This webinar was hosted by the Mail & Guardian and Microsoft. It featured Kelly Chalom, Cloud Essentials’ in-house legal adviser and compliance specialist; Chris Hathaway, a founding member and Managing Director of the Soarsoft International Group and its subsidiaries Cloud Essentials and Salient Discovery. Gushwell Brooks, a presenter on 702 and CapeTalk, facilitated.
As we move increasingly online, security is becoming more of an issue. There is an immense volume of data being generated, processed and stored on a daily basis. Much of this data is personal, such as our identity number and preferences, occupations, fingerprints and where we live. We often click on the “I agree” on websites and applications without reading the small print or realising the dangers involved or the threat of identity theft. Social media is a fertile dumping ground for our personal information and many are not aware of the risks that this entails.
Your personal information is also stored and processed by your employer and may even include your medical data and Covid-19 status. In addition to personal information, company information is also being stored and processed online and much of it is sensitive and valuable to the organisation, such as minutes of company board meetings. Data that historically used to be stored on premises is now being stored in the cloud and is accessible from various devices at various locations, which means there is the risk of having less control over it. Access points are now everywhere; in addition, you may be accessing company information on a publicly accessible wireless network, and these are often not secure and can also put company information at risk.
Many organisations have had to adopt cloud platforms sooner than planned due to the Covid-19 crisis. Cloud services can be consumed quickly and without the requirement for large infrastructure deployments and drawn out deployment strategies. The problem is that this can also lead to poor understanding and configuration of the platform, and even a lack of due diligence in the vendor that is providing the service.
It’s also worth remembering that much of the physical and network security requirements become the responsibility of the vendor and it is critical to understand the shared responsibility model as well as doing your diligence checks on the cloud service provider you have chosen. The more developed and mature enterprise appropriate cloud platforms such as Microsoft 365 have reached a point where there has also been a convergence of security, governance and information management in their ecosystems. If deployed properly cloud services can actually lead to a hugely improved security and information management posture. Most organisations would not be able to afford the expertise and infrastructure costs required for many of these advanced facilities that are offered by shared and scaled up cloud services. With the modern requirements of ultra-mobility, and personal devices, it is also important to understand how to establish a “modern” perimeter with modernised security systems that protect your data, regardless of the end point.
POPIA (Protection of Personal Information Act) will come into effect in July and companies have 12 months to comply. Compliance is a journey and the best that companies can hope for is optimal compliance. This is because risk is constantly changing and compliance must therefore evolve and adapt in response. Organisations must adopt a risk-based approach to compliance and not only rely on technology to mitigate that risk, but on people and process controls as well. An effective compliance programme relies heavily on the organisation’s workforce, and the level of trust within the business.
All companies must have a data protection officer, or information officer, and if you have a large company, you may want to appoint “data champions” across the business to enforce good data protection practices. Although you don’t need to appoint someone specifically for this role, it is best that it not be held by IT, as although these areas of the business do need to work together, they do serve different functions; otherwise, there may be the risk of IT, for example, implementing retention labels without being aware of or understanding the retention requirements of the applicable laws. The IT staff often undertake this responsibility due to the slow response of business to the new technology.
Trust is key and companies must promote a culture of data privacy; there must be ongoing communication with all staff, and they must understand not only their role in ensuring compliance but also the consequences of non-compliance for them and for the business. Companies should also not over-mitigate as this will make employees feel stifled and unproductive, which may lead them to find workarounds. In addition, companies have to implement their data protection controls based on an assessment of risk and a cost-benefit analysis.
How safe are Zoom and other meeting platforms? Some meetings have been “gate-crashed” with embarrassing consequences. As we mentioned previously, it is critical to be using and deploying an enterprise-appropriate, trusted and tested cloud service provider and preferably one that will help you identify and block the use of “Shadow IT” solutions, such as Microsoft 365. Even when you do have an appropriate technology in place it may not be to blame for these intrusions and you need to look to your people, processes and then technology to ensure you are protected. Cloud platforms have also allowed organisations to switch things on without having to deploy infrastructure and train IT personnel appropriately, so it’s important to know you may need to bring in an expert or partner for at the very least your initial deployment phase of adoption.
A partner will also ensure you have appropriate licensing and even more importantly ensure you are using all of the capabilities you have paid for! Platforms such as Microsoft 365 are hugely developed and take care of many of the base requirements in the standard licensing options.
Identity management and access control are very important in the Covid-19 era, especially if you deploy replacement employees, or are retrenching. Ensure that you revoke employees’ access immediately once they no longer require it or have left the organisation.
There are four themes to a sound personal data protection compliance programme: discover, manage, protect and report. Companies have to be able to demonstrate their compliance with the regulations stipulated. Microsoft has a compliance manager that allows companies to document their journey to compliance; Microsoft’s control mapping is also in that tool and they make recommendations to customers for how to improve their compliance. Make sure you examine the compliance levels of your vendor; the larger service providers are now using machine learning, which can detect for instance when someone who has logged in from one country, logs in from another too rapidly, and then denies access because of the anomaly. We won’t always be able to keep up manually, so it’s best take advantage of these capabilities.
The bigger service providers may have more security options than smaller or private deployments, as the large providers gain from economies of scale, access to resources and expertise and cannot afford breaches that could destroy trust and reputation, critical to their success. End point protection is vital, so do your research and make sure controls are available and implemented. Data protection must be at the centre of your company’s strategy. Get the people, process and technology in your business talking to each other, and buy mature, trusted and vetted technology solutions.