While the strict security and data handling requirements of the Protection of Personal Information Act (POPIA) are now active law (as of 1 July 2020), IT service providers and MSPs have a one-year grace period to achieve compliance for themselves and their clients.
By Amit Parbhucharan, GM: EMEA at Beachhead Solutions
I advise any South African IT service provider whose clients store and transmit sensitive customer information in the course of their operations to begin implementing compliant business practices now, in order to ensure that any complications are fully ironed out ahead of the 1 July 2021 deadline.
Once that deadline has passed, things can quickly get uncomfortable: non-compliant organisations – MSPs and businesses alike – will be subject to penalties including fines of up to R10 million and up to 10 years imprisonment. POPIA also requires any data breach to be reported to both the data subject whose data was exposed and the POPIA regulator. Because of this, non-compliance can also earn MSPs and organisations irreparable damage to their public reputations, which can be the most harmful penalty of all from a business perspective.
To implement device and data security safeguards compliant with POPIA, IT service providers should follow these best practices:
Introduce data encryption
POPIA actually offers a powerful get-out-of-jail-free card when it comes to regulatory enforcement. If a data breach occurs, but the data is unreadable and the identity of the data subject has been rendered impossible to establish through encryption or other means, it isn’t necessary to notify the data subject or the POPIA regulator. Encryption is similarly effective in scenarios where employee-used devices are stolen or lost. To realise these benefits, providers should carefully ensure that encryption is in place and actively protecting clients’ sensitive data across all systems and devices.
Introduce strict access controls
POPIA expressly requires particular safeguards designed to prevent unauthorised user access and data breaches. To meet these requirements, MSPs must carefully protect all system and device access to sensitive personal data by implementing restrictive access controls. This means requiring strong passwords, multi-factor authentication, and employee training to teach workers security best practices.
The current Covid-19 pandemic and the work-from-home practices it precipitated have only increased the importance of device security. With client employees working remotely with laptops, smartphones, tablets, and USB devices that contain or can access protected data, securing these devices is synonymous with POPIA compliance. Introducing robust device security and access controls can ensure that clients’ employee-used devices are well secured, even when located far from the office. For additional device security, MSPs could also require or request that client employees store their devices in a locked and secured location when not in use.
Leverage advanced data access techniques
On top of encryption and tight authentication requirements, advanced measures can render unauthorised data access impossible even in scenarios where devices are lost, stolen, or in the hands of those with bad intentions. Remote access controls can revoke all data access from any device that becomes compromised. Remote data deletion or data quarantine capabilities offer further protection by fully removing or securing any sensitive data present on a device.
Introduce trustworthy anti-virus and anti-malware protections
Attackers use malware and viruses to thwart security measures and gain access to an organisation’s systems and applications, putting POPIA-protected data at risk. This reality requires that anti-virus and anti-malware solutions be in place and actively protecting all devices used within an organisation in order to ensure that data is safe.
Backup data regularly
Regular automatic data backups to a secure offsite location help to bolster work continuity and productivity as well as data security. Ransomware attacks target an organisation’s ability to access and control its own data. Having a secure data backup enables a business to brush aside such attacks while keeping sensitive data protected.
Introduce effective security monitoring, auditing, and reporting
Any interruption to encryption or authentication measures can render data defenceless. Monitoring solutions can be used to oversee all components of a device and data security strategy to ensure their continuous and active operation.
When security incidents happen, the ability to demonstrate these active security measures is also essential in proving POPIA compliance to regulators. Section 19 of POPIA specifically requires organisations to keep historical forensic data – auditing and reporting tools that validate an organisation’s security strategy and prove compliant practices in extensive detail are simply a requirement for peace of mind around POPIA.
When an organisation can fully demonstrate that its device and data security measures represent a thoughtful and effective approach to POPIA compliance, that organisation can avoid regulatory penalties in most cases.
Understand that vigilance is the price of compliant security
POPIA regulators can and will come down hard on organisations that fail to effectively protect sensitive data, whether the organisation has knowledge of its full responsibilities under the law or not. Therefore, businesses absolutely must make understanding POPIA and their own specific device and data security risks a top priority.
Risk areas, from active scams and lax policies to unpatched security vulnerabilities, uninstalled security updates, and other issues, must be actively addressed. Organisations should introduce solutions that automatically recognise devices and provide device inventory management for simple and effective oversight.
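The monitoring, auditing and reporting controls described above, and the device inventory oversight this paragraph calls for, can be demonstrated by a small compliance audit over a device inventory. The following Python script is an added example, not code from the article or from Beachhead Solutions: the `Device` record, the three constructed inventory entries, the audit date and the thresholds (backup age, definition age, stale-device age) are all assumptions chosen for illustration, and the control names map to the article’s sections rather than to any wording in POPIA itself. It checks each device for full-disk encryption, MFA enrolment, an active and current anti-malware agent, a recent backup, outstanding patches and recent check-in, then produces the per-device findings and a per-control summary an MSP would keep as audit evidence.

```python
"""Device compliance audit over a constructed inventory (added example; hypothetical helper)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (control name, description of the gap)


@dataclass
class Device:
    """One inventory record. Field set is an assumption for this example."""
    device_id: str
    owner: str
    disk_encrypted: bool
    mfa_enrolled: bool
    av_active: bool
    av_definitions_age_days: int
    last_backup: Optional[date]   # None means no backup has ever completed
    last_seen: date               # last time the device reported to inventory
    patches_current: bool


# Thresholds are assumptions for this example, not values POPIA prescribes.
MAX_BACKUP_AGE_DAYS = 7
MAX_AV_DEFINITION_AGE_DAYS = 3
STALE_DEVICE_DAYS = 30


def audit_device(dev: Device, today: date) -> List[Finding]:
    """Return every control the device fails; an empty list means compliant."""
    findings: List[Finding] = []
    if not dev.disk_encrypted:
        findings.append(("encryption", "full-disk encryption is not enabled"))
    if not dev.mfa_enrolled:
        findings.append(("access-control", "user is not enrolled in multi-factor authentication"))
    if not dev.av_active:
        findings.append(("anti-malware", "endpoint protection agent is not running"))
    elif dev.av_definitions_age_days > MAX_AV_DEFINITION_AGE_DAYS:
        findings.append(("anti-malware", f"definitions are {dev.av_definitions_age_days} days old"))
    if dev.last_backup is None:
        findings.append(("backup", "no backup has ever completed"))
    elif (today - dev.last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.append(("backup", f"last backup is {(today - dev.last_backup).days} days old"))
    if not dev.patches_current:
        findings.append(("patching", "security updates are outstanding"))
    if (today - dev.last_seen).days > STALE_DEVICE_DAYS:
        # A device that stops reporting may be lost, stolen or silently unmanaged.
        findings.append(("inventory", f"device has not reported in {(today - dev.last_seen).days} days"))
    return findings


def audit_inventory(devices: List[Device], today: date) -> Dict[str, List[Finding]]:
    """Audit every device and key the findings by device id."""
    return {dev.device_id: audit_device(dev, today) for dev in devices}


def compliance_summary(report: Dict[str, List[Finding]]) -> Dict[str, object]:
    """Roll the per-device findings up into counts per control for the audit record."""
    by_control = Counter(control for findings in report.values() for control, _ in findings)
    compliant = [dev_id for dev_id, findings in report.items() if not findings]
    return {
        "total": len(report),
        "compliant": len(compliant),
        "non_compliant": len(report) - len(compliant),
        "by_control": dict(by_control),
    }


def format_report(report: Dict[str, List[Finding]], summary: Dict[str, object]) -> str:
    """Render a plain-text report suitable for retention as compliance evidence."""
    lines = [f"Devices audited: {summary['total']}  compliant: {summary['compliant']}  "
             f"non-compliant: {summary['non_compliant']}"]
    for dev_id, findings in report.items():
        lines.append(f"{dev_id}: {'OK' if not findings else 'FAIL'}")
        for control, description in findings:
            lines.append(f"  - [{control}] {description}")
    return "\n".join(lines)


# Constructed sample data: a fixed audit date and three invented devices.
AUDIT_DATE = date(2021, 6, 1)
SAMPLE_INVENTORY = [
    Device("LAP-001", "a.dube", True, True, True, 1, date(2021, 5, 31), date(2021, 6, 1), True),
    Device("LAP-002", "b.naidoo", False, True, True, 1, date(2021, 5, 30), date(2021, 6, 1), True),
    Device("MOB-003", "c.smith", True, False, True, 10, None, date(2021, 4, 17), False),
]

if __name__ == "__main__":
    result = audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)
    print(format_report(result, compliance_summary(result)))
```

In practice the `Device` records would be populated from whatever endpoint-management or inventory tooling the MSP already runs; the value of the script is that the same checks are applied to every device on a schedule and the resulting report is retained, so that evidence of continuous control operation exists before a regulator asks for it.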
To defeat targeted spearphishing or related attacks, security policies should be crafted to require multiple signoffs before providing any personal data, monetary transfers, or security credentials. Employee training regimens should be in place, which empower each worker to act with the same robust awareness of secure best practices and POPIA’s requirements as practiced at the organisational level.
With less than a year to go before enforcement of POPIA-compliant data and device security measures begins, it’s essential that unprepared MSPs and their client organisations start to introduce the above practices. Considering the challenges of implementing and optimising the security solutions, policies, and training needed to effectively protect both your data and your business, the time to begin is now.