Due to come into law later this year, the Protection of Personal Information Bill – often referred to as PoPI – will dictate how South African organisations handle personal information, or PI. From the perspective of corporate security, PoPI will affect how organisations protect that data.
PoPI sets out eight principles that govern the conditions for the lawful processing of PI. Principle 7 deals specifically with security safeguards and covers the following areas:
* Security measures on integrity of personal information.
* Information processed by operator or person acting under authority.
* Security measures regarding information processed by operator.
* Notification of security compromises.
In terms of the security measures required to protect PI, organisations must take “appropriate, reasonable technical and organisational measures” to prevent its loss, damage, unauthorised destruction; and to prevent unlawful access or processing of the information. According to the Bill, organisations must:
* Identify all reasonably foreseeable internal and external risks to personal information in its possession.
* Establish and maintain appropriate safeguards against the risks identified.
* Regularly verify that the safeguards are effectively implemented.
* Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
Finally, the organisation must have “due regard to the generally accepted information security practices which may apply to it generally or be required in terms of specific industry or professional rules and regulations.”
Broader security implications
Fall foul of PoPI and the consequences could be a R10 million fine or 10 years in jail. Internationally, such penalties are nothing new.
In August 2010, Zurich Insurance was fined £2 275 000 – about R25 million – by the UK’s Financial Services Authority after a back-up tape containing PI on 46 000 policy holders was lost the previous year by the company’s South African branch.
As an indication of the implications of complying with POPI, it’s worth considering the recent experiences of a local card-payments processor, PayGate. In an August 2012 cyber theft, hundreds of thousands of cardholder details were apparently stolen from the company.
When the theft became public in November, PayGate said it was in the process of attaining compliance with international standards that govern the protection of PI. In April this year, the company was duly certified as compliant with the security standards of the Global Payment Card Industry (PCI) Security Standards Council.
Peter Harvey, PayGate’s MD says, “PCI compliance means that any credit card information we handle on behalf of our clients and their customers is protected by multiple layers of security. In addition to the anti-virus and firewall protection customers would expect, all sensitive information is encrypted.”
According to Harvey, the process takes at least 18 months of serious effort and only a handful of South African businesses are currently PCI certified. To achieve compliance, Harvey says PayGate had to demonstrate that hundreds of controls were in place, ranging from firewalls, intrusion detection and file integrity management, through to staff training and the physical security of its offices and data centre.
PayGate’s experience clearly highlights the fact that protecting PI is not just a matter of IT security. Its protection clearly also extends into physical access control.
Understanding the threats to PI
It’s certainly not difficult for an organisation to “identify all reasonably foreseeable internal and external risks to personal information in its possession”. Research into the theft of PI is extensive, credible and readily available. For example, the annual Data Breach Investigations Report (DBIR) from Verizon has become a benchmark study into corporate data breaches, based on investigations into over 1700 real-life incidents in the past seven years.
The 2012 Report covers 855 breaches in which over 174 million PI records were compromised. It shows that abuse of IT access credential featured in 53% of the breaches – split between exploitation of default, or guessable credentials at 29% and the use of stolen login credentials at 24%.
As in every previous DBIR, the exploitation of credentials is cited as by far the leading ‘threat-action’ in these breaches.
Gaping loophole in corporate security
The abuse of conventional security credentials is so widespread, so well-documented and so frequent that it completely undermines the integrity of any system that uses them. The fact that anyone – absolutely anyone – can use your card, PIN or password is all the evidence that should be needed to illustrate their futility as a security measure.
But who will shout out that the Emperor is wearing no clothes? And will their voice be heard? Any system built around CPPs is no more robust than a skilfully-balanced house of cards.
It’s almost certain that the first organisations to be charged for failing to comply with PoPI will be from the industry sectors most frequently robbed of the PI they hold – financial services, hospitality and retail. It’s equally certain that credential abuse will lie at the heart of this loss – beyond a shadow of a doubt that’s what all the research into such real-world breaches tells us.
Blinded by compliance
One consequence of the advent of PoPI is the birth of a mini-industry offering professional advice about PoPI and the requirements for compliance. From the big law firms, through to the major accountancy firms and management consultants, there’s a wealth of free and fee-based advice and best-practice information out there on all aspects of PoPI and its ramifications.
The danger of this focus is that it encourages organisations to channel their security efforts and initiatives into a very narrow tunnel – protecting PI. This has the effect of diverting resources and attention away from the much greater risks posed by the growing cyber threat to corporate secrets or intellectual property.
Intellectual property is often the foundation of an organisation’s competitive advantage and its loss can carry commercial consequences that make PoPI’s monetary penalties seem insignificant.
And the cyber threat to corporate secrets is increasing as the value of stolen PI continues to fall, basically because the market has been flooded with multi-millions of such records. As with any commodity, once the market is saturated, prices drop. Dave Ostertag, global investigations manager at Verizon Business, says: “I think what we’re seeing is that there’s a big change in the type of data that criminals are going after. There’s a glut of personal data out there now, and there really isn’t a great market for it.
“The value of intellectual property, on the other hand, is much higher – criminals are finding that they can make as much money from stealing a smaller number of highly sensitive records as they can from stealing a big database of customer information.”
The growing threat to corporate secrets was also highlighted by a March 2011 report from McAfee, which stated that: “While it remains a profitable enterprise to buy and sell stolen credit cards, lately, intellectual capital has become the new source of large and easy pay-outs.”
Advanced and persistent
The term ‘Advanced Persistent Threat’, or APT, defines cyber-thefts that are sophisticated, determined and well organised. The other defining characteristic of an APT is the information it targets, corporate secrets.
In 2010, Ernst & Young and Deloitte published commentaries on the increasing cyber-threat to corporate secrets and emphasised the vulnerabilities created by traditional access credentials.
Deloitte stated: “In many cases cyber-criminals have obtained credentials and accessed systems as if they were actual employees and customers. When cyber criminals employ such users as unwitting accomplices… they can operate as if they were users. They can acquire the same, or even greater, ability to navigate pathways, copy data, execute transactions and monitor keystrokes.”
Ernst & Young’s comments supported this opinion: “A common characteristic of APT malware is that it seeks to steal the credentials of valid users so that it can execute as a legitimate user and better evade detection.”
Perhaps a highly positive consequence of PoPI will be that it prompts organisations to rethink how they control access to all their systems and realise that it may be time to secure the foundations rather than adding another layer of shiny playing cards to the teetering construction that is IT security.
© Technews Publishing (Pty) Ltd | All Rights Reserved