
To many financial advisors, the thought of becoming POPI compliant may sound like a drag. Just another box to tick before you can get on with business. That’s a mistake. A careful assessment of your POPI compliance is an opportunity to audit your internal processes, develop robust systems, minimise human error and adopt the best practice that will keep your business competitive in the long term.

That’s something we recently discovered when we set out to become fully ISO27001 certified.​

At Commspace we worked hard to enhance our compliance and develop more effective information security systems. It was a challenging but extremely rewarding undertaking. Here are some of the insights we gained along the way.

Set a benchmark

We have always been serious about developing robust internal processes. But often when you’re too close to something, it can be hard to see all the details. Think about how even the most meticulous writers need an editor.

Getting that outside view can be an exacting process. We found this out first-hand when we set out to become fully ISO27001 certified. ISO27001 is a rigorous international standard for information security management.

In order to become certified, we had to demonstrate how we identify information security risks and lay out a comprehensive risk management plan.

The plan is far more than a statement of intent. After all, no reputable business intends to be careless with clients’ data. We had to perform an extensive inventory of our assets, and identify how data is secured on each.

Compliance involves a myriad of steps. We won’t get into them all here. But the important point is that we didn’t leave our information security to chance. We applied an internationally accepted standard and took measures to meet that objective benchmark’s requirements.

That’s an important lesson for anyone trying to become POPI compliant, or simply seeking to enhance their security protocols. Don’t assume your processes are robust just because you can’t perceive any weak points. You need to test your systems against an objective standard.

Switch to secure cloud-based systems…

In the wake of 2020, every company recognises the value of effective cloud-based technology. After an awkward start, most of us adjusted pretty well to remote work. We learned to nod along and half-listen through Zoom meetings just like we do in real life. We more or less kept to office hours.

But how secure are your team’s online practices? Are they mailing sensitive documents to each other? Does each member use a unique login?

These are crucial information security questions. However, it would be a mistake to think they only apply to remote work. What happens when you’re back in the office? How are you sharing documents? Do you have memory sticks with spreadsheets full of sensitive information lying around? When you take your work laptop home, is the data stored securely?

… and implement a cyber security protocol

Unless you have a coherent cybersecurity strategy, those questions can be hard to answer. Rather than approaching each tool and device in an ad hoc manner, you need to consider them holistically. After all, any chain is only as strong as its weakest link.

As part of the ISO27001 compliance process, we appointed an Information Security Officer. An Information Security Officer is an invaluable addition to any technology team. They have the expertise to understand the intricate technical details of digital security. But they have a more fundamental role: overseeing your cybersecurity processes in a systemic way. It’s not just about secure devices, but ensuring they are used effectively, in a secure system.

Update, update, update

As part of securing our systems, the Commspace team switched to Google Workspace. The system offers our workforce extra speed and efficiency, and it integrates well with other systems. Equally importantly, our information security team found that the Google solution offered enhanced protection against malware and other cyber attacks.

Many breaches are caused by failing to install the latest patches and updates. Think of the notorious case of Britain’s NHS during the 2017 WannaCry ransomware outbreak: the worm spread through NHS computers running Windows versions that had not applied a security patch Microsoft had released two months earlier. Whichever system your business adopts, make sure you have an effective process in place to ensure all your software is regularly updated and that you are following cybersecurity best practice at all times.

Not all passwords are equal

Passwords aren’t much use if everyone on your team is using ‘admin – admin’ as their login and password. Secure passwords are a fundamental but often overlooked element of information security.

We added a password manager to our cyber security tech stack (we use 1Password) to help manage passwords and ensure all our passwords are sufficiently long, unique to each service and never reused. Other options include LastPass, Dashlane and NordPass.

For an additional layer of security, be sure to opt for two-factor authentication whenever possible. Where you have the choice, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted through SIM-swap attacks.

Revenue management that’s secure by default

We could hardly hand out advice on how to implement more secure software solutions if we didn’t take our own digital security seriously. That’s part of the reason it was so important for us to implement world-class security protocols.

“The main element you cannot delegate to your cloud service provider is your responsibility for security, compliance and customer trust.”

Stephane Nappo

Commspace revenue management and analytics software is designed with information security in mind. It’s cloud-based so you don’t store sensitive information on insecure local devices (it also means teams can work remotely and maintain good information security).

The system integrates with your existing technology (such as your CRM) ensuring that the information you upload will be accurate and up-to-date. After all, the quality of data is only as good as the input.

And crucially, all data is securely stored and transmitted by default. It’s not something you have to think about as you work.

The Commspace dashboard isn’t simply more elegant and user-friendly than clunky spreadsheets, it’s inherently more secure, too. And that means POPIA compliance becomes simpler than ever.