South Africa has become a fertile hunting ground for international cybercriminals.
Research by security company Kaspersky indicates that more than half of South African companies were targeted in the past year while spyware attacks increased by 18.8% between the last quarter of 2022 and first quarter of 2023. In respect of the latter, it is mostly government systems that are under siege.
Phishing, business e-mail “spoofing” and malware attacks are among the most common cybercrimes, though Internet of Things vulnerabilities are increasingly being exploited as well. Unsecured smart devices often do not have adequate protective controls in place to detect, isolate and mitigate these cyber onslaughts.
According to Kgotso Masenya, head of information technology at World Wide Industrial and Systems Engineers (WWISE), it has become crucial for organisations to build secure data privacy systems able to mitigate any possible attack.
Masenya has compiled a checklist of requirements for such systems. This includes:
* Compliance with regulations: The company should comply with any applicable data privacy laws, such as POPIA in South Africa.
* Data inventory and classification: A company’s data should be broken down into categories based on significance and sensitivity.
* Access control: Access restrictions need to be put in place to guarantee that only people with permission may access sensitive information.
* Encryption: Encryption safeguards data both at rest and while it is being sent
* Data lifespan management: A plan for managing data throughout its lifespan, including rules for data destruction and retention.
* Secure data storage: Use of compliant and secure data storage options for data to protect against known vulnerabilities.
* Data masking and anonymisation: Anonymise or pseudonymise sensitive data wherever it is practical.
* Data transfer security: Secure data transmissions are made possible by employing encryption protocols like SSL/TLS. Secure communication routes should be used, especially when sharing data with other parties.
* Audit trails and monitoring: Implement reliable auditing and monitoring mechanisms to keep track of data access and modifications.
* Incident response plan: Develop a thorough incident response strategy to deal with data breaches or privacy problems right away.
* Regular security audits and penetration testing: Periodic security audits and penetration testing.
A further course of action, Masenya says, is the implementation of ISO/IEC 27001:2022, a standard developed by the International Organisation for Standardisation (ISO).
The tool speaks directly to information security, cybersecurity and privacy in terms of information security management systems.
“This standard gives an organisation the ability to implement a framework of controls that ensures there are sufficient redundancies and guidelines to conform to a school of international guidelines/standards that embodies governance, statutory and regulatory requirements, and cyber and information security,” Masenya says.
Enlisting the services of the right ISO specialist is just as important as the implementation itself, and companies should always look at aspects like reputation and experience, competence, conformance to industry standards and laws, proof of concept and the quality of gap analysis reports.
“Once implemented, the key people in managing the data privacy system are usually your chief information security officer, data protection officer, chief information officer, IT department and data owners and custodians,” Masenya says. “What you want from them is to explain the importance of privacy and data management obligations and emphasise how crucial it is to follow data protection rules. They should also provide guidance on impact analyses, and act as a point of contact for data subjects.”
In addition, staffers in these positions should be responsible for implementing access restrictions, encryption and other strong security measures, he adds.