Since the POPI Act was introduced, many businesses have taken the time and effort to implement a POPI strategy that complies with the Act's basic requirements. For many businesses, however, this will not be enough to stave off run-ins with the Information Regulator, because they neglect one important element of POPI readiness: their staff.
Digital security should be a top priority for any business, but it doesn't stop at good software. There are many ways in which cybercriminals can exploit human weaknesses to gain access to sensitive private information. This means that you will need to educate your staff to counter the threat of cyberattacks, ensure that you adhere to the POPI Act (especially the condition of Security Safeguards), and keep your business strong.
How do criminals gain access to your data?
Cyberattacks can come through vulnerabilities in your digital network, where criminals find an entry point through an unprotected port, but most cyberattacks succeed when someone inside the network grants access to a malicious outside party. This can happen in many ways, which we detail below:
Phishing is a cyberattack in which you are tricked into giving personal or financial information to a malicious party. Criminals mostly use email, targeting people who are likely to respond on impulse to an electronic request or demand rather than stopping to verify it.
Knowing how to spot a phishing attempt is vital to keeping data secure. Once a cybercriminal gains access to sensitive passwords and logins, they can easily infiltrate your systems and cause extreme damage.
Malware takes many forms and is (as its name hints) a type of malicious software. Malware often enters your network when someone downloads an untrustworthy document from an internet or email source. The most dangerous kinds of malware include:
Viruses: These programs execute themselves and spread by infecting other programs or files. They often scan through files for sensitive information and can alter, duplicate, or destroy data in the process.
Ransomware: These programs encrypt sensitive data and hold the data (you guessed it) to ransom until a fee has been paid. It should be noted that, even if one were to pay such a ransom, some cybercriminals may still refuse to restore access.
Trojan horses: These programs appear to be legitimate software, but in fact hide malicious code behind the façade.
Spyware & Keyloggers: These kinds of programs keep track of the actions that people take on their computers and can capture and steal sensitive data to be used for malicious purposes.
While anti-virus software does wonders to stop malicious code from being executed on a computer, it cannot prevent everything. Furthermore, most cyberattacks depend on human naivety and error. It is therefore vital that business owners educate their staff about the threats that may be posed to their security systems at any time.
The POPI Act requires all businesses to make sure that their information systems are secure and that malicious third parties cannot gain access to sensitive personal data (whether that data belongs to their clients or customers, suppliers, partners, staff, etc.). Failure to protect the data can lead to fines of up to R10 000 000 and up to 10 years' imprisonment. If the damage caused by an information leak is significant enough, such penalties are not outside the realm of possibility.
Secure your data
Speak to your legal advisor about POPI law and how you can go about securing your data so that you comply with the POPI Act condition of Security Safeguards before the Information Regulator comes knocking at your door. It would also be wise to invest in employee training to ensure that your data does not end up in the wrong hands.
This article is a general information sheet and should not be used or relied on as legal or other professional advice. No liability can be accepted for any errors or omissions nor for any loss or damage arising from reliance upon any information herein. Always contact your adviser for specific and detailed advice. Errors and omissions excepted (E&OE).