I often get asked what ‘appropriate security’ is for a particular business. Although this is a really important question, it is equally important that you ask the right person. The best way to think about this is to consider how the conversation would go in a court of law.
Judge: Mr Soap, you say that you have reasonable security measures as required by section 19 of the Protection of Personal Information Act?
Joe: Yes, milord.
Judge: And how do you know that your security measures are reasonable?
Joe: Well my attorney looked at the security measures and told me they were reasonable.
Judge: Ah I see. So, your attorney is an expert in security?
Joe: Well, no, he is an expert in the law.
Judge: So, you are saying that did not get a security expert to assess our security measures?
The point here is that you need to be sure that the person whose opinion you are asking is an expert in the right field. While an attorney can help you from a high level in assessing the security measures and controls put in place, you really need an IT security expert for IT security and a physical security expert for physical security (like door locks and access control systems).
Which brings me to the recent ‘WannaCry’ virus. This virus focussed on the Microsoft XP operating system – an operating system that Microsoft no longer supports (and Microsoft gave plenty of notice that it wouldn’t so this is no surprise). If you had upgraded to a more recent operating system and had the latest updates to your operating system the WannaCry virus would not be able to penetrate your security. This is basic stuff, and because it is so basic, you can almost certainly say that not upgrading your operating system meant that you did not have ‘reasonable’ security measures.
Of course, the knock-on effect of the WannaCry virus was that it encrypted your data and asked you pay in Bitcoin before it would decrypt the data. If you had the second aspect of your security in place – redundancy in the form of backups which are themselves not susceptible to the same virus – then this would be a minor irritation to you rather than a full-blown crisis. Once again not having this means your security measures were not ‘reasonable’.
Security isn’t simply a ‘nice to have’. It is a ‘must’, because the impact of security failing can quite literally close your business. A risk-based approach to security is essential before the security breach happens.
I will be speaking about how to react to a security breach at the Second Annual Privacy and Data Protection Conference which will be held at the Cape Town Convention Centre on the 28th November 2017. Please click here if you want to attend the conference.