In terms of the POPI Act’s clause 19.1, a responsible party must secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent:
- loss of, damage to or unauthorised destruction of personal information; and
- unlawful access to or processing of personal information.
The POPI Act clearly outlines the requirement for digital defences within an organisation, but not what those defences should be and how much of the budget should be afforded to this category. Some may read that this becomes despondent as it could imply a large investment into an area that is very likely to be more of a financial blackhole. This is the case for many smaller to medium-sized businesses and is being seen in larger business sectors more frequently since unprepared organisations are exposed as victims of cyber-incidents.
Truthfully, not investing in this area will spell disaster for any business in terms of potential losses that will be faced. And sadly, various South African organisations seem to have become the victims of the late adopter syndrome (in reference to diffusion of innovations theory*). This is where preference is given to reactive solutions when it’s required and happens many times after an incident has occurred, rather than being proactive and implementing solutions pre-emptively.
*Diffusion of Innovations Theory definition – This theory seeks to explain how, why, and at what rate new ideas and technology is spread.
Figure: The diffusion of innovations according to Everett Rogers. With successive groups of consumers adopting the new technology (shown in blue), its market share (yellow) will eventually reach the saturation level. The blue curve is broken into sections of adopters. – Wikipedia
This is of course not to say that every organisation should invest a large portion of their annual budget towards digital defences. As outlined in the POPI Act, an organisation needs to implement reasonable solutions company-wide to ensure that they have addressed the potential risks their business faces, depending on what and how much data is handled.
The more data that is handled, the higher the risk, and in turn, the bigger the requirement for trusted and properly implemented defence solutions and trained individuals who can manage these solutions efficiently. Service models like SaaS (software as a service), DaaS (desktop as a service), IaaS (Infrastructure as a Service) and MSP (managed services provider) are specifically designed to help alleviate the financial strain businesses face by leveraging cheaper, external services instead of direct investment.
Definitions:
- SaaS – Software as a service is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. SaaS is also known as “on-demand software” and Web-based/Web-hosted software.
- DaaS – Desktop as a service provides a higher level of automation and real multi-tenancy, reducing the cost of the technology. The DaaS provider typically takes full responsibility for hosting and maintaining the computer, storage, and access infrastructure, as well as applications and application software licenses needed to provide the desktop service in return for a fixed monthly fee.
- IaaS – Infrastructure as a service is a cloud computing service model by means of which computing resources are hosted in a public, private, or hybrid cloud. It provides you with high-level APIs used to dereference various low-level details of underlying network infrastructure like backup, data partitioning, scaling, security, physical computing resources, etc.
- MSP – Managed services is the practice of outsourcing the responsibility for maintaining, and anticipating need for, a range of processes and functions, ostensibly for the purpose of improved operations and reduced budgetary expenditures through the reduction of directly-employed staff. It is an alternative to the break/fix or on-demand outsourcing model where the service provider performs on-demand services and bills the customer only for the work done.
- PaaS – Platform as a service, or application platform as a service (aPaaS) is a category of cloud computing services that allows customers to provision, instantiate, run, and manage a modular bundle comprising a computing platform and one or more applications. This is without the complexity of building and maintaining the infrastructure typically associated with developing and launching the application(s); and to allow developers to create, develop, and package such software bundles