Webinar summary: Implementing POPIA compliance and managing data protection risk using cyber risk quantification and automation best practices

Generative AI
CyberRisk
February 26, 2023

The Protection of Personal Information Act (POPIA) is a South African data protection law that regulates the processing of personal information by both public and private entities. POPIA aims to protect the privacy and personal information of individuals while promoting the responsible use of data by organizations. Recently, Anil Gandharve, Co-CEO of Alfahive Inc. hosted an interactive webinar session with our guest speakers Suren Naidoo, Group CISO, and Conrad Roos, Information Protection Officer at Foschini Retail Group (Pty) Ltd. They shared their expertise on the best practices for compliance with POPIA. In this blog, we will delve deeper into the key takeaways from the webinar, including the implications of POPIA on businesses in South Africa and the steps organizations can take to ensure compliance with the regulation.

Anil Gandharve :  My first question is to you, Suren. What is POPIA and how does it differ from the previous data protection standards?  

Suren Naidoo : POPIA, or the Protection of Personal Information Act, is a data privacy regulation that was fully enacted in South Africa on July 1st, 2021. It was enacted about three years after GDPR, which was brought about in May 2018. The essence of POPIA lies in its respect for other people's personal information, and it is mapped against the information lifecycle. One of the key principles of POPIA is accountability, which means that organizations must take full responsibility for managing personal information throughout its lifecycle, including that of customers, prospective customers, employees, and any other third-party personal information. To ensure compliance, organizations need to implement appropriate safeguards, and it is the responsibility of cybersecurity practitioners to advise and show that the organization undertakes risk assessments and implements appropriate safeguards.

Foschini Group is a fashion and lifestyle retailer that operates across multiple countries, including South Africa, the UK, Europe, Australia, New Zealand, and North America. With data privacy regulations like GDPR, Australian data privacy, and CCPA in California, Foschini Group takes responsibility and accountability for managing the personal information of customers, employees, and third parties. As data privacy regulations continue to emerge, Foschini Group remains vigilant in complying with them to protect personal information.

Anil Gandharve : Thank you, Suren. My next question is to you, Conrad. We know that the Foschini Group handles a large amount of personal information and protecting that information from unauthorized access and misuse is critical. Could you share some best practices that the Foschini Group has adopted to ensure strong access controls and data protection measures?

Conrad Roos : Organizations can ensure that personal information is properly classified and that data retention policies comply with POPIA's requirements by conducting an audit to understand where the data is stored and what type of data is collected, processed and who has access to it. Once the data landscape is understood, it is important to implement a data retention policy that outlines how personal information needs to be retained and securely destroyed or deleted. A retention schedule should also be established to address regulatory requirements. To ensure compliance with the policies, it is important to train and educate employees regularly and make them aware of the importance of data protection. It is also important to review and update policies periodically to ensure that they are up-to-date with any changes in legislation and best practices. Conducting periodic assessments can also help ensure that the policies are being executed properly. 

Implementing strong access controls and data protection measures is critical to safeguard personal information and preventing data breaches. Here are some effective strategies to consider :

  • Role-based access control: Implement a robust access control system based on the least privilege and need-to-know basis. This ensures that only authorized personnel have access to sensitive data.
  • Encryption: Encrypt sensitive personal information to prevent unauthorized access. Ensure that data is encrypted both at rest and in transit. This adds an additional layer of protection to the data.
  • Multi-factor authentication: Implement multi-factor authentication to ensure that only authorized personnel have access to data. This is becoming more common and is now mandatory in some compliance standards.
  • Data backups and disaster recovery: Regularly backup data and ensure that backups are tested and validated. This ensures that data can be recovered in the event of a breach or disaster.
  • Access monitoring and logging: Monitor access to data and log all relevant events. This helps to identify potential security threats and allows for prompt action to prevent data breaches.

Suren Naidoo : Another important strategy for implementing strong access controls and data protection measures to safeguard personal information is data leakage prevention. At Foschini Group, it is a big part of our approach to preventing data breaches. In addition to what Conrad mentioned earlier about logging events, it is crucial to have a clear understanding of your business processes and data flows. This information can then be used to develop specific use cases for your security monitoring. However, without the right visibility, you won't be able to detect and address potential security threats quickly. So having this capability is a critical part of our approach.

Anil Gandharve : Thank you for the detailed insight. My next question is to you Suren: Despite implementing robust data protection measures, data breaches can still occur, and it's essential for organizations to have a well-defined incident response plan. Could you share with us the steps for data breach response and incident plan improvement?

Suren Naidoo : To begin with, this is a broad and important topic that I am deeply passionate about and have dedicated the last six years to improving. The first step is to ensure proper visibility of your assets, which we will discuss in more detail later. My approach is to start small and gradually expand. However, this is a significant effort that involves significant changes to people and their behaviour, especially in large organizations, and therefore, managing this change is critical. When it comes to incident response, there are several frameworks available, and we have chosen one that focuses on four phases: preparedness, detection and analysis, containment and eradication, and recovery and post-incident review. The other important aspect is our non-traditional approach to SOC operations. We strive for actionable intelligence, which is why we call it a Security Intelligence Center. This has been our focus for at least seven years in my role at the Foschini group. Our team doesn't just receive information, but we actively respond to it.

After ensuring our internal readiness, we decided to expand our efforts and create a Crisis Management Framework that goes beyond the typical security incident response plan. It's a more comprehensive approach that covers every aspect of the crisis management lifecycle.  We have a decision tree to determine the escalation process. Each event is reviewed and assessed based on certain criteria. If it meets certain requirements, it becomes an incident, which could involve a violation of company policy or a breach. We conduct a risk quantification exercise to determine the impact of the incident on the organization. Based on that, we either manage and close off the incident or escalate it further if it's a breach that requires additional effort.

External factors can make incident management chaotic, with social media chatter and internal staff members bombarded with requests. This can cause business disruptions, and it becomes a massive issue for the organization. We use this decision chain to empower our teams, and we reinforce it by conducting crisis simulation exercises.

To increase awareness, we have educated our board members and conducted frequent crisis simulation exercises to highlight the complexities of cyber-attacks. Cyber-attacks involve not just technical aspects but also managing communication. For instance, one may face a double extortion attempt where the attackers demand payment while threatening to expose the data.

Our board had an eye-opening experience during the crisis simulation exercises. They had questions about whether or not to pay the ransom, but we realized that it depends on the situation and cannot be based on a policy alone. Therefore, we focused on situational readiness by starting internally and getting the team ready. We then broadened our focus to educate the senior decision-makers in the organization. Once that was done, we partnered with our business continuity management team and crisis team for a complete understanding, process management, and cooperation across the group. We conduct a number of exercises to test and validate our frameworks and processes. Building muscle memory is also essential in incident response and crisis management. We plan to conduct at least 24 cyber crisis exercises every year. This takes a lot of effort, but it's a worthwhile investment in being prepared. While there's been a lot of talk about zero trust, there should also be a push towards better preparedness and crisis management. This has been the biggest change in our approach to cybersecurity.

Anil Gandharve : Brilliant! I love it - the comprehensive Cyber security maturity framework and frequent crisis management simulation exercises are a great way to build the muscle memory of an organization as complex as yours. Suren, my next question is about Employee training. We know that employees are often the first line of defense against data breaches and ensuring that they are well-equipped with the knowledge and skills to protect personal information is critical. Could you share with us the best practices for employee training on personal information protection in the context of POPIA compliance?

Suren Naidoo : I always prioritize best practices, taking into account the context and culture of our organization. It's important to ensure alignment and change behavior, rather than simply conducting training. In the past, I worked for a consulting company where mandatory training was a bureaucratic requirement every quarter, and it felt punitive. There are two approaches to training and awareness: mandatory with consequences such as access restrictions or performance management, or a more purpose-driven approach that focuses on why training is necessary. I prefer the latter approach, where people understand the purpose and importance of training.

The crucial thing for me is to have a comprehensive and multi-faceted approach to training and awareness. It's crucial to understand the culture and context of our organization to ensure alignment, as it's not just about training, but also about changing people's behavior and attitudes towards privacy and security. Making training mandatory and punitive isn't effective, so we prefer to focus on the purpose and the "why" behind it.

Our approach includes using various platforms and tools, such as posters and campaigns like "See Something, Say Something," which encourages employees to report suspicious activity through channels like our "cyber smart" email address. We also use online resources, simulations, and phishing tests. More recently, we've implemented face-to-face interactions to discuss changing attitudes and beliefs towards privacy and security.

Ultimately, it's about creating a culture of behavioral change and ensuring that employees understand the importance of privacy and security. While I can't provide too much detail, I hope this gives you some insight into our approach.

Anil Gandharve : Thank you, Suren, for sharing the powerful 'See Something, Say Something' campaign. Now, Conrad, my next question is for you. As someone who works with several hundred third-party service providers, the responsibility of managing POPIA compliance and ensuring the protection of personal information falls on your shoulders. Could you share some effective strategies that you have implemented to manage third-party service providers? Working with third-party service providers can be challenging, and organizations must take necessary steps to mitigate potential risks. In the context of POPIA compliance, what are some of the challenges that businesses face when working with third-party service providers? Additionally, what effective strategies can organizations adopt to ensure accountability and reduce the risks associated with third-party service providers?

Conrad Roos : Working with third parties can be a complex issue for organizations since many rely on them to store personal information or profile data. As mentioned earlier, organizations remain liable for any data breach, even if it occurs at a third party. To address this challenge, we conduct due diligence exercises and risk assessments before engaging with a third party. We assess their security measures, privacy practices, and compliance with POPIA. We then include our privacy requirements in our service agreements or contracts with the third party, which they must agree to comply with. While these agreements may seem like tick boxes, they are important to ensure accountability and reduce the risks associated with third-party service providers.

Contracting is crucial, and regular monitoring of third parties' security posture over time is important, as their landscape changes as well. Some of our third parties have been with us for decades, so it's vital to ensure that the controls in place are still adequate and compliant.

In addition, incident response planning is critical, as breaches can occur at third parties. Therefore, it is essential to have clear communication channels in place for third parties to report incidents to us. It's crucial to have a clear process in place for incident response, including communication with the regulator. Employees should be aware of the importance of assessing third-party service providers before engaging with them, and they can contact the relevant teams for assistance with the risk assessment process. Ongoing monitoring is also essential to ensure that controls remain adequate and compliant.

Suren Naidoo : Additionally, I would like to emphasize that our journey towards managing third-party risks has been ongoing for several years now. In fact, back in 2017, we developed a framework specifically for managing cyber risks and privacy risks related to third-party providers. However, it's important to note that this journey is not an easy one, especially given the complexity of the organization and the varying perspectives on how to approach this issue.

One key starting point is to have a framework in place that can be used to align with key stakeholders within the organization. It's also important to have a maturity model in mind to ensure that objectives are being met. And finally, the key takeaway is to recognize that this is an ongoing process that requires continuous monitoring and assessment.

In my view, the approach was simple: establish a framework, get the processes and mindset right, and change the culture. Once you have achieved that, you can use platforms like Alfahive based on OPEN-FAIR risk quantification methodology. It was also important for us to move away from the previous qualitative methods and adopt a more quantitative approach. I believe it's necessary to use an industry-standard platform such as the Alfahive risk platform.


However, it's important to note that internal readiness is key before implementing any technology, as silos within the organization can hinder progress. In my experience, breaking down these silos and aligning objectives and processes can be a challenge, but it's necessary for successful third-party risk management. The process should also involve the enterprise risk management team, with the support of key stakeholders like Conrad. Overall, the level of complexity and the specific challenges faced will vary based on the organization's context.

Anil Gandharve : Suren, I have another question for you. How does cyber insurance fit into a comprehensive information security strategy? Specifically, how do you manage insurance coverage, policy limits, deductibles, and exclusions? What are the key factors that organizations should consider when selecting and purchasing cyber insurance?

Suren Naidoo: I am passionate about another subject, which is Cyber insurance. Over the years, I have encountered several issues with cyber insurance. When we first started getting cyber insurance, we received lengthy documents with many questions that seemed unnecessary. Also, the underwriting process for cyber insurance was not perfect at the time, and it has been evolving over the last seven years. Nonetheless, it all depends on the context.

As we have many entities, each one has to be addressed from a cyber insurance perspective, and it's not a one-size-fits-all approach. We have to go through a lengthy underwriting process, which involves engaging with the right business and technology leadership teams. We have a clear separation of concerns and duties, reporting directly to the board, which makes our jobs easier.

It's now becoming even more complex with stricter underwriting requirements due to the significant number of breaches and penalties in recent years. As a result, maintaining coverage limits has become more challenging. 

Naturally, deductibles appear to be increasing and there are several critical factors to consider. For example, log4j recently surfaced and revealed limitations in insurance coverage, and some insurance providers have specific requirements for coverage. Depending on the organization you are dealing with, the number of controls required may vary. Some require 12, while others require only eight. We opted for the maximum number. Some of the most important controls include having a security monitoring capability, instant response in crisis mode, privileged access management, and data leakage prevention, which is particularly challenging and disruptive to business. However, insurance providers are increasingly stringent in their requirements, and we must comply with them.

I believe the main issue with risk assessments is that they often lack context, and it can be challenging to provide this context when answering questions. To address this, we've been working closely with our broker to collaborate with the underwriters and unpack some of these issues. We discuss our approach to cybersecurity, our defense-in-depth strategy, and our compensating controls, as underwriters may not be experts in this area. It's important to educate them on our context and have a two-way exchange of information and awareness to ensure appropriate coverage. Without this conversation, we may receive proposals that don't suit our needs, resulting in increased premiums or inadequate coverage. Additionally, since we have multiple entities with unique contexts, we can't adopt a one-size-fits-all approach, adding further complexity to cyber insurance.

Anil Gandharve : Thank you, Suren. Your insights on managing the cyber insurance underwriting process were comprehensive and to the point. Before we move on to the final question, I would like to invite the audience to submit their questions in the chat or Q&A window. We will address them shortly.

Conrad, Monitoring and reporting can be a cumbersome and tedious exercise. How do you handle this in your context? I understand that you use risk quantification for risk estimation and for communicating with the board and business leaders. Can you share your thoughts on this?

Conrad Roos : Essentially, risk quantification involves assessing the likelihood and potential impact of a cyber threat or vulnerability and assigning a value to those risks. This process helps organizations, like ourselves, to identify and prioritize risks based on their potential financial impact.

By quantifying the risks, we are able to understand the potential severity of a security breach and make informed decisions about how best to address them. We can allocate resources based on the priority of the risks and ensure that we are taking the most effective actions to mitigate them.

Additionally, risk quantification allows us to measure and track progress in addressing the risks. By setting benchmarks and monitoring our progress against them, we can ensure that we are achieving compliance with relevant regulations and standards, as well as meeting any other business and risk reduction goals we might have.

Anil Gandharve : Thank you for shedding light on this, Conrad. At Alfahive, we recognize that managing cyber risks effectively requires a common language, and in today's world, there is no better language than money. By understanding risk in financial terms, we enable businesses, third-party partners, and security partners to comprehend and take action with a common understanding. That's why quantification is a foundational piece that ensures standardization and repeatability across the organization. 

One other point I wanted to share with the audience is our experience working with organizations across the globe that have liability towards POPIA and other frameworks like GDPR and CCPA. While there are specific requirements in different parts of the world, most data protection frameworks share similar elements such as data classification, retention policies, access control, and third-party risk management. With our risk automation platform, we can enable common, repeatable use cases from more mature frameworks like CCPA and GDPR that can be applied to POPIA. Our goal is to connect the dots and bring repeatability and automation through our platform to ensure faster time to value. This will help organizations understand the risk in financial terms and make decisions on which controls to prioritize across their enterprise and third-party ecosystem.

Anil Gandharve : It's been such an insightful conversation so far. There is one question from the audience about how you measure the adoption of the training and do you have champions within the business.


Suren Naidoo: As a security professional in a large organization, measuring coverage is a crucial aspect of our job. We want to ensure that everyone in the organization is protected against fraud and violence. To achieve this, we use platforms that are purpose-built for our specific needs, not just off-the-shelf solutions. We are currently developing a whole new platform that takes a new approach to security, and we're confident it will provide even better awareness.

In addition to coverage, we also pay close attention to phishing simulations to identify how susceptible people are to clicking on suspicious links. Our "see something, say something" campaign is another essential component of our security strategy. It encourages people to report any incidents they witness through various channels, including directing them to me.

To provide more context to our security monitoring, we use entity behavior to monitor and DLP to detect any attempts to share customer data. If we detect someone attempting to share data without encryption, we take immediate action to educate the team and prevent similar incidents from happening in the future. We work closely with business units, including HR, call centers, and financial services, to identify areas of high risk and support them in managing their risks effectively.

Our approach is not to burden people with cyber security responsibilities. Instead, we provide business owners and system owners with dashboards and tools to make informed decisions about their risks. It's our collective responsibility to ensure the organization is safe and secure, and we continuously work towards improving our security posture. Although we're not perfect, we're committed to this journey towards greater security awareness and education.

Anil Gandharve : The final question pertains to how the quantification process aided you in bridging the communication gap with the business, and what you have learned so far from this experience. Can you share any insights on this matter?

Suren Naidoo : Alfahive's platform has been crucial in enabling us to better quantify and contextualize the risk impact of data breaches within the Foschini Group. We have been using the Ponemon Data Breach Report to illustrate certain points, but Alfahive has automated the risk quantification process, providing us with more objective and meaningful discussions around risk management. This has been instrumental in improving our notification and articulation of risk to all stakeholders, ensuring that accountability is taken seriously. While there is still a lot of work to be done, we are moving in the right direction, thanks to the help of tools like Alfahive.

Anil Gandharve : Any other concluding thoughts?

Conrad Roos : In order to maintain a secure environment, consistency is key. It's important to keep chipping away at it, never letting your guard down. However, the journey to security is ongoing and continuous improvement is necessary. No one is perfect and we must utilize the tools, technologies, and people available to us to make the best of this journey. It's important to recognize that security is not a destination, but rather a journey that requires constant attention and improvement.

Suren Naidoo : As I reflect on my experience with managing risk, I believe that the most important thing is accountability. Risk management is a business concern and should be owned by the business, rather than legal or IT. In my opinion, platforms like Alfahive are incredibly helpful in quickly quantifying and contextualizing risks, while also making it scalable. By using these tools, we can have more meaningful and objective discussions about risk.

One of my biggest concerns is supply chain risk, but I believe that Alfahive can help us mitigate this risk. I also appreciate the partnership we have with Alfahive and the fact that they listen to our ideas and incorporate them into their product backlog. This engagement has allowed us to shape each other's thinking and approaches, and I believe that our journey with Alfahive has been a great one. Their thought leadership and best practices have been incredibly valuable to us.

Overall, I believe that managing risk is a journey, not a destination. We must continue to chip away at it and strive for continuous improvement. And with the help of tools like Alfahive and strong partnerships, I am confident that we can successfully manage risk and protect our business.


Anil Gandharve : Thank you, Suren and Conrad, for sharing such valuable insights during our conversation today. I found it incredibly informative and thought-provoking, and I hope everyone else on the call feels the same way. I look forward to the possibility of having another conversation with you in the future and learning even more from your experiences and expertise. In the meantime, take care of yourself and stay safe. Thank you again!