South African companies have responded admirably to the challenges of doing business in a pandemic with many accelerating their digital strategies and opening new channels for consumer engagement. Unfortunately, bad actors have also adapted exceedingly well, taking advantage of loopholes across different channels and using the opportunity to access poorly secured data. And, while business leaders have been focused on securing our transactional data, in the longer term, compromised personal information can result in just as much damage as a breached bank account.
According to a Microsoft report, global consumers use an average of between three and five customer service channels when engaging with a brand. Securing each channel in the most appropriate way, that doesn’t inject too much friction into the user journey, while still providing sufficient security – even for non-financial data – is a growing challenge for global businesses. As POPIA takes effect, this takes on an added complexity for local organisations.
“In South Africa, we don’t just have to secure our own information, companies must also ensure that they are monitoring their partners and conducting due diligence,” says Wessel Matthee, information security and compliance manager at Entersekt. “Unfortunately, around 90 to 95% of companies don’t conduct this due diligence, leaving them vulnerable should a breach occur. Even if it was a third party that was breached, the company whose personal information was compromised will still be held accountable. Simple username and password access protocols are no longer enough when it comes to protecting data, even non-financial data.”
While mobile network operators and financial service companies have applied authentication protocols for some time, when it comes to other sectors such as healthcare providers, this is often overlooked.
We love to share, and it’s costing us dearly
South Africans are friendly people. We love to share our triumphs and misfortunes and social media has given us the perfect platform to do this. The problem arises when we share information without thinking and that information falls into the wrong hands and is combined with data from compromised sites.
Matthee says, “We have to understand that non-financial data is also valuable and can be ‘weaponised’ by fraudsters. Many organisations rely on knowledge-based authentication like security questions for access to their systems. For example, if a customer calls their bank or insurance company, the company has to make sure they are talking to the actual customer. To confirm this, they usually ask security questions, like your address or date of birth. The same is often true for access to online systems. But much of that information is already out there – either on social media or via a breach, making it very easy for fraudsters to impersonate a legitimate customer.”
To mitigate this risk it is vital that we become a lot more circumspect about what we share on social media. But it is also vital that all companies which hold personal information, such as medical aids, hospitals, legal firms and others make use of appropriate authentication.
Matthee explains the one sector which is significantly at risk is telecommunications and MNOs in particular. This was highlighted recently in the chaos surrounding the T-Mobile breach where 40 million customers had personal information stolen.
“If you breach an MNO you have access to a multitude of valuable data. You have access to personal information, and you can steal payment information as well as security information. The fallout from this could be very costly,” he says.
Customers have lost trust and want more control
The spike in data breaches over recent years has given many customers reason to be mistrustful of how their information is stored and protected. In fact, research shows that consumers’ attitudes to a “friction-free” experience may be changing, and they would now prefer to verify transactions before funds leave their account. While this attitude is more prevalent with older customers, it is still a fairly contrarian position and shows just how guarded we have become when it comes to trusting brands to protect our data.
Matthee says the growing pressure to secure non-financial data, not only as a result of POPIA, but also due to the increasing expectations from the general public has resulted in a significant spike in interest in authentication solutions.
“We have seen a 50% spike in enquiries from non-financial companies in the last year,” says Matthee. “The healthcare sector, in particular, is waking up to just how at risk they could be if they can’t show they have taken all reasonable precautions to safeguard personal information. The need for excellent multi-factor authentication is even more important when companies begin participating in ecosystems and exchanging data with third parties. Passwords and knowledge-based questions will not cut it and companies found wanting will have a hard time trying to convince a judge they had done enough, should they be breached. Not to mention the catastrophic loss of trust from their customers, which in today’s world is a currency all of its own.”