As yet another barrage of data leakages makes news headlines – most recently publicly exposing FNB and Gautrain customers’ personal details – businesses need to consider whether these security incidents are the result of data hoarding or of operational oversight, especially as the new POPI legislation and its strict guidelines loom.
Early in October, Mybroadband reported serious security vulnerabilities in FNB’s web application, where the online card tracking facility exposed customers’ personal details. In the same week, Gautrain Gold Card holders’ details were also exposed.
When the Protection of Personal Information (POPI) Act is implemented in South Africa, data hoarding will be illegal while strict guidelines will require widespread reforms to ensure that the personal information and data that the private and public sector collects are protected.
The POPI Act, which was gazetted in November last year, and which is currently awaiting an effective date, provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
Security incidents can be very damaging to a company’s strategy and reputation in the marketplace – and these can seriously impact its competitive edge.
A balance has to be achieved between the availability and security principles within an organisation.
One reason for the increase in large-scale security incidents is the phenomenon of “big data”. For the past decade companies have been processing and analysing more and more data relating to their industry or to existing and potential clients.
A major concern is that there is a very fine line between big data mined with effective business intelligence tools and ‘data hoarding’ with no purpose.
When do businesses begin to collect masses of data without clear, specific business objectives, and with no strategy regarding the security consequences of this information?
Unfortunately, organised crime has also grasped the value of big data and is targeting companies with large repositories of personal data more and more regularly.
When POPI comes into place, data hoarding will be illegal in South Africa, because POPI requires that data is only processed for as long as there are clear and defined business purposes to do so. In addition, all security breaches will have to be reported directly to those data subjects that have been impacted and to the Regulator.
The new Act all but guarantees that more companies will end up with ‘egg on their faces’ very soon, never mind that businesses will need to appear in court to face criminal charges and civil claims.
Cool, first-to-market apps vs safe and secure systems?
The perception regarding applications is that they need only provide customers with proper functionality rather than providing secure operational excellence to users.
Operationally it seems that application developers tend to focus solely on the functionality of a system in order to respond to the baseline needs of the user community. A user-friendly system that is also ‘hip, cool, new’ is of the utmost importance.
Sadly, security is either an afterthought, or — even worse — it is totally absent in certain app systems.
In the development of many applications, even basic password security policies have been discarded. In addition, web application developers are often unaware of, for example, basic SQL injection protection practices, which form part of database security best practice.
Quite often the development of these systems is also outsourced to mid- or small-tier software development houses, with no formal service-level agreements (SLAs) in place to guarantee proper application system controls.
Even more concerning is how companies’ strategic business objectives normally demand a “first to market” approach, in order to capitalise on new business opportunities in the market and to increase competitiveness. This practice places more pressure on developers to deliver new applications faster, which usually results in horrendous effects regarding IT security, allowing for no time to research and invest in proper security controls.
This causes the classic conflict between security and availability, with availability taking priority because it directly responds to the needs of users by providing superior functionality: user-friendliness, accessibility, uptime and speed.
While business and IT strategy should not be formalised purely around compliance requirements, such as the pending POPI legislation, businesses need to consider paying greater attention to security best practice so that a proper balance between availability and security principles can be achieved.
The new POPI Act will certainly force companies to stop hoarding data while simultaneously ensuring that organisations start to pay greater attention to security best practices. Hopefully the Act will, for the first time in South Africa, assist us to strike a proper, strategic balance between availability and security principles.
What can companies do to minimise security incidents?
At an operational level:
- Developers need to become more skilled and technically aware of security issues and applications will have to be developed from a security perspective from the start – i.e. security risks must be part and parcel of the phase where business requirements and functionality are considered.
- More focus should be placed on the pre-testing of applications. The text-book approach should be enforced – proper testing should be done at different levels (i.e. the old, good practices of unit testing, integration testing etc.). Different levels also include different types of users – from developer testing right through to user interface testing.
- Very few companies perform quality assurance (QA) on source code. A separate QA function should be implemented in order to analyse and test source code logic. Research indicates that software could contain a logic error in nearly every 40 lines of source code.
- Businesses need to reinforce “negative testing”. Systems are normally tested to prove that they properly deliver the required business specifications to their users and handle valid user input. They must also be tested to “think and execute the unthinkable”: testers interact with the system in a seemingly invalid way in order to try and force it to act outside of its defined ways of dealing with user input. A system pushed outside its design framework can end up granting the user full access to the back-end.
- Especially when it comes to external web-facing applications, proper expert and manual penetration testing (“white hat hacking” or “ethical hacking”) must be performed by professionals on all web applications. In addition, Internet-facing systems should be monitored on a continuous basis by making use of different scanning tools.
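The article raises two of the points above only in passing: the basic SQL injection protection practices that developers are often unaware of, and “negative testing” that feeds a system seemingly invalid input to see whether it steps outside its design. The following Python example, added here and not code from the article or from any of the companies it names, puts both side by side on a constructed in-memory SQLite table that stands in for a card tracking lookup. The function names (`track_card_vulnerable`, `track_card_hardened`, `negative_test`, `passes_negative_tests`), the sample rows and the list of hostile inputs are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a tiny "card tracking" table of the kind a
# customer-facing lookup might query. Card numbers are made up.
SAMPLE_CARDS = [
    ("4000000000000001", "A. Customer", "dispatched"),
    ("4000000000000002", "B. Customer", "at branch"),
    ("4000000000000003", "C. Customer", "delivered"),
]


def build_db():
    """Create a fresh in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (card_number TEXT PRIMARY KEY, holder TEXT, status TEXT)"
    )
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?)", SAMPLE_CARDS)
    return conn


def track_card_vulnerable(conn, card_number):
    """The defect the article warns about: user input is pasted straight into SQL.

    Whatever the caller supplies becomes part of the statement, so a quote
    character changes the meaning of the WHERE clause instead of being data.
    """
    sql = "SELECT holder, status FROM cards WHERE card_number = '%s'" % card_number
    return conn.execute(sql).fetchall()


def track_card_hardened(conn, card_number):
    """Basic protection: allow-list the input shape, then bind it as a parameter.

    The driver sends the value separately from the statement text, so it can
    never be interpreted as SQL. The allow-list check is defence in depth.
    """
    if not (card_number.isdigit() and len(card_number) == 16):
        return []
    return conn.execute(
        "SELECT holder, status FROM cards WHERE card_number = ?", (card_number,)
    ).fetchall()


# Constructed "negative testing" inputs: each is something a legitimate card
# tracking form would never send, and a well-behaved lookup should return at
# most one row, and no error, for every one of them.
NEGATIVE_INPUTS = [
    "",                                      # empty field
    "'",                                     # a lone quote (breaks string-built SQL)
    "4000000000000001' OR '1'='1",           # textbook quote-and-tautology input
    "4000000000000001; DROP TABLE cards",    # statement separator in the value
    "x" * 10_000,                            # absurdly long input
]


def negative_test(lookup):
    """Run every hostile input through `lookup` on a fresh database.

    Returns a dict mapping each input to the number of rows it produced, or
    the string "error" if the database raised an exception.
    """
    results = {}
    for bad in NEGATIVE_INPUTS:
        conn = build_db()
        try:
            results[bad] = len(lookup(conn, bad))
        except sqlite3.Error:
            results[bad] = "error"
        finally:
            conn.close()
    return results


def passes_negative_tests(lookup):
    """True only if no hostile input errors out or returns more than one row."""
    return all(
        outcome != "error" and outcome <= 1
        for outcome in negative_test(lookup).values()
    )


if __name__ == "__main__":
    for name, fn in (("vulnerable", track_card_vulnerable),
                     ("hardened", track_card_hardened)):
        print(name, negative_test(fn), "passes:", passes_negative_tests(fn))
```

Running the block shows the two behaviours the article describes: the string-built query returns every row of the table for the tautology input and raises a database error for a lone quote, while the parameterised, allow-listed version returns at most one row for every input and never errors. The same `negative_test` harness can be pointed at any lookup function, which is the practical shape of the “negative testing” the operational list asks for.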
At a strategic level:
- Boards cannot afford to treat IT security as an operational issue anymore. IT strategy should be an integral part of business strategy. For example, big corporates need to incorporate cybercrime scenario planning into their regular strategic and risk assessment procedures.
- Business has to realise that although big data presents many benefits and business intelligence is important, huge data sets pose a security threat too. Big data increases a company’s risk of attack because organised crime also places a premium on big data. How can we protect data if we are hoarding it and cannot tell what data we possess in either structured or unstructured form? Hoarding makes it extremely difficult to identify and classify data assets according to data sensitivity and risk assessment schemes.
- SLAs with software vendor companies must enforce security arrangements.
Image: Tori Rector via Flickr.