Bottom-Up Compliance: A Pragmatic PoPIA Strategy

When it comes to data security, an organisation is only as strong as its weakest link, which is why you should take a bottom-up approach to PoPIA compliance.

Formulating and implementing a robust PoPIA compliance strategy is a complicated affair, to put it lightly. Your business’ appointed Information Officer can do a stellar job, put every necessary step in place and monitor just about every aspect of information processing. However, it takes only one employee making one mistake for your entire strategy to crumble.

A simple act of carelessness can have disastrous consequences. And, even though your Information Officer will be held accountable for any slip-ups, he or she simply cannot have eyes on every employee at every moment. This is why you need to turn data security and responsible processing into office culture.

Of course, we have spoken a lot about broader PoPIA strategies and responsible ways to process data, but it is actually far simpler to require your employees to follow a few basic techniques while carrying out their daily tasks, and those techniques create the foundation for a highly secure system. For the most part, our entire day is spent online, be it when using email and messaging platforms, web-based applications, or even when we check the news or browse social media during our breaks. This means that, at any time, an employee, and therefore your organisation’s network, is vulnerable to a cyber attack or data breach.

There is some very promising data regarding corporate cybersecurity trends. According to Gartner, Inc., corporate spending on information security and services reached $101 billion, a rise of 12.4% last year, and the figure is expected to be $124 billion in 2019. And, according to the 2018 Verizon Data Breach report, security incidents dropped globally from 53,308 in 2017 to 41,686. Data breaches also dropped by 23% within that timeframe.

However, the number of personal information records exposed spiked dramatically, by 126%, between 2017 and 2018, according to the ITRC 2018 End-Of-Year Data Breach Report. From this information, the reasonable conclusion is that, while corporates are doing a great job of securing their databases from the top, their employees are changing their behaviour with far less rigour.

To put it plainly, if you don’t have each and every employee on board and making an effort, your organisation’s data silos will continue to be porous and leaks will be inevitable. So here are some simple techniques that should form part of every employee’s digital conduct:

Password vaults

In 2019, there are still computer users who use the same simple password for everything they do. Many organisations require employees to change their login details at fixed intervals, but it is impractical, if not impossible, to oblige them to change their passwords on each and every login portal, be it their email, other productivity applications or any other online platform that gives an attacker an entry point to your business network.

One useful tool is a password vault, such as LastPass. Password vaults generate long, complicated and highly secure passwords, and manage and categorise them effectively, so employees no longer have to remember a different password for every service. These vaults are easy to use and won’t disrupt workflow.

Multi-factor authentication

Authenticator apps, like Google Authenticator, create an additional barrier to access. Such an app generates a number that changes at short intervals, so an attacker would need access to an additional device to log in. Even if a malicious actor somehow gains access to an employee’s laptop, they would also need access to that employee’s cell phone or another designated device.

Virtual private network

If your employees access the Internet through a VPN, your organisation can have complete control over the management and security of the network. The private network connection is established over an encrypted tunnelling protocol, and users authenticate with passwords or certificates to gain access to the VPN. This is one of the best security mechanisms that combines a top-down approach with a bottom-up approach, with both network administrators and users taking control of the security mechanisms.

Paper Free Offices

For many of us, this pill is rather hard to swallow, because we “like the feel” of paper. It doesn’t strain the eyes and it’s far easier to read. Unfortunately, the drawbacks of printing documents are plentiful. Firstly, it is incredibly hard to organise documents into files – how many of us have a pile of papers that we no longer need occupying a far corner of our desks? Secondly, it’s bad for the environment – the continuing demand for paper around the world contributes towards deforestation, and going paper-free would have a positive impact on your company’s reputation. Thirdly, it’s not secure at all – you cannot encrypt a paper document, and it is easy for pages containing personal data to fall into the wrong hands, whether because an employee left them lying around or did not shred them before disposal.

Consider biometric security

It may seem like something out of a James Bond movie, but biometric security is fast becoming commonplace. Retina/fingerprint scanners, facial/voice recognition, palm biometrics, behavioural biometrics and gait analysis are all emerging technologies that are getting better by the day. Biometrics offers fast authentication, safe access management and precise employee monitoring.

Integrating biometric security mechanisms can be complicated and expensive, but it is an investment for the future and is incredibly effective. However, other practices should still be employed where necessary, as biometrics are not necessarily an impenetrable system, especially while many of the technologies used are new and there is a lot of room for improvement.

You have to learn to crawl before you can walk, and common security practices need to become second nature for each and every one of your employees. Achieving PoPIA compliance is a difficult process, and it may take your business some time to reach a point where you’re satisfied with your data security mechanisms, but knowing that you have taken a grass-roots approach will help you sleep a lot easier, because vigilant employees will be the safety net for your strategy. And it is not difficult at all for your employees to be secure in their personal capacity. Not to mention, it will have a positive effect on them outside of the office, because they will have the knowledge that allows them to protect their own personal information.

It’s all about creating an office culture. How you create that culture is up to you, but, at the end of the day, individual security vigilance should be treated like you would a dress code. You wouldn’t allow your employees to come to work in their pyjamas, would you? You shouldn’t allow them to be negligent in their digital conduct either.

Want to boost your privacy protection policies? Talk to us about our proven process-based approach for quick results.
