It’s been just over a couple of weeks since South Africa saw the biggest data leak in its history and it seems that a general malaise has set in.
This sounds nuts when one considers that the leak included the data of over 60 million South Africans, including 12.4 million minors. According to experts, the data included a frightening amount of information – ID numbers, physical addresses, estimated incomes, bond information, marital statuses and more. All of it packaged up quite neatly in a public server for any would-be identity thieves out there.
This should, by all accounts, be this is all pretty unnerving. Even more unnerving, however, was how South Africa absorbed this news with a collective shrug.
Unlike, for example, the Equifax hack, which dominated the news cycle overseas around the clock in the week it broke – and is still making headlines currently – the SA data leak has all but dropped out of local news. We at htxt.africa have even found an alarming number of people who have remained blissfully unaware of it.
South Africans should take note, however, in particular the business sector. In fact if there’s one silver lining one can take from this debacle, according to Henk Olivier, MD of Ozone Information Technology Solutions, this leak should make SMMEs especially concerned about the training of its staff in online best practice.
“It’s not like a leak of this type couldn’t happen at a small to medium business if the staff isn’t educated about data security,” he says.
“Managers need to take note of several approaches. First, they need to educate users on staff. Second, they need to make sure all security patches are up to date. They should also set up system to monitor and control the flow of data that’s leaving the office – either through the internet or through staff members leaving the office with devices such as laptops and smart devices.”
Olivier also says that businesses need to implement clear lines of communication and command through different branches. If something goes wrong, management needs to be able to ascertain how best to quickly plug the problem.
“One of the scariest things about the data leak,” he says, “is that, while a company has owned up to it, no one really knows who was responsible for it. We don’t know where in the chain the leak occurred.”
“Businesses need to be more aware of policies and procedures in order to manage and control the flow of that type of data. The thing is, if you have a clear spec of what happens with your data – whether its installing it, moving it to a new location or upgrading something in the system to secure it – you’re better placed to keep things under control.”
Olivier posits the theory that it could have been a lack of procedures that led to SA’s data leak in the first place. He says it’s entirely possible the data was placed in an open server as part of a data movement procedure, but best practice wasn’t in place to make sure it was moved to a secure server later.
“The chain of procedure is vital,” says Olivier. “You have to have an A, B, C situations where if the data flows between three parties, you can easily identify, at which part – or which person – the mistake occurred.”
Ultimately, he says, it’s not about having the best software or products to defend your networks. Managers need to ensure their staff are both aware in exterior online threats (phishing scams, social engineering and so forth and properly trained in internal procedures so that the flow of data is never compromised.
The chink in the security armour of most SMME-held data is its staff. Computers are only as smart as the people who use them, after all.