POPI Data: How Irregular Behaviour Detection Aids Compliance

The upcoming POPI Act deadline has many organisations scrambling to reach compliance.

With only a year to prepare since the Act was signed into law last July, many have had a tough time implementing all the necessary controls to protect personal information.

In this article, we’ll look at one of the greatest threats – irregular user behaviour – and explain how you can quickly get it under control.

What is irregular behaviour detection?

Most security budgets are tied up in perimeter defence and incident response, geared towards attacks from outside the organisation.

We see the same media coverage of the latest cyberattacks and external threats over and over, but what if this was only part of the story?

Historically, a vast proportion of data breaches have been caused by individuals inside the organisation. Individuals like employees, contractors, and third parties have direct access to personal information and can easily compromise that information, either by accident or design. This phenomenon is known as the ‘insider threat,’ which creates a substantial risk that isn’t addressed by most security solutions. 

Here is where irregular behaviour detection comes into play.

First, organisations establish a baseline for everything in an IT environment, including users, network traffic, devices, DNS traffic, application access patterns, host connection patterns, seasonal spikes, etc. Once this baseline is set, continuous irregular behaviour detection is used to identify activity that doesn’t fit the baseline – i.e., suspicious or unusual activity.

Common examples of dangerous irregular or abnormal behaviour include:

  1. Downloading harmful files via an Internet browser.
  2. Visiting insecure websites, e.g., those that start HTTP:// instead of HTTPS:// sites.
  3. Plugging unauthorised USB drives into corporate devices.
  4. Connecting to unsecured or open Wi-Fi networks.
  5. Copy/paste or uploading of identity numbers

If irregular behaviour turns out to be acceptable, it is managed by an exception and update to the baseline. However, if the behaviour is dangerous or undesirable, an irregular behaviour detection tool allows you to identify and block the behaviour before it causes a data breach.

Almost 60% of all data breaches are detectable with irregular behaviour

To evaluate the risk caused by internal users, we’ll look at two of the cybersecurity industry’s most respected research publications: Verizon’s 2021 Data Breach Investigations Report and IBM’s 2020 Cost of a Data Breach Study.

  • According to Verizon, 20-30% of breaches are caused by insiders, mainly due to mistakes. Of these, 80% lead to a compromise of personal data.
  • While insiders are directly responsible for 20-30% of breaches, a much higher percentage of breaches involve insider behaviour in a different form.
  • According to the 2020 Cost of a Data Breach Study, 52% of data breaches are caused by an external attacker. 
  • Social engineering attacks like phishing also require insiders’ unintentional ‘help’, often presenting as irregular user behaviour.
  • A further 8% of external attacks use stolen credentials more directly.

Therefore, more than 38% of external attacks rely on the use of privileged accounts. Combined with human error, almost 60% of all data breaches include irregular behaviour at some point.

POPI Data and Irregular Behaviour Detection

The POPI Act commenced on 1st July 2020 and gave organisations just one year to ensure their IT security program is compliant, with a final deadline of 30th June 2021. 

We have covered the specific POPI compliance requirements before in this article, and you can also find thorough plain language guidance in this POPIA Act Summary.

Organisations have less than one month to reach POPI compliance. To do this, they must securely manage the data capture and storage process for personal information relating to customers and employees, including processes involved with:

  • Recording and capturing personal information.
  • Saving documents to a network, cloud storage service, or USB drive.
  • Transferring data between devices, networks, and physical locations.

Naturally, all these activities are susceptible to data compromise, either through accidental or malicious activity. Implementing systems to prevent this is essential to meet POPI compliance requirements.

Herein lies a significant challenge. POPI is descriptive rather than prescriptive. That means each organisation must determine its unique path to compliance and must be able to provide evidence of its risk assessment process, decisions, actions, and investments.

Remember the figures from earlier. Almost 60% of all personal information breaches are directly or indirectly caused by irregular behaviour. By identifying and preventing that behaviour, you can mitigate the risk of personal data loss and ease the path to POPI compliance.

How to Detect Irregular or Abnormal Network Traffic

To manage irregular or abnormal behaviour, an automated, real-time detection and prevention solution is needed.

ENHALO’s Irregular Behavior Detection (IBD) Service identifies and alerts your IT security team to suspicious behaviour in real-time, making it easy to prevent before it leads to a breach:

  • AI and Machine Learning (ML) algorithms monitor user behaviour in your environment, such as typing patterns, unusual network and application use, and excessive printing to detect threats early.
  • Out-of-the-Box policies based on real-world insider risk scenarios ensure malicious insider detection from day one.
  • Automated procedures detect sensitive content sent and received by email, copied between applications, transferred over video conferencing, or exfiltrated through USB and other storage media. 
  • On-the-spot training is triggered when a user violates your organisation’s Information Security or Acceptable Use Policy, helping avoid repeat incidents.

Crucially, our service solution enables real-time response to irregular behaviour, including endpoint isolation, asset lockdown, and user prompts.

We guarantee a strong security posture that prevents breaches and helps to maintain compliance with POPI and other regulatory frameworks.

Supply Chain Threat Detection

Cyber criminals have upped their game, so should you. We never underestimate or ignore your supply chain's security threats.

Security Operations Center

Financial losses, intellectual property theft, and reputational damage due to security breaches can be prevented.

SOC Assurance Service

Despite a mature Security Operations Center, you're still under threat. Our SOC Assurance mitigates the risk of unnoticed breaches.

Emergency Cyber Response

Regain immediate control, contain the damage, and eradicate the threat. Your bullet-proof, SOS rapid response.

Agentless Network Segmentation

Rely less on vulnerability management and rest assured that the threat won’t spread across your network.

Cyber Risk Assessment

Understand how vulnerable you are. We identify your threat sources and calculate your risks – likelihood and impact.

Endpoint Detection and Response

This solution is for customers that do not have extensive security budgets or staffing to implement and monitor an endpoint security solution.

Irregular Behavior Detection

Companies focus heavily on malicious outsider mitigation, while the biggest threat lies with those who already have access.

Penetration Testing Services

A penetration test is arguably the most important part of any cybersecurity journey, it tests an organization’s ‘final line of defense’ against attackers.

Security Awareness Training & Testing

With cybersecurity awareness training, the risk of human error can be reduced, turning human error into a human firewall.


360 Security
Must Know Cyber
Security Services



Cyber Security Services

Supply Chain Thread Detection
Security Operations Center
SOC Assurance Service
Emergency Cyber Response
Agentless Network Segmentation
Cyber Risk Assessment

Supporting Cyber Security Services

Endpoint Detection and Response
Irregular Behavior Detection
Penetration Testing
Security Awareness Training and Testing

Related Posts

Cyberattack Emergency

Are you experiencing an active cyberattack?

Get rapid response.

Call ENHALO’s International SOS no:
For Other Inquiries: