Biggest areas of corporate risk
“No company is immune to cyber risk and the probability of it happening increases by the day. While proactive steps should be taken to comply with POPI, cyber risks expand beyond the need to protect personal information,” says Moodley. According to Silber, hackers present the biggest threat to privacy because employers and government are only entitled to monitor your communication to a reasonable degree. Sometimes hacks are not even particularly targeted, according to CyGeist, where ‘an evolving underground economy’ provides a motive for hackers to scan the Internet for vulnerabilities. This often results in a company that one would not expect to be targeted becoming compromised, irrespective of its size.

Threats of compromise are not purely external, CyGeist warns. “Increasingly, compromises are being triggered by trusted insiders who typically have wide access to the companies’ data (authorised individuals having unauthorised access),” says Van de Coolwijk. There has been a growing trend for companies to be compromised by malicious insiders typically for the following reasons:

• Disgruntled employees due to perceived unfair treatment
• Financial difficulties with selling corporate data proving a lucrative avenue
• Taking data when they leave a company
• Head hunted by competitors for data
• Third party providers having access

In short, your system is only as secure as its weakest link, which may take the form of a dubious support service, a dishonest employee or even just a lack of staff awareness. It is, therefore, important to have a holistic view of your data and how it is protected. Applying different tiers of staff access and testing your information security systems to sniff out weaknesses can, for example, offer some degree of protection, reveals Berry from Camargue. “It is important that companies assess who has access to their personal data. Only staff who require access to sensitive information should be allowed such access. Sufficient network security should additionally be implemented to ensure external parties cannot access their networks, thereby safeguarding sensitive information,” she explains.
Ban the spam
Aside from espionage and hacking, a more pertinent concern for the average South African is how spam invades your privacy on a daily basis. According to Silber, spam is dealt with in three pieces of legislation in South Africa (The CPA, POPI and ECTA or the Electronic Communications and Transactions Act). In fact, under ECTA you are permitted to send one unsolicited e-mail but you are obliged to honor an unsubscribe request and respond to a request about where the company obtained your details. Failure to do so is a criminal offence. Despite this, no one has been willing to take this through to a successful prosecution. “Therefore, lack of consequences is one of the biggest difficulties when dealing with spam,” adds Silber.

“We are really interested in setting some real standards so that companies do not treat data as if it is the Wild West: while some corporations such as banks and insurance companies are becoming respectful of their clients’ data, many other companies still think that they can share it, sell it or start spamming you for unrelated products and services,” says Silber.

Encouragingly, under POPI everyone will have to move from an ‘opt-out regime’ into an ‘opt-in regime’ where marketers can only contact you if you actively opt in, according to Luyt. “Businesses will then need to become creative with ways to encourage opt-ins using legally acceptable incentives and loyalty systems,” he concludes.
The way forward
In the USA, we are already seeing a few steps in the right direction to resurrect privacy, or at least a degree thereof. “Snowden, more than anyone, has sparked a debate around privacy and we see that many of the industry players are responding in relatively positive ways. Whether it is Google, Facebook, Amazon or the network operators; they have been exposed for the fact that they have been giving up their users’ rights to privacy. As a result, they are implementing better security features and user protection protocols. The industry in the USA is also putting pressure on government to start reforming the laws to protect users’ privacy and reduce the right of government to force companies to give up their users’ information,” says Hunter. “But this privacy conversation is very slow to happen in South Africa,” he adds.

With few companies possessing cyber liability insurance or even a holistic understanding of the risks, cyber experts suggest that the best way forward is simply a willingness to have ‘the privacy conversation’. “We shouldn’t be looking at whether or not a database is appropriate because it is in the right hands. We should be asking what can happen if that database falls into the wrong hands? And that is when the privacy conversation needs to follow,” says Hunter.

Silber agrees, saying that with websites aimed at serving up the most relevant information, they are starting to dig more deeply into your personal details. “In my opinion, this is neither positive nor negative but it is the start of the conversation.” “At least companies like Google, Microsoft and Facebook are willing to engage in this conversation. And if the company you are dealing with is not at least willing to do so, perhaps you are in the wrong place.” He adds that one of the biggest challenges to privacy is that many Internet users themselves are not interested or patient enough to have the conversation, until something major happens such as the Snowden event.
In other words, we, as corporates, officials and even citizens, are responsible for privacy’s extinction. But, it seems it is still not too late to mitigate some of the impact and resurrect a level of protection.