As yet another barrage of data leakages makes news headlines, businesses need to consider whether these security incidents are the result of data hoarding or of operational oversight, especially as the new POPI legislation and its strict guidelines loom.

Michiel Jonker, director: IT Advisory at Grant Thornton Johannesburg, says: “When the Protection of Personal Information (POPI) Act is implemented in South Africa, data hoarding will be illegal while strict guidelines will require widespread reforms to ensure that the personal information and data that the private and public sector collects are protected.”

The POPI Act, which was gazetted in November last year and is currently awaiting an effective date, provides strict guidelines on, among other things, what data can be obtained, how that data can be used, and the requirement that it should be kept up to date.

Jonker warns that security incidents can be very damaging to a company’s strategy and reputation in the marketplace – and these can seriously impact its competitive edge.

“A balance has to be achieved between the availability and security principles within an organisation,” says Jonker.

He believes that one reason, among others, for the increase in large-scale security incidents is the phenomenon of big data. For the past decade companies have been processing and analysing more and more data relating to their industry or to existing and potential clients.

“A huge concern is that there is a very fine line between big data with effective, excellent business intelligence tools to mine the data versus the issue of ‘data hoarding’ with no purpose,” says Jonker. “When do businesses begin to collect masses of data without clear, specific business objectives, and with no strategy regarding the security consequences of this information?”

Unfortunately, organised crime has also grasped the value of big data, and it continues to target companies with big repositories of personal data on a more regular basis.

Jonker cautions that when POPI comes into place, data hoarding will be illegal in South Africa, because POPI requires that data is only processed for as long as there are clear and defined business purposes to do so. In addition, all security breaches will have to be reported directly to those data subjects that have been impacted and to the Regulator.

“The new Act provides an almost certain guarantee that more companies will end up with ‘egg on their faces very soon’, never mind the fact that businesses will need to appear in court to face criminal charges and civil claims,” Jonker adds.

He says that the perception regarding applications is that they need only provide customers with proper functionality rather than providing secure operational excellence to users.

“Operationally it seems that application developers tend to focus solely on the functionality of a system in order to respond to the baseline needs of the user community,” says Jonker. “A user-friendly system that is also ‘hip, cool, new’ is of the utmost importance.

“Sadly, security is either an afterthought, or – even worse – it is totally absent in certain app systems,” he continues.

Jonker’s IT advisory team at Grant Thornton have discovered that in the development of many applications, even basic security password policies have been discarded. In addition, web application developers are often unaware of, for example, basic SQL injection protection practices, which form part of database security best practice.

“Quite often the development of these systems is also outsourced to mid- or small-tier software development houses, with no formal service-level agreements (SLAs) in place to guarantee proper application system controls,” he says.

Even more concerning is how companies’ strategic business objectives normally demand a “first to market” approach, in order to capitalise on new business opportunities in the market and to increase competitiveness. This practice places more pressure on developers to deliver new applications faster, which usually has horrendous effects on IT security, as it allows no time to research and invest in proper security controls.

Jonker says this causes the classic conflict between security and availability, with availability taking priority because it responds directly to the needs of users by providing superior functionality such as user-friendliness, accessibility, availability, and speed.

While Jonker is fully aware that business and IT strategy should not be formalised purely around compliance requirements, such as the pending POPI legislation, he urges businesses to consider paying greater attention to security best practice so that a proper balance between availability and security principles can be achieved.

“The new POPI Act will certainly force companies to stop hoarding data while simultaneously ensuring that organisations start to pay greater attention to security best practices. Hopefully the Act will, for the first time in South Africa, assist us to strike a proper, strategic balance between availability and security principles,” he says.