POPIA DIY WEEK 5:
Electronic documents – protecting your records
This week is the second in our digital security series.
Although data loss is a breach of the POPIA, it’s the consequences of such a loss that are the biggest threat to your practice.
If you lose, or can’t access your data, your practice could grind to a halt. Think about it. How effectively would your practice be able to function if all your devices disappeared tomorrow or if you couldn’t access your files? What would happen if the issues took a long time to resolve? How would it affect your reputation?
- Phishing: Malware infection happens when users click on malicious email attachments or website links. It can lead to ransomware attacks and can give criminals access to sensitive information such as passwords, account numbers, and PI.
- Hacking: This is the exploitation of known vulnerabilities in internet connected servers and devices using widely available tools and techniques.
- A lack of contingency planning: Consider what will happen if the building burns down. Do you have off-site back-ups? Do you have a plan in case the lights go out? Many catastrophic data breaches and losses are not the result of criminal activity, but of a lack of planning. Remember what happened to Delta Airlines? This is called ‘business continuity management’ (BCM), and this is how you build a BCM programme.
SECURITY MEASURES YOU SHOULD IMPLEMENT TODAY TO PROTECT AGAINST THESE THREATS:
(If you get lost in here, don’t panic. Forward this list to your IT service provider and ask them to help.)
Let’s start off with a few basic steps:
- Don’t write your passwords on a piece of paper or in your diary. If you must write it down, keep it somewhere safe, locked away and preferably not at your office.
- Don’t share your password with anyone!
- Check whether your email addresses (and passwords) were compromised on https://haveibeenpwned.com. If you have a compromised password make sure to update it.
- Set your devices to automatically lock after three minutes.
- Make sure you have reliable back-ups in a different location.
For the rest, we suggest you pass these lists on to your IT service provider and get them to action it. Unless you’re an IT expert, of course!
Still with us? OK, let’s take it to the next level:
- Secure your data in the cloud. Use two-factor authentication, especially for remote access to your data.
- Use a cloud service hosted in the EU; its data protection and privacy regulations are the best.
- Don’t use out-of-date software or software no longer supported by the manufacturer (like Windows XP, or can you imagine, Windows 98!). Turn on software updates and make sure they are installed regularly (not every six months!).
- Only allow new software installations using the admin account.
- Install malware protection software on all devices exposed to the internet.
- Set up and configure a boundary firewall, internet gateway, or equivalent network device between your network of computers and the internet.
- Make a weekly backup of your email and your cloud-stored information to a hard drive, and either encrypt the backup or disconnect it from your computer and store it somewhere safe.
- Do not overwrite previous backups unless your backup disk is full.
- Test whether your backup works every three months.
- Make sure you store your email not only on your computer but also on a server (don’t use a POP3 email account).
Remember to keep adding to your GAPS sheet!
We know, it is a mouthful. We’ll shut up now … until next week.
COMPLIANCE TIP: Have a contract in place with your IT service provider (we’ll discuss operator contracts later) that includes a service level commitment and the performance of a security audit at least once a year.
Remember that you have a free one-hour consultation included with this programme!
Use it, and contact us if you have any questions about this week’s topic.