How to stay cyber resilient and protect personal information during and after lockdown


Responding to the global increase in the remote workforce due to the COVID-19 pandemic, we have no other option but to adopt a futuristic outlook on how to improve information security as cyber threats spike.

The protection of personal information of both employees and consumers is often not prioritised until this information is compromised. According to the Protection of Personal Information Act 4 of 2013 (POPI) in South Africa, reputational damage and the financial burden of paying fines of up to R10 million to the Regulator could be avoided by implementing appropriate safety measures to protect personal information. Even though these measures are often thought of as physical safety measures, we should consider all possible ways of accessing valuable personal information; hence the importance of including cyber security in organisations.

For ease of reference, the POPI Act defines personal information as “information relating to an identifiable, living, natural person and, where applicable, an identifiable, existing juristic person, including, but not limited to—

  • information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
  • information relating to the education or the medical, financial, criminal or employment history of the person;
  • any identification number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
  • the biometric information of the person;
  • the personal opinions, views or preferences of the person;
  • correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence;
  • the views or opinions of another individual about the person; and
  • the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person”.

According to the above comprehensive explanation of what personal information is, it is clear that employees could be vulnerable to outsider cyber threats if no appropriate safety measures are taken to protect their own personal information and that of clients.

Tips for South African organisations include the following:

Educate employees on “phishing” and other fraudulent activities:

  • According to Atlas VPN, “phishing is a technology that cybercriminals use to gather personal information via deceptive e-mails or websites. The number of phishing websites spiked by 350% amid the COVID-19 quarantine from January - March 2020”. Many attackers will take advantage of this practice to trick employees into giving their credentials through email (phishing), voice calls (vishing) or SMS (smishing). Inform employees of best practices to avoid becoming a victim. This would include not opening emails in the “spam” folder and not opening any unknown links or downloading questionable files.

Ensure protection of virtual meetings by using secure platforms. Recommendations for using the Zoom conference facility are as follows:

  • Use an automatically generated meeting ID instead of a personal meeting ID.
  • Avoid sharing your meeting link on public channels.
  • Require meeting passwords.
  • Enable the meeting waiting room – this allows you to accept and reject participants.
  • Meetings must not be recorded without the employees’ knowledge.
  • Meetings should not be recorded if personal or sensitive information will be shared. If meetings are recorded, do not indicate that in the title or description of the meeting.
  • Recorded meetings should be protected with a password to prevent the recording from being downloaded.

Update IT policies:

  • Since working from home provides the whole family with access to a company laptop or other device, it is recommended that the organisation’s IT policy be updated to prohibit or limit unauthorised use of the device.
  • The IT policy should provide for specific limitations regarding downloading and storage of specific (pre-determined) information/content.

Ensure that devices are equipped to prevent security threats

  • Passwords: As mentioned in a previous blog, 'Beginners Guide to Practical Cybersecurity' written by Retha van Zyl, use passphrases instead of passwords, as passwords can easily be identified and used for hacking. Different passwords/passphrases should be used across accounts to lower the risk of all accounts being compromised.
  • Antivirus: This software is used to detect and remove viruses and malicious software. Ensure that these programmes are regularly updated and running.
  • Firewalls: Firewalls enforce rules regarding data packets that may enter and leave a network. This reduces the risk of malicious packets travelling over public networks. If employees travel frequently or must regularly rely on other unsupplied networks, ensure that their devices contain high-quality firewalls for protection.

Use secure networks

  • Do not connect to unsecured networks such as a neighbour’s open Wi-Fi or public Wi-Fi as this is an easy way for information to become compromised.
  • After the Wi-Fi installation, ensure that the password is changed. Do not use the initial password provided.

Be selective of what information to transfer

  • Do not transfer company information to a personal device, such as a phone or laptop, if you are unsure whether the same security measures are provided for on the personal device.
  • Do not transfer personal/sensitive information from the company’s server to the company device. This ensures that no personal information can be retrieved/lost should the device be stolen/damaged (provided there are adequate security measures to access the server from company devices).

In conclusion

While we are in the process of becoming a truly borderless society, organisations should use this opportunity to improve their cyber security. By prioritising the protection of valuable personal information, organisations will be able to successfully operate remotely.

While the main focus of the POPI Act is on compliance, our approach at SERR Synergy is to implement compliance in such a way that it provides business value to our clients and allows for improvement in efficiencies and effectiveness by meeting the compliance requirements.

About the Author: Monique van der Merwe completed her B.Consumer Science degree at the University of Pretoria. She joined our team in July 2018 and currently holds the title of “Information Compliance Advisor”. She specialises in compliance with the Consumer Protection Act (CPA) as well as POPI and PAIA. This includes compiling legal compliance reports and developing policies along with the other assessment aspects relating to consumer protection legislation. She drafts and submits PAIA manuals to the Human Rights Commission and also compiles and implements Data and Information Protection Reports to identify risks associated with information security in each department of an organisation.

