or email templates to invoice and deliver services/products. In the B2C space, this builds up a vast amount of POPIA-affected data, which is high-risk information stored in mailboxes or file storage spaces.

The following best practices will help with storing this type of data securely:

  1. Email: Businesses are not in control of the content of emails sent to them. This email content can take the form of IDs, passports, proof of residence, maybe even when the customer will be at home for the delivery. All this highly confidential personal information is a risk for any business. The only way to protect against this is by encrypting every email on arrival. By providing adequate protection against prying eyes, the risks are mitigated by making malicious access to this information much harder.
  2. Files: Once received, businesses frequently have to store customers’ personal data in some form of a file system, be it on their workstations or cloud storage such as DropBox or OneDrive. File cloud storage is a high risk, and although simplifying managing customers, it creates a literal honeypot of personal information. Files should be stored in an encrypted Vault at all times, where every file which enters the vault is immediately encrypted.

The vault solution can be achieved with many email/file encryption solutions. ENHALO’s Continuous Content Encryption Service is available for a minimum of R30 000 (£1500) per year (10 licenses @ £150 per license per year).

Irregular Behaviour Detection

Being able to monitor and respond to the movement of POPIA data is critical to remaining compliant. For this reason, tracking the forwarding and saving of data outside of the protection sphere allows businesses to monitor and respond to accidental and malicious insider threats.  

The following areas are of concern and require special monitoring, analysis and response:

  1. Sensitive data saved to cloud storage: Staff want to get work done, so saving files to a personal Dropbox or some other storage system to “work after hours from home” seems like a reasonable action. The reality is that this has immediately violated the POPI Act, and the business has lost control of this data. A policy violation can also happen through a malicious remote access user who takes control of the worker’s computer. This type of behaviour needs to be tracked, with the option to be blocked.
  2. Sensitive data emailed via non-business mail: It is all too easy to email a document to a personal email address to “work on the CRM list”, but yet again, it puts the POPIA data directly in the hands of whoever has access to that mailbox. Tracking and blocking attachments to non-business email addresses is crucial for sensitive information containing credit card or ID numbers.
  3. Saving to USB storage: Storing data on a USB device is another way data is easily extracted and worked on offsite, but it is high risk and should be blocked.
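As an added example (not ENHALO's product or code), this is the kind of check such tracking applies before a message leaves the environment: it validates 13-digit runs as South African ID numbers (date prefix, citizenship digit and Luhn check digit) and 15/16-digit runs as card numbers, and flags only mail addressed outside the business's own domain. The domain example.co.za and the sample events are constructed for the example.

```python
"""Flag outbound mail carrying SA ID or card numbers to non-business domains."""
import re
from datetime import datetime

BUSINESS_DOMAIN = "example.co.za"  # assumption: the company's own mail domain
DIGIT_RUN = re.compile(r"(?<!\d)\d{13,16}(?!\d)")  # bare digit runs only


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; used by both payment cards and SA ID numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 0 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_sa_id(digits: str) -> bool:
    """13 digits: YYMMDD + 4-digit sequence + citizenship (0/1) + A + check."""
    if len(digits) != 13 or digits[10] not in "01" or not luhn_ok(digits):
        return False
    try:
        datetime.strptime(digits[:6], "%y%m%d")  # date prefix must be real
    except ValueError:
        return False
    return True


def is_card(digits: str) -> bool:
    return len(digits) in (15, 16) and luhn_ok(digits)


def classify(text: str) -> set:
    found = set()
    for run in DIGIT_RUN.findall(text):
        if is_sa_id(run):
            found.add("sa_id")
        elif is_card(run):
            found.add("card")
    return found


def flag_events(events: list) -> list:
    """Return (recipient, kinds) for mail leaving the business domain with hits."""
    alerts = []
    for ev in events:
        if ev["recipient"].rsplit("@", 1)[-1].lower() == BUSINESS_DOMAIN:
            continue  # internal mail is not a data-movement event here
        kinds = classify(ev["content"])
        if kinds:
            alerts.append((ev["recipient"], sorted(kinds)))
    return alerts


SAMPLE_EVENTS = [  # constructed sample mail-gateway events, not real data
    {"recipient": "bob@gmail.com", "content": "Applicant ID 8001015009087 attached"},
    {"recipient": "finance@example.co.za", "content": "Card 4111111111111111 on file"},
    {"recipient": "me@outlook.com", "content": "Invoice 1234567890123 for review"},
    {"recipient": "me@gmail.com", "content": "Use card 4111111111111111 tonight"},
]
```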

There are a variety of solutions that do simple data movement warnings and blocking. ENHALO’s Irregular Behaviour Detection has a vast array of Day 1 Protections with Analyst backed response to ensure that no POPIA related data would leave the environment without being noticed. With real-time informative messages, lock or isolation action, the data can be secured before a leak occurs. 

At a minimum cost of approximately R3 000 (£135) per month (minimum ten computers), the solution provides reliable protection to mitigate the threats businesses face.

Conclusion

The above POPI compliance checklist is not exhaustive but does shed light on the business’s primary areas of concern today. Protecting personal data under the POPI Act is utterly important for South African businesses – non-compliance can result in a fine of between R1 million and R10 million or even imprisonment of one to ten years. There is no silver bullet for POPIA compliance – companies should consider all their primary areas of risk.

Gerhard Conradie Co-Founder and Global Head of Solutions Architecture at Enhalo

Gerhard, Co-Founder and Global Head of Solutions Architecture, sees quality staff as the most important asset to any business, and believes that giving them the space to grow as much as they are willing and able to, motivates them to grow Enhalo as well.
