Information security has gone mainstream. No longer the sole domain of IT specialists, maintaining data integrity is a key business decision. And it’s a decision that policymakers and regulators are paying close attention to. As one analyst puts it, the US Securities and Exchange Commission “considers cyber vulnerabilities to be an existential business risk”.
And we can see why. Think of the severe, reputationally damaging Equifax and Wells Fargo data breaches. Hackers have been no less active in South Africa: in 2018 Liberty had to warn clients that their private data may have been compromised by a massive hack. Similarly, the debt-collection agency working for African Bank saw private information exposed in a serious data leak. In each case, a major financial organisation whose guardianship of clients’ personal data should be unassailable is still scrambling to salvage its reputation.
Even more profoundly, poor data security doesn’t simply put your brand at risk; it can undermine your ability to operate at all. Think of the ransomware attack that hit the Colonial Pipeline in the US. Or the hack on the UK’s NHS, which disrupted critical operations.
The breach is coming from inside the house
However, if you think about information security and data management only in terms of outside actors, you’re missing half the story. Now that watchdogs (and the public) are starting to take personal data issues seriously, there’s more scrutiny of what companies themselves do with the data entrusted to them by clients.
The recent record fine that Ireland’s regulators applied to WhatsApp is a staggering case in point. Ireland’s data protection regulator hit WhatsApp with an eye-watering €225m penalty because, it says, the messaging giant, owned by Meta (previously Facebook), failed to respect GDPR, the EU’s data privacy regulation.
The problem wasn’t that Facebook failed to protect users from bad actors so much as that it was itself the bad actor: it was insufficiently transparent about how users’ information is processed.
Commentators say that the massive GDPR fine could be a sign of things to come, so any business handling private information should sit up and take note.
In South Africa, POPIA is broadly similar to GDPR. And while we’re yet to see if regulators will have the same bite as their European counterparts, social media users are taking matters into their own hands. Following the implementation of the POPI Act, private citizens are naming and shaming violators who continue to email, call and SMS after users unsubscribe.
A more level playing field for SaaS companies?
It’s ironic that small and medium-sized SaaS companies have to take strenuous measures, and devote considerable time and effort, to meet rigorous data security standards such as ISO 27001 or SOC 2. It’s not just a question of regulations. Potential clients tend to be (not unreasonably) wary of small, independent software businesses if they can’t demonstrate that they meet a rigorous independent benchmark. Smaller companies need to prove themselves and can never afford to be complacent.
Meanwhile, massive organisations sometimes neglect even to take the most basic infosec measures. After all, the NHS ransomware attack could have been prevented if basic cybersecurity recommendations had been followed.
As an internal NHS report itself concedes, the attack revealed the “importance of swift and effective patching of systems when new security updates are released, and historic underinvestment in network security and up to date software”.
Or take a private entity like Equifax. A patch to fix their software vulnerability had been available for months before they were hacked.
A small business that exposed clients’ private information because it didn’t even bother to update its OS would probably lose many of its clients overnight.
A fine balance
When we think of regulation, we often just consider the balance between ease of doing business and protecting individual customers.
But finding the right level of regulation also potentially affects how fair a business environment is. As long as large corporations get away with an ‘it’s better to ask forgiveness than permission’ approach, smaller businesses, which have no option but to demonstrate their infosec bona fides, are at a disadvantage.
Of course, theory aside, most small businesses recognise that their ultimate responsibility is to their clients – keeping their data secure and being transparent about how it is used – if only because there is an implicit relationship of trust.
That’s part of the reason Commspace undertook the rigorous, highly intensive journey to become ISO 27001 certified. The exercise was invaluable in itself. We learned a lot about building more robust processes and it gave us a chance to bulletproof our systems. But no less importantly, we appreciate that Commspace clients need to keep their own clients’ data absolutely secure. After all, we provide technology for an industry that’s built on trust.