POPIA Compliance
September 9, 2021

6 September 2021

Introduction

Many companies are moving to the cloud, and the move seems justified when considering factors such as cost, resources, availability and, most probably, lower risk. But is this really true?

Cloud Services

Cloud services created a storm when Covid-19 hit the world. Those who had still doubted the feasibility of moving to the cloud have now moved, as it was a huge cost saving, and because staff were forced to work remotely it became the answer for many organisations. However, cloud solutions do not come without their own problems and risks, and this article highlights a few of the challenges that companies face when moving to the cloud.

Moving to the cloud is not an overnight decision, although many companies had no choice but to make this decision quite rapidly due to Covid-19. That raises the question of whether they did proper due diligence before entering into agreements with cloud providers. Did the cloud provider offer enough information to make an informed decision, or was the decision based on price only? Are you locked into the cloud service provider, and what are the remedies if your data is compromised? Who takes responsibility for what?

All these questions should be considered when entering into an agreement with a cloud provider. But what if you have already entered into the agreement and only now realize that there are possible issues that were not addressed at the time? Or what if you chose an international cloud service provider and had no choice but to accept the terms and conditions in their agreement? Rest assured, there are ways to protect your sensitive data, but they require proper due diligence regarding your data. It is important to always remember that your data is your responsibility, and according to GDPR and POPIA you are accountable for your data.

Many companies did not anticipate that the new way of working would involve remote workers, and although moving to the cloud was a great answer for any business to continue delivering services to their clients, it also came with its own risks.

Remote workers:

According to the Harvard Business Review study, “remote employees have reported to feel disconnected with their organisations as they do not have physical connection with their co-workers.”

The danger in this is that working from home might result in employees ignoring company policies and, more importantly, becoming slack in adhering to security policies. I do not believe the most challenging part of letting people work remotely is the fact that they may start later or attend to home tasks while working. In actual fact, it was found that 70% of remote workers work longer hours than before[1]. A greater concern should be information security and remote workers. Cybercriminals know all too well that remote workers are a soft target. Cybercriminals know exactly how to use social engineering, and while you believe that your information security is still in place via VPN and password protection, the cybercriminals use the exact same credentials and have access to your sensitive data without you even knowing that it is not your employee.

Another issue is that, because of a slow connection, your employee might download sensitive client information to their personal computer, not knowing that this can compromise the company. Before you know it, you are slapped with fines because of GDPR and POPIA, not to mention the reputational damage that you may suffer. We have cases where employees downloaded a database to sell it on the market. Sound crazy? No, it is not, and in the current economic instability in Africa, this might be happening more than you know.

"The question is not if your system will get compromised, but rather when you will get compromised" is a well-known saying in the information security world.

How do I protect my data?

Here are some of the steps:
1. Decide what data is important and needs protection.
2. Do you know where your data resides at all times, including on remote users’ desktops?
3. Who has access to this data?
4. How do I monitor who is doing what with this data?
5. Can I manage the risk if the data falls in the wrong hands?
6. Do I have a backup plan in the event that my service provider has been compromised?
7. Do I need to outsource everything or should some of these functions be insourced?
8. Does my staff understand the risk to the organisation if they do not take security seriously?
9. How do I know that my staff has proper training to prevent cyber-attacks?

These steps are not all-inclusive, but they are a start. It is also important to understand that this is an ongoing process. Remember that we always deal with people, process and technology, and although much can be done and controlled with process and technology, our biggest risk is people, whether they are employees at the cloud service provider or at your own company.

Conclusion

Cloud solution offerings have countless advantages and are recommended, and although most of the time we have to accept more unfavourable terms in the contract, we are still the owner of the data. In other words, we must decide what data should reside in the cloud and what should be protected by ourselves, whether on-premise or in the cloud. We are accountable for our own data, and especially for sensitive data.

About Condyn:
CONDYN is an information security solutions provider that has serviced the Africa market for the past 26 years with cost-effective, world-leading solutions. We believe in ensuring that each client's unique requirements are met not only by the best possible solution but also by the most cost-effective solution. We stand for honesty and integrity and believe that if we can secure one client at a time, we will make the world a better place for all.


Contact Details:
info@condyn.net
www.condyn.com
+(27) 12 6838816

[1] https://www.theguardian.com/business/2021/feb/04/home-workers-putting-in-more-hours-since-covid-research