Growing African focus on data security
Beachhead Solutions, provider of cloud-managed mobile device security and data access control, recently announced its expansion into the South African region, along with the appointment of Amit Parbhucharan as the new Country Manager for South Africa and Mauritius. Beachhead said its new availability in the region was particularly opportune for businesses needing compliance solutions ahead of South Africa’s Protection of Personal Information Act (POPI) enforcement and in light of legislation such as MU DPA.
Biztechafrica spoke to Parbhucharan about the complexity of managing and protecting the personal information of customers.
In a nutshell, what do SA’s POPI and the MU DPA in Mauritius have in common?
[AMIT] Both POPI and MU DPA are laws of their respective countries and both are aimed at protecting the personal information and privacy of individuals. MU DPA is slightly more established than POPI is in South Africa as the Mauritian law has been in place since 2009, with an appointed regulator/commission, several rulings and some precedent judgements.
Are other countries in Africa looking to similar legislation?
[AMIT] Yes, already 8 countries in Africa have enacted laws or have draft bills. Data Privacy legislation in the Economic Community of West African States (ECOWAS) is gaining momentum with member states agreeing to the adoption of data privacy laws, and whilst still slow to move, the East Africa Community (EAC) has now taken steps to encourage member states to adopt data privacy legislation, and although not binding, it has established the EAC Framework for Cyberlaws.
What are the implications of this legislation for enterprises?
[AMIT] Organisations, large, small, private and public need to be more conscious and apply more rigour when dealing with personal information. The sensitivity and weight of personal data plays a vital role when processing, using, safeguarding, retaining and destroying personal data. For example, losing a laptop with a spreadsheet containing thousands of email addresses could be far less damaging and suffer fewer consequences than misplacing a USB stick containing just a few files detailing the HIV status or account numbers of just ten people!
The impacts could be different for the differing country laws and the judgements issued, but in the case of South Africa’s POPI Act, this could be up to a $1M fine or imprisonment.
What are the implications of legislation such as this for cloud adoption in Africa?
[AMIT] The onset of legislation that caters for stricter security pertaining to personal data will encourage and force individuals and enterprises to question and review the security practice of cloud providers whose service they want to use. Many of these laws do not prohibit the use of cloud, as the concepts of a “data processor”, “responsible party” and “data controller” are well known, but the onus and risks still reside with the “data processor” or “responsible party”, so they will need to work with their cloud service providers to scrutinise exactly what personal information is being captured, and for what purpose, how it is used for any further processing, secured, retained and discarded. Equally, this also means that cloud providers will need to shape up in order to attract business from customers.
Are Africa's enterprises ready to comply? What about SMEs - are they prepared?
[AMIT] A lot of work still needs to be done here. It is about awareness, education, ethics, risk and ultimately the more savvy the customer, the more they will demand that companies and government bodies comply when it comes to their personal data.
SMEs are in a conundrum as they struggle to balance staying profitable or cash positive with being compliant and doing the right thing. It’s not all bad news though, as SMEs who do protect the personal data of their customers and suppliers the same as they would want their own to be protected can turn their compliance into a business advantage to attract and maintain customer confidence.
What are the biggest risks to the enterprise (and the consumer) in the event of a breach?
[AMIT] This will be dependent on the specific law. Some laws might require breach declaration and notification while others do not make it mandatory to report a breach beyond the regulator. Judgements, fines and penalties will be commonplace but reputational risks, customer confidence, and damages from these will be more dire. A data subject will be well within his/her rights to lodge complaints with the regulator/commission where a breach creates a risk of harm to the individual, and enterprises must do what is required to mitigate the damages caused or likely to be caused by such harm.
Where are the common weak links in the data security chain?
[AMIT] There are multiple weak links, but the ones that create the most noise are the theft and misplacement of typical edge Mobile Data Devices (MDDs) such as laptops, USB sticks, smartphones and tablets. SMEs and larger enterprises do need a multi-faceted approach to information security, but more needs to be done when the potential for data exposure is high.
The weak link that has me worried surrounds the mobility of data – the data that resides on PCs, smartphones, tablets and USB storage. Users/employees are ultimately holding these data repositories; in some cases they even own them. These users play a critical role in the security of that data. And it is true that every business must encrypt data. But what concerns me is that any encryption is only effective if the password is unknown. What happens if the employee quits the firm but still has the hardware? They still have the credentials and access to the data, because encryption can’t protect the data once that device is authenticated. What happens if the password is compromised by a careless employee? Because of these common vulnerabilities, ensuring that you can monitor, manage, report and perform additional security measures on the at-risk device remotely is important, even when the device is no longer in your possession or control.
What approach should Africa’s CIOs and CISOs take in securing data during collection, transmission and storage?
[AMIT] A review of current processes and what PI (personal information) is being captured and for what purposes is a vital start. The concept of minimalism is logical here. 'If you do not need it, do not capture it' is a good motto to follow. There are many good frameworks and resources to reference and we have an established pool of skilled consultants to engage and leverage across Africa. Sometimes it’s best to start simple and do something sooner. Pondering on strategy for a comprehensive solution could yield more harm. Do seek out some simple and affordable solutions to plug some holes quickly, especially at points that provide entry to data repositories and company systems.
One simple practice is to secure your core and your edge quickly (like those MDDs) and work your way in from both ends, and then evolve your efforts over time. Many organisations I deal with have their core systems protected and focus their efforts and funds there, understandably so, but far too many have done little or nothing at the edge. So the time is now, legislation or no legislation, to ensure those laptops are encrypted, and those USB storage devices, smartphones and tablets are properly secured with quarantine, wipe and trace capabilities, similar to those offered by the Beachhead SimplySecure services!