Three weeks ago Australian web security expert Troy Hunt revealed on Twitter that the personal information of more than 30 million South Africans had been leaked online.
This is the biggest breach of personal information in the country’s history.
This breach has made the public, and enterprises more aware than ever of the protection of personal information and the POPI Act, or Protection of Personal Information Act.
The POPI Act was signed into law in April 2013, but the South African Information Regulator, the body responsible for implementing the Act and monitoring its implementation, has indicated that the Act will only be in full effect in early 2018.
This Information Regulator was only chosen in December 2016, three years after the Act was signed in.
Companies in South Africa are aware of the POPI Act, as is evident from a 2015 Grant Thornton’s International Business Report (IBR) where 91% of businesses surveyed said they would implement the Act.
In 2016 however, the same report revealed that only 25% of the companies saw cyber attacks on personal information as a current threat. This lack of attention provided to cyber attack security can expose companies to the information breach Hunt discovered.
Most enterprises trading in the tech and online sphere rely heavily on customer information as enterprise data for a number of services.
According to the POPI Act, when personal information is collected the person from whom the information is being collected must be made explicitly aware of the purpose for which the data will be used.
The data collected may also only be used by the company for an activity or function which relates to the company and its business.
Companies can comply with this regulation by adding text to their website where personal information such as date of birth or credit card details is asked for.
This text should state how the company will use the required information. This can be the first, very effective step in protecting an online company.
Another important condition of the POPI Act is the safeguarding of the personal information collected.
According to Condition 7 of the Act, companies need to determine whether there are any possible internal or external risks to the information collected and also foresee any future threats.
One way this can be done is by implementing security regulations such as using changeable passwords to information databanks or login details to the backend of online store databases.
Ensuring that spreadsheets with this personal information are access controlled using passwords is another way to ensure the safety of the information.
There are, however, a great number of other regulations in the POPI Act as well. This can become overwhelming and expensive. Companies can also protect their enterprise data and thus comply with the Act, through making use of database security tools.
The relational database management systems (RDBMS) most commonly used by companies are not always sufficient to protect online companies against all possible security breaches.
According to senior security strategist and CTO at Securosis, Adrian Lane, the extensive problem companies are facing is the security of sensitive customer information across a number of different databases.
“Single platform products don't play well when an enterprise has sensitive information in many types of databases,” says Lane.
Traditionally, these RDBMS do not always have the capacity to secure all of these databases at the same time.
Unfortunately, enterprise data collected from customers is only valuable to a company if it can be used and enable collaboration between departments and teams.
On their Windows IT Pro Center website, Microsoft warns of two extremes - where either access is given to everyone without any security or having only one user with access, which can in itself cause a bottleneck effect.
These and other potential security flaws pose a potential breach of information and effectively the POPI Act.
For this reason, it is worth companies investing in a good enterprise database security systems and also employing someone who is directly responsible for this security, as is required by the POPI Act.
The initial investment of both time and money into these security systems might be overlooked by 75% of companies in the IBR Report, however, the value of protecting both the company and customers in the future is an investment worth making.