By Anne Simpson, Marketing Manager at Ava Security
South Africa crossed the threshold of compliance on 1 July 2021 with the Protection of Personal Information Act (Popia) coming into full effect. Prior to this date, Ava Security played host to a roundtable discussion focused on data protection trends and concerns faced by top security executives throughout Africa. This roundtable, with top chief information security officers, brought to light growing concerns shared among the executives about the risk posed by company insiders.
As a global pandemic spread around the world, organisations were made to rethink how their employees would continue working. Prior to this event, most organisations had a central office location in which their employees would come together to perform the function for which they were hired. As this was not a viable option, remote working was quickly adopted by companies worldwide.
However, no longer within the safety of the company firewalls, employees connected to whichever network was convenient, yet still had access to company information. This left remote workers in jeopardy of exposing sensitive information externally. The risk of an employee intentionally or unintentionally releasing sensitive data increased incrementally over the past year. However, with the passing of Popia, the trouble companies potentially face has increased exponentially.
At the roundtable, 60% of IT executives in attendance said they felt insiders posed the biggest security threat to their organisations.
Nick Maxwell, GM for UK, Middle East & Africa and Australia & New Zealand at Ava Security, said: “Organisations have seen an uptick in insider risks in the past year — whether it be due to disgruntled employees, people being made redundant, people moving on from their jobs, or people becoming a little bit more desperate.”
This sentiment was echoed in the responses from participants, who felt insiders and the threat they posed remained a challenge even after working under these conditions for some time. Remote employees still need to use insecure networks and devices to connect to their company infrastructure.
The solution to this problem is not black and white. However, 80% of CISO roundtable attendees agreed that awareness training was effective at helping to create better cyber hygiene. A workforce with strong cyber hygiene creates a better defence against outside attacks, keeping data where it belongs while helping organisations comply with Popia regulations.
User awareness training can be most helpful when it is consistent. However, according to Maxwell, “there needs to be a fine balance between creating the right employee experience and still ensuring that data is secure from wherever they are connecting”.
User activity monitoring is recommended to shed light on how data is moving around and being used within an organisation. This visibility for security teams helps to mitigate the risk of data being leaked, yet also helps if a leak occurs — giving quick insight into incidents.
Organisations can take a proactive stance against external security threats by creating a strong internal defence of company insiders. According to Maxwell, it’s important for companies to remember “that your training is not just a tick-box exercise, but that you are actually changing behaviours in your business to ensure that people fully understand the impact of their actions when you give them access to data within your environment”.
Under Popia, a small action can have larger repercussions, including fines, the loss of company reputation and even jail sentences. This roundtable illuminated the top threats these security executives are facing from within their own organisations and gave insight into how they are addressing these issues to be continuously compliant with data protection laws.
Ava is a global technology company with offices in the UK, Norway, and the USA. We exist because we believe that we can create a better, smarter way to deliver security. We help organizations see, understand, and act on their surroundings to protect their people, business, and reputation in real-time.