With data breaches costing companies millions every year (reaching an all-time high in 2021[1]) and regulatory non-compliance threatening executives with fines or jail time[2], it is no wonder that cyber incidents are ranked the number one risk to business in 2022[3].
To understand how to predict cyber threats, respond to them and minimise their business impact, companies are moving their focus from ad hoc cyber threat response to calculated cyber risk management.
Mission-critical topics such as data governance are a good case in point. Overseeing how data is protected and processed is crucial for South African organisations, especially financial services organisations that process highly confidential personal information.
Facing the POPIA Giant
When the enforcement date of South Africa’s data protection legislation, known as the Protection of Personal Information Act (POPIA), became known, a globally renowned financial services provider contacted AVeS Cyber Security to assist them with their POPIA compliance efforts.
AVeS Cyber Security’s background in IT governance and IT architecture, as well as its Gold Partner competencies in Microsoft Security and Cloud Platform, uniquely positioned the team to work alongside the client’s Risk and IT teams to fulfil their POPIA obligations.
Since the client’s board-level risk committee oversaw the project, the business goals were clear: minimise its cyber and regulatory risks by governing its confidential business data and continuing to enable its remote-working staff.
On a technical level, this meant identifying where the organisation’s data should reside and what technical controls they should put in place to protect the data’s confidentiality, integrity and availability.
Setting Clear Goals and Envisioning the Win
Since the organisation had an existing on-premises data centre investment, AVeS Cyber Security had to investigate which solution would be the most cost-effective: expand its current on-premises infrastructure with better data protection capabilities, or shift its data centre (either partially or entirely) to a Cloud-based platform with scalable data protection built in from the start.
“Our board made it clear that data governance was a strategic priority for the business. We had to consider all possible angles to arrive at a cost-effective answer from year one. The solution also needed to provide a solid, scalable foundation on which we could build the company’s medium-term data governance initiatives,” says Mohammed Dawood, IT Manager at the client.
AVeS Cyber Security compared the client’s existing infrastructure against their risk register to identify technical gaps and completed a cost analysis to evaluate which option – expand on-premises or migrate to the Cloud – would be the most cost-effective and allow for the most scalability and predictability in the medium term.
“Looking at an organisation’s current, technical data protection needs is one thing, but one has to allow the organisation to easily scale up or down as their business requires it. Although the minimum baseline was to ensure that the organisation meets its POPIA requirements now, the organisation also had to empower their staff to work more securely with data in the future,” says Bradley Adams, Infrastructure Sales Director at AVeS Cyber Security. “That is where we move from pure data protection to data governance and consider more than the technology involved: the key is to make process and people part of the solution. After all, successful data governance projects empower organisations to work efficiently and securely today and three years from now.”
With no on-premises data scanning tools, the client did not have a clear idea of what data they had stored where and how much of that data was “personally identifiable information”. Their workforce comprised both office and work-from-home staff, which meant that data was continually on the move and hosted in different locations.
The cost analysis revealed that the client’s best option was to rebuild its data centre in the Cloud and provide a safe space for employees to store and process business data wherever they were. The client decided to migrate all its data, in an unstructured format, to the Cloud to start controlling access to data as soon as possible, gaining visibility into how they use data for business purposes, and labelling data according to its level of sensitivity.
Due to the nature of the business, the organisation worked daily with massive amounts of special personal information and needed the technical security measures defined upfront and applied automatically to data sets to enable their workforce to work efficiently.
Creating the Roadmap
“When clients contact us to assist them to contain data breaches, we often find that their Cloud platforms’ security was lacking severely at the time of the breach. It is because people tend to treat Cloud security as an afterthought, thinking Cloud means out-of-the-box security. It is a general problem with data centre migrations to the Cloud.
“People do not close enough backdoors before migrating their data. Just like with any other platform, one should build fit-for-purpose security into the Cloud’s design from the get-go, not treat it as an afterthought. So, we knew what our first step was: Design a secure Cloud data centre,” says Adams.
In collaboration with the client’s Risk and IT teams, AVeS Cyber Security created a POPIA roadmap to the Cloud that identified the following:
- Which layers AVeS Cyber Security would build into the Cloud’s security design, as per security best practices, to protect data in the Cloud;
- What data to move to the Cloud;
- How to structure the platform’s licensing to be cost-effective and predictably scalable;
- How to best approach the data migration phase of the project, enabling business operations to continue running; and
- How to support the client’s IT team throughout the process.
AVeS Cyber Security also recommended that the client follow change management best practice to ensure a seamless transition for the organisation’s workforce. “Companies can greatly improve their projects’ return on investment and adoption among employees if they follow the guidance of change management best practices,” says Charl Ueckermann, Group CEO at AVeS Cyber International.
“We have seen technically brilliant projects achieve sub-optimal results when the people in the business are not included as part of the project. No one likes logging into their computers on a Monday morning and discovering that everything they knew on Friday has now changed.”
With the technical roadmap in place, AVeS Cyber Security set out to implement the safeguards required to help the client acquire a secure, data-governed Cloud data centre. Using Microsoft 365 and Microsoft Azure as the platforms of choice, AVeS Cyber Security could introduce various built-in security features in the newly built secure Cloud:
- Data and email protection tools like Azure Information Protection (AIP) to discover, classify, and protect documents and emails by applying labels to content;[4]
- Multi-factor authentication with Azure AD (Active Directory) to enforce identity and access management rules in real time and reduce the risk of breaches due to stolen passwords, all while feeling seamless to employees;[5] and
- Azure Sentinel, a Cloud-native SIEM (Security Information and Event Management) solution with built-in machine learning capabilities. Sentinel monitors how data is used, provides alerts and insights on security events, and provides task automation and orchestration to improve the IT team’s response time to incidents.[6]
“For us, the choice came down to the platform’s reliability (99.95% uptime[7]), flexibility (range of applications available to easily expand the platforms’ functionality), and scalability (compliance with various data governance regulations around the world). We now also have more predictability in our budgeting process.
“User-based costing means that we know exactly what our monthly or yearly spending will be based on how many people we employ, and who has access to which productivity features. In the past, we had to speculate how much data we would store in the next 12 to 36 months, and everyone had access to the same toolsets, irrespective of what they actually needed. Now, we can assign fit-for-purpose resources to high-risk staff, such as executives, when they need it,” says Dawood.
“With the Cloud data centre now up and running, the client has been able to make better data-driven decisions at board level to advance its data governance efforts across the business,” says Adams.
Ueckermann adds that other industries that deal with highly confidential data, such as medical and manufacturing, can also learn from this client’s data governance journey and apply key learnings to their own projects.
“This project demonstrates that data governance can be successful if it is led from the top. As the ultimate custodians of data governance, boards should step in to lead organisations through the multi-connected and hyper-regulated business landscape. Without this kind of risk-managing leadership, organisations will not be able to prevail against the cyber threats yet to come,” says Ueckermann.