In our previous newsletter, Challenging paradigms about the conventional working office – Part 1, we mentioned the five main concerns that our members say they have experienced during the lockdown and when transitioning to remote working. These are illustrated below:
In Part 1, we discussed practical suggestions and ideas that addressed two of the five main concerns, namely managing operational risks and communication ability. In this newsletter we look at ways to address a third concern, namely data and equipment security.
With employees working remotely, it is no surprise that data and equipment security has become a key concern. The risk of losing client information and the business’ intellectual property has increased significantly as access is now spread out and therefore less controlled. Should a data breach occur, it may result in extensive damages such as monetary costs to repair the damage to the infrastructure, lost productivity, the permanent loss of data as it may be destroyed and reputational damage for the business. According to research conducted by L. Monzon, published on the website of IT News Africa, through the course of one week this year, an average of 3.26 million cyberattacks occurred on a daily basis.
Click on the links below to download employee surveys that you can use to gain insight into your business’ position in terms of data breaches, and gain insight into day-to-day business operations to help you make more informed strategic decisions:
Considering the above, you need to ask yourself:
- Can my clients trust me to protect their information from cybercriminals?
- Is my business prepared and equipped to respond appropriately in the event of a cyberattack?
The tips provided in this newsletter are relevant when working from the office or remotely. However, at this stage we are dealing with concerns and solutions focused on working remotely as a substantial number of FSPs are still operating this way.
Protecting data and equipment
Even though employees might have a non-disclosure or confidentiality agreement in their employment contract, under the circumstances, it might be worthwhile to consider asking your employees to sign a fresh non-disclosure agreement and/or a confidentiality clause. It makes employees aware of the seriousness and importance of protecting this information even when not at the office, and it also holds them accountable.
Data protection, if not already a top priority, will soon become one given that the Protection of Personal Information Act, 4 of 2013 (POPIA) came into effect on 1 July 2020. Its purpose is to protect personal information in order to strike a balance between the right to privacy and the need for the free flow of access to information, and to regulate how personal information is processed. Although there is a 12-month grace period to comply with various sections, it is worth noting that section 22 of this Act imposes an obligation on the FSP (the responsible party) to ensure that personal information is secure, to prevent loss of, or damage to, personal information, and to have systems in place to mitigate the risk of a data breach or of personal information being compromised in some other way. This means that should, for example, a work laptop which contains client information be stolen, the Information Regulator must be informed, as this is considered a data breach. Other examples of a breach include unauthorised access to information via USB drives, mobile devices, an email account or a computer network. Non-compliance with the requirements of the POPIA may lead to the Regulator imposing an administrative fine or even imprisonment. For more information on the POPIA requirements, please click on this link to read the Mastering Compliance article dated 30 June 2020.
An additional security measure to minimise a possible internal data breach would be to implement policies which provide clear guidelines around the accessibility to data:
- The business could limit access to data to employees who require it to perform their duties, e.g. only grant access to the business’ payroll or security codes used for banking or the encryption of business information to those employees involved in these specific activities.
- Another worthwhile exercise to perform, if not already done, is to separate your data into different folders or sections e.g. data around product suppliers is stored separately from data relating to clients. Therefore, should an employee share data related to product suppliers via email and an unauthorised individual intercepts this communication, the exposure of data is limited, as not all data can be accessed in one place.
Sharing and removing access to data
Further to protecting data and equipment, the business should document instructions around sharing data. This can include a process for keeping a record of which employees have access to which data and the purpose for which they need that access. If access was requested telephonically due to employees working remotely, the conversation should be recorded. This can be done through your CRM system if it has this feature, or through a cell phone application, e.g. Call Recorder – Cube ACR, which can be downloaded via the Google Play Store. Please note that, due to various privacy laws, this application does not work on WhatsApp calls and is only available to Android users. iPhone users may make use of TapeACall, which can be downloaded from the Apple App Store, but this comes with a subscription fee. These applications are also useful for recording telephonic conversations with clients, which can help with the recordkeeping requirements set out in the FAIS General Code of Conduct. Where you do make recordings, be aware of your obligation to inform clients that calls will be recorded.
The legislation places a specific duty on FSPs to have appropriate procedures and systems in place to record verbal and written communications relating to a financial service rendered to a client. Once the purpose of employees’ access has been fulfilled, their access rights should be removed and any copies of the data in their possession must be returned. For example, if the information was stored on hard drives, these need to be returned. The employee’s laptop or computer should be scanned to confirm that the data, e.g. payroll information or stored passwords, has been removed. Further to this, the same person who granted access to the data needs to ensure that the access rights have been removed. We recommend that these confirmations be in writing.
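The access-record process described above (who has access to which data, for what purpose, who granted it, and written confirmation by that same person once access has been removed) can be kept as a simple register rather than in people's heads. The following Python is an added example and not code from the newsletter or from Masthead; the employee, dataset and Key Individual names in it are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class AccessGrant:
    """One record in the register: a single employee's access to one dataset."""
    employee: str
    dataset: str                        # e.g. "payroll" or "client records"
    purpose: str                        # why the access was needed
    granted_by: str                     # the person who approved the access
    granted_at: datetime
    revoked_at: Optional[datetime] = None
    data_returned: bool = False         # copies (hard drives etc.) handed back
    device_scanned: bool = False        # laptop checked for residual copies
    confirmed_by: Optional[str] = None  # written confirmation that access is gone


class AccessRegister:
    """Tracks grants, revocations and the granter's confirmation of removal."""

    def __init__(self) -> None:
        self.grants: List[AccessGrant] = []

    def grant(self, employee: str, dataset: str, purpose: str, granted_by: str) -> AccessGrant:
        g = AccessGrant(employee, dataset, purpose, granted_by, datetime.now(timezone.utc))
        self.grants.append(g)
        return g

    def revoke(self, grant: AccessGrant, data_returned: bool, device_scanned: bool) -> None:
        """Record that access rights were removed, and whether copies were returned
        and the employee's device was scanned for leftover data."""
        grant.revoked_at = datetime.now(timezone.utc)
        grant.data_returned = data_returned
        grant.device_scanned = device_scanned

    def confirm_removal(self, grant: AccessGrant, confirmed_by: str) -> None:
        """Only the person who originally granted access may confirm its removal,
        as the newsletter requires; confirmation before revocation is rejected."""
        if grant.revoked_at is None:
            raise ValueError("access has not been revoked yet")
        if confirmed_by != grant.granted_by:
            raise ValueError(f"removal must be confirmed by {grant.granted_by}, not {confirmed_by}")
        grant.confirmed_by = confirmed_by

    def who_has(self, dataset: str) -> List[str]:
        """Employees whose access to a dataset is still active."""
        return sorted({g.employee for g in self.grants
                       if g.dataset == dataset and g.revoked_at is None})

    def open_items(self) -> List[AccessGrant]:
        """Grants that still need action: active access, copies not returned,
        device not scanned, or removal not yet confirmed in writing."""
        return [g for g in self.grants
                if g.revoked_at is None or not g.data_returned
                or not g.device_scanned or g.confirmed_by is None]


if __name__ == "__main__":
    register = AccessRegister()
    # Constructed example: the Key Individual grants an administrator payroll access.
    g = register.grant("Thandi", "payroll", "month-end salary run", granted_by="KI-Sipho")
    print("active payroll access:", register.who_has("payroll"))
    register.revoke(g, data_returned=True, device_scanned=True)
    register.confirm_removal(g, "KI-Sipho")
    print("outstanding items:", len(register.open_items()))
```

The `open_items` report is the useful part for a periodic review: anything listed there is either access that should already have been removed or a removal that has not yet been confirmed by the person who granted it.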
Consider these processes to protect data and equipment
As mentioned earlier, stolen equipment may result in a breach of data, which in turn results in a contravention of the POPIA. We have therefore listed the following processes that could be considered for protecting your data and equipment:
- Lock any cupboards or drawers which contain confidential information.
- Lock the doors when leaving the workspace, if the workspace is in a room.
- Log out of laptops/computers or cloud storage applications when away from the workspace, especially if the workspace is somewhere central in your home e.g. the lounge.
- Ensure confidential documents sent as attachments via email or stored electronically are password-encrypted. When sending confidential information related to the client, many businesses encrypt this with the client’s ID number, requesting this as the password to open the attachment. Consider having a policy in place, shared with employees, on securing passwords. This can include tips on creating a secure password, e.g. a minimum length (8 to 12 characters long) and password complexity (letter case and special characters such as % or $). You could also have rules, for example, against repeating the same password across all devices or files and folders. In other words, avoid using the same password for banking details and payroll data. The policy should also include a rule which prohibits the sharing of passwords with anyone except the person appointed in charge of passwords – in the case of an FSP, this could be the Key Individual. We recommend the use of a password manager, e.g. Keeper, to keep track of the various passwords. Password managers usually require a subscription fee; the free versions normally have limited features. It is also good business practice to change your passwords when an employee leaves, especially the one in charge of managing the passwords.
- Lock the laptops/computers away in a cupboard or drawer away from windows when leaving them unattended.
- Depending on your arrangement with your employees, take out personal insurance on their office equipment.
- Double check that your business’ short-term insurance policy covers equipment used by employees when working from home.
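The password rules in the list above (minimum length, mixed letter case, special characters, and no reuse of the same password for banking and payroll) can be enforced automatically before a password is accepted. The Python below is an added example, not code from the newsletter or from any password manager it names. It checks a candidate against those rules and detects reuse across contexts by keeping only salted PBKDF2 hashes, never the passwords themselves; it also shows that a bare 13-digit number (the constructed, fictitious ID-style value in the comments) fails the newsletter's own complexity rules, which is worth knowing before relying on ID numbers to protect attachments.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

MIN_LENGTH = 8  # lower bound of the newsletter's suggested 8 to 12 character minimum
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")


def check_password_policy(password: str, min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character (e.g. % or $)")
    return problems


class PasswordRegistry:
    """Holds one salted hash per context (e.g. 'banking', 'payroll') so that
    reuse of a password across contexts can be detected without storing it."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[bytes, bytes]] = {}  # context -> (salt, digest)

    @classmethod
    def _digest(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def reused_in(self, password: str) -> List[str]:
        """Contexts whose stored hash matches this password (constant-time compare)."""
        return [ctx for ctx, (salt, digest) in self._entries.items()
                if hmac.compare_digest(self._digest(password, salt), digest)]

    def set_password(self, context: str, password: str) -> List[str]:
        """Accept the password for a context only if it passes the policy and is
        not already in use for a different context. Returns the violations found."""
        problems = check_password_policy(password)
        reused = [c for c in self.reused_in(password) if c != context]
        if reused:
            problems.append("already used for: " + ", ".join(sorted(reused)))
        if problems:
            return problems
        salt = os.urandom(16)
        self._entries[context] = (salt, self._digest(password, salt))
        return []


if __name__ == "__main__":
    registry = PasswordRegistry()
    print(registry.set_password("banking", "Tr0ub4dor&3"))      # [] -> accepted
    print(registry.set_password("payroll", "Tr0ub4dor&3"))      # reuse is refused
    # Constructed, fictitious 13-digit ID-style value: digits only, so it fails
    # the letter-case and special-character rules.
    print(check_password_policy("8001015009087"))
```

Because `set_password` returns the reasons for rejection rather than just a yes/no, the same function can back both a self-service check for employees and a compliance log of why a password was refused.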
As mentioned in Part 1, this is merely a starting point. As we can see, whether operating from the office or remotely, there are still certain core elements which need to remain intact, such as the protection of your clients’ personal information. This is particularly important at a time when cybercrime is on the rise. Therefore, as your business eases into a new ‘business as usual’, you may consider either revisiting existing policies and processes or creating additional ones which suit this new business environment. In doing so, it is important to keep in mind the recent final amendments to the General Code of Conduct and the Code of Conduct for FSPs conducting Short-term deposit business, some of which came into effect immediately and others which will come into effect in the next 6 – 12 months. We will discuss additional suggestions which address the remaining concerns in the newsletters to follow.
Protect yourself, staff, business and clients against cybercrime
To avoid becoming a victim of cybercrime, take the necessary steps and protect yourself, your business, staff and clients from potential cyberattacks.
Masthead’s Cybersecurity Online Course is designed to equip you with the know-how to protect yourself and your FSP from cybercrime on a day-to-day basis.