By Simeon Tassev, QSA & MD at Galix
The Protection of Personal Information Act (PoPIA) is now in full effect, after a lengthy introduction phase. This, added to ongoing lockdowns necessitating continued remote working, is putting a lot of pressure on organisations when it comes to data management. Data security is under scrutiny like never before, and businesses are beginning to feel the heat in a complex, confusing and highly pressured environment. However, a reactive approach of ‘doing something has to be better than nothing’ could leave businesses in a worse predicament than when they started. A strategic approach, delivered by the right managed services partner, can aid organisations in handling the dual challenges of compliance and Covid while improving data security and data management effectiveness.
Even though businesses have had several years to gear up for the implementation of PoPIA, many organisations had not put adequate measures in place. Then Covid-19 and all the ensuing chaos happened, further adding strain. Now, rather than taking the time to understand what needs to be done from a data management perspective, and how it needs to be done, businesses are reacting without clear understanding or strategy in place. They will inevitably expend a lot of effort and money, but without a plan of action and proper management, they will likely come out the other side being neither compliant nor prepared.
One example is the vulnerability scan. In the wake of PoPIA, this is a common request from businesses: a check of whether websites or other areas have weaknesses that could be exploited as part of an attack. However, this is short-sighted, as it covers only one of many potential attack vectors, and in isolation does not necessarily provide any useful input. It also does not actually address the management and security of Personally Identifiable Information (PII), so on its own it will not ensure compliance.
The reality is that PoPIA is new legislation, and as such is unclear on many definitions, so organisations take the view that any action is better than nothing. However, while this may be technically true from a compliance perspective, such an approach adds little to no value. It makes far better business sense to take the time to design a proper, effective plan of action for both compliance and data management.
This requires understanding the challenges specific to the enterprise and the risks in terms of the vulnerabilities that apply, and how to close or mitigate them. This is the element that is missing from current approaches to PoPIA compliance. However, it is also an area that requires specific skill sets that many organisations simply do not have. This is where a managed services provider can assist.
Ultimately, organisations need managed services because data is a business asset, and it cannot be effectively measured or used if it is not being managed and monitored. It is essential to have a comprehensive inventory of data, systems, hardware, and software that together make up a business, before understanding how these can all be classified and prioritised. Only then can efforts be focused in the correct areas and controls put into place to mitigate specific risks to a specific business, rather than an ineffective, generic or reactive blanket approach.
Managed services providers can help businesses to develop strategy and put the right controls into place to handle data risk. However, not all managed services providers offer the same levels of service, so it is important to engage with a trusted partner and understand what will be delivered.