Issues and concerns around cyber security are a persistent topic of conversation, and for very good reason, according to Marthinus Pretorius, Risk Management & Compliance Officer at e4, who says a little paranoia is healthy and even necessary when it comes to protecting valuable business information.
However, simply adding arbitrary security measures just because others are doing so may not be the best approach. “When we add cyber security measures, it is vital to ensure that the chosen solution is the right one, and is effective in preventing, or at least minimising vulnerability,” Pretorius explains.
Much of the discussion around cyber security centres on encryption, and under what circumstances files should be encrypted. “There are many ways to determine what to encrypt in business, but it is always best to assess the business reason to encrypt information. Just as important is the question of when not to encrypt. Adding broad encryption over all information can lead to loss in performance and spending more money on technologies than is needed.” Pretorius adds that consideration should be given to the purpose of the information in question, which legal requirements apply and whether the information has the potential to cause reputational damage to one’s own organisation or that of a client.
As for encryption on the cloud, it is imperative that due diligence is done to ensure that the prospective provider is certified for security and has a good reputation for being security conscious. “A secure provider will openly offer the measures they have taken to mitigate risk and will always be transparent about their current state of security,” Pretorius notes. “That said, extremely sensitive information should not be stored in the cloud without the highest level of security measures in place. It’s best to keep in mind that security is never absolute.”
For businesses looking to improve security and mitigate risk, the sheer number of various technologies and algorithms available can make choosing the right solution a daunting task. Pretorius says reputable security professionals will be fully up to date on which cyphers are weak, and which algorithms can be circumvented.
In addition to having the correct levels of encryption, once the POPI Act and its regulations come into effect, businesses will need to ensure compliance. “While POPI itself is not prescriptive in that it states encryption is a requirement, the Act does call for reasonable security measures. Again, it is important to choose what to encrypt to make sure all organisational security measures work in harmony.”
“Security is an ongoing, ever-changing field. Improve your measures at the appropriate levels for your business to balance the risks and make it work for you rather than just doing what the masses say,” concludes Pretorius.