Biggest areas of corporate risk

RISKSA Magazine - News

“No company is immune to cyber risk and the probability of it happening increases by the day. While proactive steps should be taken to comply with POPI, cyber risks expand beyond the need to protect personal information,” says Moodley.

According to Silber, hackers present the biggest threat to privacy because employers and government are only entitled to monitor your communication to a reasonable degree. Sometimes hacks are not even particularly targeted, according to CyGeist, where ‘an evolving underground economy’ provides a motive for hackers to scan the Internet for vulnerabilities. This often results in a company that one would not expect to be targeted becoming compromised, irrespective of its size.

Threats of compromise are not purely external, CyGeist warns. “Increasingly, compromises are being triggered by trusted insiders who typically have wide access to the companies’ data (authorised individuals having unauthorised access),” says Van de Coolwijk. There has been a growing trend for companies to be compromised by malicious insiders typically for the following reasons:

• Disgruntled employees due to perceived unfair treatment
• Financial difficulties with selling corporate data proving a lucrative avenue
• Taking data when they leave a company
• Head hunted by competitors for data
• Third party providers having access

In short, your system is only as secure as its weakest link, which may take the form of a dubious support service, a dishonest employee or even just a lack of staff awareness. It is, therefore, important to have a holistic view of your data and how it is protected. Applying different tiers of staff access and testing your information security systems to sniff out weaknesses can, for example, offer some degree of protection, reveals Berry from Camargue.

“It is important that companies assess who has access to their personal data. Only staff who require access to sensitive information should be allowed such access. Sufficient network security should additionally be implemented to ensure external parties cannot access their networks, thereby safeguarding sensitive information,” she explains.

Ban the spam

Aside from espionage and hacking, a more pertinent concern for the average South African is how spam invades your privacy on a daily basis. According to Silber, spam is dealt with in three pieces of legislation in South Africa (The CPA, POPI and ECTA or the Electronic Communications and Transactions Act). In fact, under ECTA you are permitted to send one unsolicited e-mail but you are obliged to honor an unsubscribe request and respond to a request about where the company obtained your details. Failure to do so is a criminal offence. Despite this, no one has been willing to take this through to a successful prosecution.

“Therefore, lack of consequences is one of the biggest difficulties when dealing with spam,” adds Silber. “We are really interested in setting some real standards so that companies do not treat data as if it is the Wild West: while some corporations such as banks and insurance companies are becoming respectful of their clients’ data, many other companies still think that they can share it, sell it or start spamming you for unrelated products and services,” says Silber.

Encouragingly, under POPI everyone will have to move from an ‘opt-out regime’ into an ‘opt-in regime’ where marketers can only contact you if you actively opt in, according to Luyt. “Businesses will then need to become creative with ways to encourage opt-ins using legally acceptable incentives and loyalty systems,” he concludes.

The way forward

In the USA, we are already seeing a few steps in the right direction to resurrect privacy, or at least a degree thereof. “Snowden, more than anyone, has sparked a debate around privacy and we see that many of the industry players are responding in relatively positive ways. Whether it is Google, Facebook, Amazon or the network operators; they have been exposed for the fact that they have been giving up their users’ rights to privacy. As a result, they are implementing better security features and user protection protocols. The industry in the USA is also putting pressure on government to start reforming the laws to protect users’ privacy and reduce the right of government to force companies to give up their users’ information,” says Hunter. “But this privacy conversation is very slow to happen in South Africa,” he adds.

With few companies possessing cyber liability insurance or even a holistic understanding of the risks, cyber experts suggest that the best way forward is simply a willingness to have ‘the privacy conversation’. “We shouldn’t be looking at whether or not a database is appropriate because it is in the right hands. We should be asking what can happen if that database falls into the wrong hands? And that is when the privacy conversation needs to follow,” says Hunter.

Silber agrees, saying that with websites aimed at serving up the most relevant information, they are starting to dig more deeply into your personal details. “In my opinion, this is neither positive nor negative but it is the start of the conversation.” “At least companies like Google, Microsoft and Facebook are willing to engage in this conversation. And if the company you are dealing with is not at least willing to do so, perhaps you are in the wrong place.”

He adds that one of the biggest challenges to privacy is that many Internet users themselves are not interested or patient enough to have the conversation, until something major happens such as the Snowden event. In other words, we, as corporates, officials and even citizens, are responsible for privacy’s extinction. But, it seems it is still not too late to mitigate some of the impact and resurrect a level of protection.
