With the implementation of the Protection of Personal Information Act (POPIA), organisations in South Africa need to prioritise stringent data security measures or otherwise risk facing significant penalties and implications, writes Lisa Strydom, senior manager of channel and alliances Africa at Veeam Software.
The world today is a very different place than it was a decade ago. As the environment we´re living in becomes increasingly interconnected and digitised, the battle to protect one of our most precious assets – our personal information and data – rages on.
Our every move online leaves a digital footprint that, if mishandled, can have far-reaching consequences for individuals and organisations alike.
From preventing identity theft to bolstering financial security, the protection of personal information is of vital importance and upholds the rights of millions of global citizens. The threat of cyber breaches continues to rise, with 86% of organisations in the Middle East and Africa experiencing ransomware attacks in 2022, according to the Veeam Data Protection Trends Report 2023.
The protection of this information has become a legal requirement across many parts of the world, with the implementation of data privacy laws such as the European Union’s GDPR and South Africa’s POPI Act being implemented in recent years.
Since its implementation on 1 July 2022, organisations operating in South Africa have been required to comply with the conditions of the POPI Act and safeguard the integrity and sensitivity of the personal information of its customers. This means that organisations are required to carefully manage the data capture and storage process of personal information within the lawful framework, as well as ensure that they put all possible measures in place to mitigate the risk of unauthorised access.
One of the critical aspects of the Act are the conditions for lawful data processing. These include facets pertaining to accountability, processing limitations as well as data processing for specific reasons, information quality and accuracy purposes, data subject participation, and security safeguards, among others.
With organisations in South Africa collecting and processing the personal information of millions on an annual basis, it forms the perfect storm for cybercriminals looking to exploit the information of others to their benefit.
For organisations that become victims of an attack in cyberspace resulting into their data being compromised, it’s no longer a case of sweeping news of a breach under the rug, as the Act makes the organisation responsible for the safekeeping of their customers’ information. It’s now not merely a matter of customer data sensitivity or potential damage to the organisation, but also carries significant financial repercussions.
Besides the attacker often holding the information for ransom and demanding compensation for its safe return, the POPI Act calls for harsh financial penalties of up to R10 million and/or 10 years in jail for the organisation´s responsible decision-makers that fail to report a breach. While these penalties have been few and far between since the implementation of the Act, the regulator recently issued a R5-million fine to a governmental institution after it failed to comply with an infringement notice furnished by the regulator after suffering a data breach and ransomware attack in 2021.
This is a situation no organisation wants to face, and it is for this reason that organisations need to bolster their security protocols to mitigate their risk of suffering a successful attack. Unlike potential natural disasters such as fires or floods, being the victim of a cyber-attack is more probable than ever as cybercriminals are relentlessly finessing their tactics and strategies by exploiting any gateway and weakness.
And when considering that Veeam research found that, on average, with each attack, an organisation may expect to lose 15% of their production data, it is not surprising that many continue to invest in and prioritise cyber-attack prevention technologies.
Apart from prevention technologies, immutable and secure backups are a must-have for organisations processing confidential customer data. Based on the lessons learned from the 1,200 victims of ransomware attacks featured in the Veeam Ransomware Trends Report 2023, organisations need to deploy several key technologies and tactics to develop radical resilience in preparation for the next attack.
These include immutable storage solutions within disks and clouds, as well as air-gapped/offline copies on separate media, to ensure that data is recoverable. Furthermore, they need to ensure that they test all the backups for errors as only error-free backups can be recovered as planned also preventing any potential re-infection during the recovery phase.
Here, the implementation of hybrid IT architecture solutions for recovering the servers to alternative platforms as in the case of any other BC/DR strategy has proven to be an effective solution.
In the ongoing battle for organisations to protect valuable data and customer information while remaining compliant with data protection laws like POPIA, prevention remains the ultimate key to successfully minimise risks and to boost cyber resilience that keep businesses running. By prioritising cybersecurity and taking proactive measures, organisations can turn their last line of defence into their best line of defence that will, in turn, protect their reputation, finances, and the data entrusted in their care.