This past week has been quite an interesting one. While reviewing our weekly Cyberthreat reports, what continues to strike me, again and again, is the infinite depths to which people will go to prove that there is no such thing as common sense and that Stupidity Reigns Supreme:
Case in point: unauthorised or personal cloud sharing services are a great way to ‘enable’ customer personal information for third parties to process claims, without any kind of limitation on the access, its duration and whom the access is provisioned for; so here we go again, doing all the technical stuff preventing the scary hacker guys from destroying reputations, only to be undone by users who are trying to get their jobs done and being innovative in the process.
Visibility and awareness, with positive behaviour nurturing, is the only way to keep out of this dangerous maelstrom; take it from me.
With this in mind, enjoy our roundup of stories for this week…
World Password Day?
The first Thursday of May is World Password Day. Security researcher Mark Burnett first encouraged people to have a “password day,” on which they would update important passwords, in his 2005 book Perfect Passwords. Inspired by this, Intel Security built upon the idea and declared the first Thursday in May World Password Day in May 2013.
Password Day is meant to create awareness of the need for good password security.
Fast forward to last week, when Twitter decided to upstage everyone by notifying all 300 million Twitter users to change their passwords after the plaintext password debacle.
Opportunity for Managed Services: InfoSec
Trying to implement a security program that focuses purely on controls invariably fails. Point solutions like firewalls and antivirus on their own just aren’t enough to protect a company from a devastating hack. While it’s usually the big companies that make the headlines, the reality is that every organization is a target, regardless of size. In fact, cyber-attacks are on the rise for small and midsize businesses, which is logical since most lack the essential security resources or controls necessary to mitigate risk; in fact, 61% of data breach victims were small and mid-size companies in 2016 (2017 Verizon Data Breach Report). The most disturbing fact is that the majority of small businesses that are breached are forced to close their doors within six months (US National Cyber Security Alliance).
We have been in consultation with many industry players and the most common issues that customers face are:
- Where and How to Start
- What to Fix First and why
- Insufficient personnel
- Insufficient budget
- Lack of understanding of how to defend against cyber-attacks
- Insufficient enabling security technologies
- Lack of in-house expertise
Opportunity for Managed Services: InfoSec | Mike Lapeters
The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses | Commissioner Luis A. Aguilar
POPIA and GDPR (My Attempt and Take)
Recently a good friend of mine, who is also a customer, asked me for advice on whether they were on the right track in terms of POPIA and GDPR; this is the long version of the response I gave them:
As regulations continue to change, there are principles that you should adopt whether or not you are a listed company; some of these, but not limited to, are:
Follow the King Code: adopt the King Code of Practice III / IV, and look at and understand the laws of the land of South Africa, e.g. POPIA, the Electronic Communications and Transactions Act and the Consumer Protection Act, etc.
For example: Section 19 of POPIA places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of, and unlawful access to, personal information.
To comply with this obligation, the responsible party must take reasonable measures to:
- identify all reasonably foreseeable internal and external risks to personal information under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
In a nutshell GDPR vs. POPIA:
The good news is that the GDPR and POPIA are simply different flavours of data protection law. They are actually quite similar to each other. Obviously, when South Africa enacted POPIA, it did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA, which would mean that Parliament would need to change POPIA significantly.
The GDPR is more an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR protects data privacy in the world we live in.
But for those who have already done much to comply with POPIA, it is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.
Follow these principles and you should be fine:
GDPR/POPIA affect your business. It’s not simply a security issue. If your organization wants to keep up with global competitors and do business with EU citizens, this is everyone’s issue. You have to get your entire executive team and the board on the same page, and in order to mitigate and continuously manage this, you need to name a Data Protection Officer (DPO).
Once you have the executive team on board—with funding and full commitment—it’s time to organize your privacy office. This should really be a full network; your entire organization should be looped in and everyone should be accurately updated on regulations and rules. Your DPO needs to align a privacy counsel and program manager to help roll out GDPR/POPIA compliance all the way from the CEO to sales and marketing and support to IT ops, and so forth.
MAP PROTECTED DATA
Everyone’s on board? Great. Now it’s time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it classified? Take an in-depth audit now. Is PII transferred across borders? Why and who is it shared with?
It’s time to build and customize your company’s processes and your Incident Response Process (under GDPR, breach notification has to happen within 72 hours, and POPIA will probably align to this). Your DPO should also assess your third-party vendor risks at this time. Be thorough.
AWARENESS AND TRAINING (REPEAT)
Build new specifics into your new-hire training, but don’t forget about ongoing technical training for senior staff. Make annual security training mandatory and brief your executive leadership on new GDPR/POPIA readiness.
Continuous compliance, detailed mapping and auditing of the “why” and “how” of your customers’ PII and data, and setting up a strong privacy team with a Data Protection Officer who knows the importance of getting buy-in from the board will keep your company compliant.
Talk to us; we can help!