People 'n' Issues
POPI a prompt for mobile security
Since the introduction of the POPI act, businesses have had to reevaluate the way they store and handle documentation. Now, with smartphones and tablets becoming viable work tools, companies have to factor in how these devices affect their compliance with the act, writes NADER HENEIN.
Over the past three decades legislatures across the world have been trying to update their legal systems to address growing concerns around how our private information is being used once handed over to companies in both the public and private sectors.
Looking back, this first began with an article published in the Harvard Law Review by two men who later became pillars of the US legal system, Warren and Brandeis. They wrote “The Right to Privacy” in December of 1890 protesting what was then “New Technology”: the printing press had birthed its first tabloid magazine and with it the lives and photographs of private citizens were laid bare for all to see.
Fast forward a century or so and the introduction of the Protection of Personal Information Act (POPI) is driven by the same motivation, the protection of personal customer information held by organizations.
Naturally this is prompting South African businesses to re-evaluate how they store and process customer information and mobile data is by no means exempt. Today smartphones and tablet allow us to retrieve, store and process custodial information in our day to day jobs to be able to better serve our customers, better compete and better generate revenue and with that comes the onus the treat this information responsibly and protect it from loss or theft. In the same way that a bank is held accountable to its customers for the money it stores, POPI aims to hold organizations accountable for the mismanagement of custodial information.
Because we tend to overlook mobility in enterprise as a company peripheral it has grown to represent one of the weakest potential points in many large organisations’ information security infrastructures. Enterprises need to strengthen their mobile security posture if they are to align themselves with POPI’s requirements. This means they need to put strong processes in place to prevent accidental or deliberate data leakages as well as to prevent malware infections.
Mobile devices are today central to business processes. Most large organisations have sales and service staff as well as executives in the field carrying a wealth of personally identifiable information about customers’ on their devices. These mobile devices can also often be used to access a range of customer data stored on company servers. Yet this area has not received enough attention from CIOs and IT managers as they rush to meet POPI’s demands.
In practice, this means organisations should make sure they have security frameworks and solutions that allow for end-to-end control over how data on mobile devices is managed at rest and in transit. These security procedures ideally need to be auditable so that the organisation can demonstrate compliance while critically not affecting the advantages that mobility brings. So in short, security and compliance should not come at the expense of the bottom line or the user experience for that matter.
The BlackBerry Enterprise Service 10 (BES10), an Enterprise Mobility Management (EMM) solution, ensures that data-in-transit and data-at-rest are both properly encrypted across all managed devices. Local encryption of all customer data (messages, address book entries, calendar entries, memos and tasks) is enforced via IT policy. Additionally, system administrators can create and send wireless commands to remotely delete information from lost or stolen devices.
For BlackBerry 10 devices, the integrated BlackBerry Balance technology keeps personal and work apps and information separate from work apps and content. The user can switch from their Personal Space to Work Space with a simple gesture. The Work Space is fully encrypted, managed and secured, so enterprises can protect critical content and applications, while allowing users to get the most out of their smartphone for their personal use through apps like Facebook and Twitter without ever impacting their regulatory compliance posture.
Mobile security that complies with POPI is going to be especially challenging for organisations who have embraced the “Bring Your Own Device” (BYOD) philosophy. The mix of devices in use in their workforces – many of them consumer smartphones and tablets not designed to enterprise security standards – makes such organisations vulnerable to loss or theft of customer data. With this in mind, companies with BYOD policies need to start looking to implement multiplatform MDM as a matter of urgency.
BES10 allows IT administrators to manage Android, iOS and BlackBerry devices through a single end-to-end platform and management console. And with BES12 coming at the end of the year, it will also manage Windows Phone making BlackBerry the only company who can provide customers the flexibility to choose between any of the popular policy models such as BYOD or Corporate Owned Personally Enabled (COPE).
For iOS and Android devices, Secure Work Space is a containerisation, application-wrapping and secure connectivity option that delivers a higher level of control and security, all managed through the single BES10 administration console. Work applications are secured and separated from personal apps and data, providing integrated email, calendar and contacts: an enterprise-level secure browser: plus secure attachment viewing and editing with Documents To Go.
Take time to develop and implement a formal EMM strategy for your organization, POPI has sharp teeth for enforcement – companies that do not meet its requirements face stiff penalties including large fines and reputational damage. At a more fundamental level we all have an almost integral responsibility to protect individual privacy and for many we do not need laws to point out what the Universal Declaration on Human Rights considers one of its pillars next to freedom and equality.
* Nader Henein, Regional Director, BlackBerry Product Security
* Follow Gadget on Twitter on @GadgetZA