“More personal information than ever is being disseminated throughout the internet, and that’s great for businesses, who want to offer their customers better experiences,” said Heino Gevers, Mimecast Customer Experience Director, speaking at the ITWeb PoPI Update 2017.
“But while the government recognises that customers should be free to offer their personal information, there is an expectation that it is secure and not open to abuse.”
The Protection of Personal Information Act was signed into law in November 2013 and once a PoPI effective date has been announced, organisations will have 12 months to become PoPI compliant.
PoPI not only places reasonable limits on the use of personal information but puts the onus of cyber resilience in the hands of the business, holding businesses accountable for cyber-attacks and the loss of user data.
“If those businesses that aren’t 100% PoPI compliant could conform overnight, they would,” Gevers explained.
“The technology is available today, but the practicality of PoPI compliance is exactly the extent to which they can make the changes affordably, efficiently and without compromising continuity or security.”
Any organisations, suppliers or public bodies that collect, use, store, distribute, modify or destroy personal information are required to comply with PoPI.
While compliance seems daunting, it offers numerous benefits, including increased customer confidence in the organisation, improved overall reliability of the organisation databases, the avoidance of penalties for non-compliance, and reduced risk of data breaches.
In today’s sophisticated threat environment, traditional security tactics are failing and organisations need to revisit their security posture to build a more cyber resilient enterprise.
In fact, Gevers emphasised that PoPI compliance could be considered synonymous with cyber resilience, and organisations should begin to change from a defensive to a resilient approach that encompasses people, processes and technology and is, by definition, about continual refinement.
“Our workplace is changing at an exponential rate, making us more vulnerable to cyber attacks as we empower our workers to be more productive, mobile, and connected,” he said.
“Organisations need to acknowledge that any form of cyber incident is not a single event but a sustained and persistent campaign, and there is no silver bullet or one-size-fits-all solution.”
To this end, Gevers identified a five pillar framework that should be integral to any approach focused on cyber resilience, including prepare/identify, protect, detect, respond and recover.
Using this framework, organisations can evaluate their cybersecurity strategies, exposing weaknesses that exist in their security posture, evaluating the risk posed by each weakness and addressing the weaknesses that are most critical.
This should improve the organisation’s preparedness for an attack and allow the strategy to be honed with each scheduled cycle of assessments.
Since every organisation has unique systems and different security needs, the results of each series of assessments are evaluated based on the current threat environment and the acceptable risk level for the organisation, rather than a relatively generic series of checklists.
For each of these pillars, Gevers outlined focus areas for minimising cyber risk:
Prepare/Identify
- Improve visibility and understand your information and systems
- Understand your cyber risk posture through assessments and simulations
- Identify and remediate vulnerabilities in your IT organisation
- Map assets to vendor relationships
- Make users cyber-aware
Protect
- Secure business-critical systems from cyber threats
- Protect your endpoints and gateways from targeted attacks and advanced threats
- Protect your mobile workforce and customers
- Protect and govern information assets over their lifecycle, including protection from data loss or illegal access
Detect
- Develop and implement the appropriate activities to:
  - Rapidly identify an attack
  - Assess the systems that may be affected
  - Ensure a timely response
  - Continue to monitor the network for other attack indicators
Respond
- Manage risk by measuring and tracking your cyber resilience
- Create a plan – outline how you intend to respond to cyber incidents
- Determine how response processes and procedures will be maintained and tested
- Coordinate communication response activities
- Devise a system whereby lessons learned are incorporated into future response activities
Recover
- Consider how a cyber breach would affect systems, people and processes:
  - What is required if your employees’ devices are compromised?
  - How quickly can you rebuild new hard drives?
  - Are there processes in place to provision new systems quickly if needed?
- Ensure your critical systems are available during an incident
- Recovery plans need to be reevaluated and updated regularly
For this approach to be effective, however, organisations are going to have to change the way they think about cyber resilience, as well as the conversation about PoPI and cyber risk: senior management must take a more active role, and IT must move from a policy mindset to an approach powered by people, processes and technology.
“Cyber Resilience is about the management—not the elimination—of risk. Not only is eliminating risk impossible, but it affects agility – an environment with an acceptable level of risk supports innovation,” concluded Gevers.
“Cyber resilient organisations recognise that security needs to go beyond systems, software or IT departments to include raising the security IQ of all employees and improved organisational processes.”
Mimecast proposes a new strategic partnership between the security function and business leaders, to balance competitive advantage against the inescapable cyber risks of today – to become not cyber risk-free, but cyber-resilient.
For more information, visit the Mimecast website.