Almost a year after the POPI Act came into effect throughout South Africa, we look at how organisations are handling data differently – more so, are organisations handling data differently?
Personal information, or personally identifiable information, flows so freely in so many organisations that it is very easy to understand statistics such as:
Seventy-nine percent of internet users around the world feel they have completely lost control over their personal data. (Vuleta, 2021)
Now, if these users feel they do not have control over their data, it is up to the organisations that hold that data to ensure they have the correct protection measures in place.
We all like to believe that larger organisations have this under control; however, from the small businesses to the enterprises, data breaches are still a risk and are still on the rise.
This is why data protection laws and acts such as POPIA and GDPR have been implemented to protect the general public as well as the end-users of the world.
Every organisation is liable to take actions to secure the data they use in operation; this is most definitely a mandate implemented as a part of the POPI Act.
So where does one even start with this?
Encryption
A lack of encryption reminds me of the days when you would have to call an operator and be connected to another person. However, if you were a lucky neighbour at the time, you would have free entertainment in the form of your neighbours’ conversations.
This is not particularly ideal if you are the caller, and you would like to express some very personal information to the person at the end of the line.
This is still the case in the 21st century. We would not want anyone outside the authorised parties to be able to access data they are not intended to access.
Encryption is the perfect way to ensure this type of security is in place, whether for communication or for static data.
Many will argue that they have encryption enabled, whether it be at a personal capacity or at an organisational level – however, is this managed encryption, or is it just enabled?
There is a major difference between being able to turn encryption on and exploring the security capabilities of the encryption that has been enabled.
For instance, many will believe that BitLocker alone is an excellent form of data encryption to secure all data on the device.
This is true while the device is turned off. However, as soon as the device is booted and authenticated (usually through the TPM chip), the user, whether malicious or legitimate, is able to gain access to the entire device and its files if they are able to get past the lock screen.
What would be the solution if just having BitLocker is not good enough?
Having dual encryption that leverages access control.
This brings us to a solution such as BeachheadSecure.
BeachheadSecure is a solution that goes above and beyond encryption, by giving your organisation access control that is leveraged off a dual encryption method, native to operating systems that are supported.
This means that at the most drastic level, you are able to push a “kill” instruction to a PC that will destroy EFS certificates (EFS is encryption at a file and folder level), decommission BitLocker (locking the volume with 128-bit or 256-bit cipher encryption) and destroy the master boot record of the PC.
Essentially, this means that one would have to rebuild the PC, have a recovery key for BitLocker, have the password to the PC (BeachheadSecure also enables the use of password policies), get past the two-factor authentication if enabled through BeachheadSecure, and have the EFS certificates to gain access to the data on your PC.
In essence, it's pretty much impossible for a malicious actor to get to your data.
Beachhead is constantly looking at securing you and your organisation by taking the responsibility for encryption management out of your hands.
This is definitely a solution you need on your side to stay away from major litigation and legal actions that come from data breaches and breaches of the POPI Act.
Want to find out more? Speak to Drystan Govender and Amit Parbhucharan at the CRS Stand (09) at the ITWeb Security Summit 2022, to be held from 31 May to 2 June at the Sandton Convention Centre. And don’t forget to add your name to the draw for the R4 000 one night stay for two at a luxury hotel and spa.
Get in touch today and test out BeachheadSecure in your, or your client’s, environment.
Sources:
Vuleta, B., 2021. 18 Chilling Privacy Statistics in 2022. [Online]
Available at: https://legaljobs.io/blog/privacy-statistics/ [Accessed 01 03 2022]