
Phishing: Can you spot these common types?

On the cybercrime timeline, phishing dates back to the mid-1990s when hackers exploited one of the earliest internet service providers to steal passwords and credit card data from unsuspecting users. Technology has evolved significantly since then, but phishing remains a popular attack method because it’s specifically designed to take advantage of human nature.

What is phishing?

Phishing is the practice of using fake, fraudulent, or deceptive communication to lure or convince a targeted person (or group) to hand over sensitive information.

Cybercriminals pretend to be legitimate, trustworthy sources and contact their victims by email, phone, or SMS with the goal of acquiring anything from personal data and banking details to usernames and passwords.

The scammers then leverage the newly acquired information for their own illicit purposes, which may include identity theft, credit card fraud, or privileged account access, among other things.

Email phishing, spear phishing, whaling, smishing, and vishing are five common types of phishing attacks. Learn to recognise the warning signs so that you’re less likely to be fooled by a scam message.

#1 | Email phishing

Email phishing (also called deception phishing or deceptive phishing) is perhaps the most well-known type of phishing. In this kind of scam, attackers impersonate a real company, organisation, or group and send out mass emails to as many email addresses as they can find. This so-called “spray and pray” approach is a numbers game for the perpetrators, and even if they only hook a handful of victims, the attack may still prove worthwhile and lucrative.

How do they do it? The scam email message is intended to make you perform an action, like downloading an attachment or clicking on a link. Malware embedded inside the attachment is activated when you open the file, and the link destination is often a malicious website primed to steal your credentials or install nefarious code on your device.

Consider this example… You receive a legitimate-looking email from your streaming service, saying your account has been temporarily suspended because of unusual activity. You’re instructed to click on a link inside the email, to verify your account credentials. You expect to be directed to the streaming service’s login page, but the link actually takes you to a lookalike login page that harvests your username and password.

#2 | Spear phishing

Spear phishing takes the concept of email phishing and applies it to a specific individual or group. Instead of the bulk, generic communication associated with regular email phishing, spear phishing involves customised messaging for a selected target. As the name implies, spear phishing is a pointed attack, not a wide-net manoeuvre, and scammers will often leverage publicly available corporate collateral to fine-tune the elements of their email trap.

How do they do it? Detailed, personalised messaging is key to the success of any spear-phishing campaign – because the attackers have to make you, the recipient, trust them enough to do what is asked in the email. They may spend days or even weeks on research and information-gathering (from your company’s website, social media pages, and published reports) as part of their efforts to trick you into action.

Consider this example… You’re the accounting clerk responsible for processing vendor invoices. You receive an email from an unknown vendor, with a PDF invoice attached. The message is well-written and friendly. The email sender knows your name and is knowledgeable about your company; they even send their best wishes to your colleague, John, whose motorcycle accident was addressed in your company newsletter last week. You believe that the vendor is legitimate and open the attachment, which then delivers malware to your laptop.

#3 | Whaling

Whaling (also called whale phishing) is the term used to describe phishing attacks aimed at a company’s most senior, most connected, or most influential leaders – the whales. The chief executive officer, chief operating officer, chief financial officer, chief technology officer, and other senior managers are attractive targets because of their high-level access to company resources. With an executive’s login credentials in their possession, scammers may be able to transfer corporate funds, expose private data, or impersonate the target to disrupt or damage the business.

How do they do it? Like spear phishing, whaling requires a tailored approach. Cybercriminals may have to profile the chosen individual for months to gain sufficient insight into their personal and professional lives. But as soon as the phishers have enough information, they can create believable, persuasive messages to try to deceive their victims into downloading malicious files or visiting compromised websites.

Consider this example… A new email lands in your inbox – and it’s from a law firm. The subject line and the content of the message imply that your company is being sued for millions by a former employee. The preliminary paperwork is attached to the email. As the chief legal officer, it’s your responsibility to investigate – but you don’t realise that the attachment is tainted.

#4 | Smishing

Smishing (also called SMS phishing) uses a text message rather than an email message to conduct a phishing attack, but the rationale is the same: scammers want to fool you into clicking on a risky link, downloading a malicious application, or surrendering your personal information.

How do they do it? Digital fraudsters take advantage of the fact that you keep your smartphone within reach and probably read your text messages soon after they arrive. And, as with other phishing methods, deception is their key tool. By masquerading as bona fide businesses (like your supermarket) or trusted sources (like your bank), they can deliver compelling texts directly to you – quickly, easily, and more than once.

Consider this example… You receive an SMS offering 20% off your next clothing purchase. The offer appears to come from your favourite fashion outlet, and uses the same language and style (right down to the abbreviations and emojis) that you’ve seen from the store in the past. To receive the discount, which is only available to the first 100 customers, you need to click the link and claim your coupon code online. You don’t know that the link, when clicked, installs malware on your phone.
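The email and SMS scenarios above both turn on a deceptive link: the visible text or the sender's branding points to a service you trust, while the real destination is a lookalike domain. The following Python script is an added example (not code from the original article or from BUI) of the defender-side triage a mail gateway or awareness tool can run over a message before a user clicks. It extracts every link from an HTML email or a plain-text SMS, flags anchors whose displayed URL differs from the actual target, and flags registrable domains that imitate a protected brand. The protected brand domains, the sample email and the sample SMS are all constructed for the demonstration; the lookalike heuristics (brand name embedded in the domain label, or within two edits of it) are an assumption, not a product rule.

```python
"""Defender-side triage of links in a suspicious email or SMS.

Added example, not part of the original article. All domains and messages
below are constructed; PROTECTED_DOMAINS is an assumed allow-list of brands
the organisation wants to protect against impersonation.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of genuine brand domains (hypothetical, for the demo only).
PROTECTED_DOMAINS = ["streamflix.example", "fashionhub.example", "mybank.example"]

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample messages mirroring the two scenarios in the article.
SAMPLE_EMAIL = (
    "<p>Your StreamFlix account has been temporarily suspended.</p>"
    '<a href="https://streamflix-verify.example/login">'
    "https://streamflix.example/account</a> to verify your details. "
    '<a href="https://help.streamflix.example/faq">Help centre</a>'
)
SAMPLE_SMS = (
    "20% off at FashionHub! First 100 customers only: "
    "https://fashionhub-coupon.example/claim"
)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host, e.g. help.streamflix.example -> streamflix.example.
    Assumption: no multi-part public suffixes (co.uk etc.) in the sample data."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character swaps like streamf1ix."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` imitates, or None if genuine/unrelated."""
    for legit in PROTECTED_DOMAINS:
        if domain == legit:
            return None  # the real brand domain is not a lookalike
        brand, label = legit.split(".")[0], domain.split(".")[0]
        if brand in label and label != brand:  # e.g. streamflix-verify
            return legit
        if edit_distance(label, brand) <= 2:  # e.g. streamf1ix
            return legit
    return None


def extract_links(message, is_html):
    """HTML: (href, anchor text) pairs; plain text: every URL, text == href."""
    if is_html:
        parser = _LinkExtractor()
        parser.feed(message)
        return parser.links
    return [(url, url) for url in URL_RE.findall(message)]


def triage_links(message, is_html=True):
    """Return a list of {href, reasons} for every link that deserves a warning."""
    findings = []
    for href, text in extract_links(message, is_html):
        target = registrable_domain(urlparse(href).hostname or "")
        reasons = []
        shown = URL_RE.search(text)  # a URL displayed as the link text
        if shown:
            shown_domain = registrable_domain(urlparse(shown.group()).hostname or "")
            if shown_domain != target:
                reasons.append(f"visible URL {shown_domain} differs from target {target}")
        legit = lookalike_of(target)
        if legit:
            reasons.append(f"{target} looks like {legit}")
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL) + triage_links(SAMPLE_SMS, is_html=False):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Run as a script, it reports the suspended-account link (displayed domain differs from the target, and the target imitates the streaming brand) and the coupon link (lookalike of the fashion brand), while the genuine help-centre link passes. In production the registrable-domain step should use a public-suffix list and the brand list should come from the organisation's own inventory, but the structure of the check, compare what the user sees with where the link really goes, is the same.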

#5 | Vishing

Vishing (also called voice phishing or phone phishing) is when scammers call you directly – on your home landline, your work phone, or your cell – and try to make you give out personal or corporate information. Often, they will exploit annual trends and public concerns, or create a sense of panic that makes you feel compelled to comply with their requests.

How do they do it? The person making the fraudulent phone call may pretend to be a tax official who needs your company registration number for verification before refunding money to you. They may claim to be a health official calling to put you on the list for a COVID-19 vaccination. They may even claim to be a customer service agent from your bank, alerting you to suspicious withdrawals from your account. In every scenario, the phisher on the other end of the line will do their utmost to extract sensitive information from you.

Consider this example… You’re called by someone who claims to be from an insurance firm. They say that you’ve been named as a beneficiary in the estate of their deceased client, and you stand to receive a substantial sum of money if you can verify your identity in line with the facts in their possession. You may be asked for your full name, your ID number, your physical address, and your other phone numbers as the impersonator tricks you into providing confidential, high-value information over the phone.

These five types of phishing attacks are among the most prevalent, but they’re not the only ones used by cybercriminals. You need to be able to spot the tactics (and teach your teams to spot them, too) so that would-be phishers do not succeed when they target you and your staff.

Give your people a head start with security training.

Prepare your business teams for the dangers of cyberspace with comprehensive security training from BUI and Cyber Risk Aware.

Check out the on-demand webinar featuring our own Wayne Nel and Cyber Risk Aware CEO Stephen Burke to learn more.

Five questions to ask your leadership team before the POPIA grace period ends

South Africa’s Protection of Personal Information Act gives individuals more control over how their personal information is collected, processed, and used by private and public bodies. The Act requires such bodies (AKA responsible parties) to meet several minimum requirements for the lawful processing of data – and the grace period is almost over. From 1 July 2021, SA organisations must be compliant. Are you ready? Ask your leadership team these five questions to check that key areas of accountability have been addressed…

1 | Do we have a registered Information Officer?

As a responsible party, you are required to register your Information Officer with the Information Regulator by 1 July 2021.

You can do this online via the Information Officer Registration Portal on the Information Regulator’s website, where electronic and PDF versions of the registration form are available. The portal also contains relevant documentation, including guidance notes, official notices, and policies.

Remember, your Information Officer (IO) is the person responsible for making sure your organisation adheres to POPIA. They need to encourage and ensure your organisation’s compliance with POPIA, deal with any information access requests pursuant to the legislation, and work with the Information Regulator in relation to any investigations conducted in terms of POPIA.

They also need to see to it that an organisational compliance framework is developed, implemented, monitored and maintained, and that internal awareness sessions are conducted regarding the provisions of the Act, among other duties. The IO’s responsibilities are listed in Section 55 of POPIA and in the POPIA Regulations.

2 | Do we have adequate security measures in place?

As a responsible party, you are required to secure the integrity and confidentiality of personal information in your possession or under your control.

According to Section 19 of POPIA, this includes the implementation of “appropriate, reasonable technical and organisational measures” to prevent loss of, damage to, or unauthorised destruction of personal information.

Whether you manage personal data on paper or online, POPIA calls for you to identify all reasonably foreseeable internal and external risks to the data; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks.

In addition, POPIA decrees that you must have “due regard to generally accepted information security practices and procedures” which may apply to you generally, or which may be required in terms of specific industry or professional regulations (e.g., hospitals are expected to have strict security measures in place to protect the detailed, sensitive medical records of their patients).

3 | Do we know what to do in the event of a data breach?

As a responsible party, you are required to report security compromises to the Information Regulator and the data subject(s) involved as soon as reasonably possible.

Section 22 of POPIA describes the obligations of the responsible party when there are “reasonable grounds” to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person.

You should have a comprehensive incident response plan on hand to guide your actions in the event of a data breach, data leak, or cybersecurity incident. Make sure that your IO and key members of your leadership team follow a systematic process to identify the incident, respond appropriately, escalate where necessary, and communicate clearly in line with POPIA’s stipulations.

If you fail to notify data subjects in such circumstances, you could face imprisonment, fines, or both. Remember, you must notify affected parties in writing as soon as reasonably possible after the discovery of a security compromise.

4 | Do we have employee training initiatives in place?

As a responsible party, you should ensure that your employees are educated about basic information security protocols and procedures.

From your Human Resources Department, which handles sensitive staff info, to your employees themselves, who may manage personal data from customers, suppliers, and service providers, your teams have to deal with personal information on a regular basis.

Make sure everyone in your organisation is familiar with POPIA’s requirements – and that individual staff members, line managers, and department heads understand their duties and responsibilities when it comes to data processing, data management, and data security.

Educate your personnel about the collection, use, and storage of personal information under POPIA, and remember that they may need specialised training for new systems and new productivity tools deployed now, or in the future.

5 | Do we understand the risks of non-compliance?

As a responsible party, you could face hefty fines or imprisonment if you’re found to be in contravention of the law.

There are civil and criminal consequences for non-compliance with POPIA. Section 99 of the Act describes how a data subject (or the Information Regulator, at the request of a data subject) may institute civil action against a responsible party for breach of POPIA.

Offences, penalties, and administrative fines are outlined in Chapter 11 of the legislation. If you are convicted of an offence in terms of POPIA, you could be fined up to R10-million, or imprisoned for up to 10 years.

Non-compliance also poses a risk to your reputation: public trust in your organisation could be eroded overnight if you suffer a data breach, and serious brand damage could cripple your business irrevocably.

Get expert help for all your data security needs.

The BUI Cyber Security Operations Center is the first of its kind in Africa. Take a look inside to see how our security experts protect and defend critical data 365 days a year.

Or contact our team directly to learn more about next-generation security solutions to safeguard your personal information, customer files, and business resources.

What’s your plan for System Center 2019 EOS?

System Center 2019 – the latest version of Microsoft’s data-centre management and monitoring application – gives you the tools to govern data centres running Windows Server 2019 and enables hybrid management and oversight with Azure.

Released in March two years ago, the System Center 2019 product suite falls under Microsoft’s Fixed Lifecycle Policy. End of Support (EOS) dates for System Center 2019 Data Protection Manager, System Center 2019 Operations Manager, System Center 2019 Orchestrator, System Center 2019 Service Manager, and System Center 2019 Virtual Machine Manager are confirmed: Mainstream Support ends on 9 April 2024 and Extended Support ends five years later, on 9 April 2029.

Microsoft has outlined its road map for System Center 2019, and Update Rollups – with features, enhancements, and fixes – are currently being issued a few times a year.

Microsoft has also outlined its cloud-first strategy, and is increasingly investing in Azure to provide system management capabilities for Windows Server and Linux virtual machines and hosts. Inside Microsoft itself, System Center Operations Manager (SCOM) has been dropped in favour of an Azure service: the company uses Azure Monitor to address operations support for its own applications.

With the System Center 2019 EOS dates on the horizon in 2024 and 2029, you may not feel hard-pressed to re-evaluate your on-premises data centre immediately. But as you build out your business systems – to empower your teams for the new world of work and to drive your digital transformation initiatives – it’s important to invest in future-ready technology.

Here are some of the most compelling Azure resources to weigh as alternatives for your System Center 2019 toolkit.

Backup and disaster recovery with Azure

Two Azure services offer similar capabilities to System Center’s Data Protection Manager (SCDPM) and Virtual Machine Manager (SCVMM).

Azure Backup can back up your physical machines on-premises, virtual machines in Azure, or virtual machines running on hypervisors on-premises. Storage options include locally redundant, geo-redundant and zone-redundant storage for long-term data recoverability.

Azure Site Recovery enables multiple disaster recovery options for your entire site by replicating groups of virtual machines in these scenarios:

  • Enterprise to Enterprise (between your primary and secondary sites)
  • Enterprise to Azure (from on-premises to Azure virtual machines)
  • Azure to Azure (from Azure VMs in one region to Azure VMs in another region)

With Azure Backup and Azure Site Recovery, you can prepare for unplanned outages and be ready to respond and recover as quickly as possible.

Management and monitoring with Azure

The management and monitoring capabilities provided by Azure Automation, Azure Monitor, and Azure Arc-enabled servers are comparable to System Center’s Operations Manager (SCOM), Orchestrator (SCO), and Service Manager (SCSM) software.

Azure Automation allows you to automate, configure, and install updates across hybrid environments. By automating frequent and time-consuming management tasks, you can reduce operational errors and boost efficiency.

Azure Monitor collects and analyses telemetry data from on-premises and Azure environments to help you monitor your infrastructure, applications, and networks. With end-to-end visibility and deeper insights, you can quickly identify and resolve problems.

With Azure Arc-enabled servers, you can extend the Azure Resource Manager framework to allow for the creation of Azure resources for operating system environments (OSEs) hosted outside of Azure. In this way, on-premises servers can be managed via the Azure portal and other Azure tools.

With Azure Automation, Azure Monitor, and Azure Arc-enabled servers, you can leverage Azure’s scale and power for more comprehensive control and oversight.

Security with Azure

Azure Security Center offers security management, monitoring, and alerting capabilities to Windows and Linux virtual machines, including:

  • Management of Microsoft and third-party endpoint protection software on OSEs
  • Monitoring and notification of potentially malicious activity on OSEs
  • Threat intelligence and OSE misconfiguration warnings based on data gathered by Microsoft
  • Anomaly detection to highlight potential cyberattacks

Azure Defender can be integrated into Azure Security Center to offer additional capabilities. Azure Defender for Servers (applicable to physical servers and VMs) includes:

  • Management of just-in-time VM access to limit inbound traffic to Azure VMs except when requested and required
  • Analysis of network and application usage to help limit unwanted network traffic and application activity
  • System call alerts for Linux servers

With Azure Security Center and Azure Defender, you can manage and secure your Windows and Linux VMs, and improve your overall security posture.

Migrate to modernise

Microsoft will end Mainstream Support for System Center 2019 in less than three years. And in 2029, Extended Support for the suite will cease, too. We expect forthcoming updates and any additional features to focus on improving on-premises capabilities and further integrating System Center with Azure’s range of services.

If you plan to keep using System Center 2019, then be sure to bookmark these online resources to stay up to date with developments and announcements:

And if you want to explore your options for cloud-powered transformation, or data-centre migration to Azure, then book a workshop with us:

We can help you design a migration strategy, create a road map for implementation, and guide you and your teams through a seamless and secure Azure migration process. Get in touch to learn more.

Get maximum value from your Azure investment.

As a Gold Microsoft Partner and Microsoft Azure Expert MSP, we’re able to deliver innovative cloud solutions that work for you.

Take a look at our customer success stories to see how we’ve transformed enterprises in South Africa and around the world.

BUI to participate in first Identity Management Day

BUI is pleased to announce that it will participate in the first Identity Management Day, an annual awareness event that will take place on the second Tuesday in April every year. The inaugural Identity Management Day will be held on 13 April 2021.

Founded by the Identity Defined Security Alliance (IDSA), the mission of Identity Management Day is to educate business leaders and IT decision-makers on the importance of identity management and key components including governance, identity-centric security best practices, processes, and technology, with a special focus on the dangers of not properly securing identities and access credentials.

In addition, the National Cyber Security Alliance (NCSA) will provide guidance for consumers, to ensure that their online identities are better protected through security awareness, best practices, and readily available technologies.

“Raising awareness around identity management is especially critical after a barrage of identity-based breaches made headlines in the past year,” said Julie Smith, the executive director of the IDSA. “In fact, research by the IDSA reveals that 79 percent of organisations have experienced an identity-related breach in the last two years, and 99 percent believe their identity-related breaches were preventable.”

Smith continued: “Compounding this, the ongoing pandemic has accelerated digital transformation initiatives that support changes in how we work and how we live day-to-day, putting organisations at greater risk. Our hope is that Identity Management Day will result in higher prioritisation of identity security and, as a result, fewer data breaches in 2021 and beyond. We are grateful for all of the support from the IDSA and NCSA member companies, and the broader industry, to further this mission.”

BUI is proud to be an Identity Management Day Champion Organisation alongside leading technology companies from around the world. “It’s imperative for businesses to have identity and access management strategies that can stand up to the modern threat landscape,” said BUI Managing Director Ryan Roseveare. “Identity Management Day is an opportunity to put your own IAM policies under the microscope, to improve them where necessary, and to educate your teams about the importance of identity security.”

To support Identity Management Day on 13 April, BUI will share identity and security resources (including how-to tips and tutorials) on its Facebook, LinkedIn, and Twitter pages.

Learn more about Identity Management Day on the official website, or check out the #IDMgmtDay and #BeIdentitySmart hashtags on social media.

Be proactive about your digital identity today and every day.

BUI is a Microsoft Azure Expert MSP with advanced specializations in Identity and Access Management, Threat Protection, and more.

Let’s talk about cloud-powered, intelligence-driven IAM solutions for your business. Contact our specialists to arrange a consultation.

BUI attains Windows Server and SQL Server Migration to Microsoft Azure Advanced Specialization

We are excited to announce that we have earned the Windows Server and SQL Server Migration to Microsoft Azure Advanced Specialization in recognition of our deep knowledge, extensive experience, and expertise in migrating Windows Server and SQL Server-based workloads to Azure.

Only Microsoft Partners that meet stringent criteria around customer success and staff skilling, as well as pass a third-party audit of their migration practices, are able to earn the Windows Server and SQL Server Migration to Microsoft Azure Advanced Specialization.

As companies look to modernise their applications and take full advantage of the benefits that cloud computing can deliver, and with the recent end-of-support for Windows Server 2008 R2 and SQL Server 2008 R2, they are looking for a partner with advanced skills to assess, plan, and migrate their existing workloads to the cloud.

“This is the fifth advanced specialization we have attained since September last year, and it complements our existing capabilities in Adoption and Change Management, Identity and Access Management, Threat Protection, and Windows Virtual Desktop,” says BUI Managing Director Ryan Roseveare.

“As more and more businesses turn to the cloud for productivity, security and scalability, we’re seeing an increased demand for expert technical advice and collaborative engagements. We are committed to giving customers the best service and the most innovative solutions to help them not only migrate with confidence, but also achieve their business objectives as quickly and efficiently as possible,” Roseveare explains.

Lionel Moyal, Commercial Partner Director at Microsoft South Africa, adds: “The Windows Server and SQL Server Migration to Microsoft Azure Advanced Specialization highlights the partners who can be viewed as most capable when it comes to migrating Windows-based workloads over to Azure. BUI clearly demonstrated that they have both the skills and the experience to offer clients a path to successful migration so that they can start enjoying the benefits of being in the cloud. I applaud BUI for this achievement. It further underscores their continuing efforts to deliver the highest levels of customer service and support in a rapidly changing world of work.”

BUI offers a two-week-long Data Centre Migration to Azure workshop for customers looking to transform their business operations with cloud technology. The workshop includes a cloud readiness assessment, a detailed road map for cloud implementation, Azure architecture fundamentals, a migration plan, and a migration execution proposal. Learn more on Azure Marketplace, or contact our team today.

Need a trusted partner to help you migrate to the cloud?

BUI is a Microsoft Azure Expert Managed Services Provider and a member of the Microsoft Intelligent Security Association.

Let’s talk about cloud-powered productivity and security solutions customised for your business requirements.

BUI acquires M2M Systems in Kenya

BUI is growing! We’re pleased to announce that we’ve acquired M2M Systems, an award-winning cloud solutions provider and fellow Microsoft Partner organisation based in Nairobi, Kenya.

M2M Systems specialises in digital transformation for small and medium-sized enterprises, through Microsoft Azure and Microsoft 365. Founded in 2013, the company has helped more than 100 businesses in Kenya and the wider East African region to communicate, collaborate, and connect with customers using the power of cloud technology.

Ryan Roseveare, our Managing Director, is excited to build on the foundations that have supported M2M Systems’ success. “For BUI, this acquisition represents much more than a business expansion: it’s an opportunity to accelerate cloud adoption and digital transformation in Kenya by bringing the expertise we’ve gained through Microsoft’s global programmes to a dynamic regional market where the cloud is actively embraced as a driver of business efficiency and scalability,” he says.

As a Microsoft Azure Expert MSP and a member of the Microsoft Intelligent Security Association, BUI’s Microsoft roots run deep. “We’re thrilled that M2M Systems has a team of technologists who share not only our enthusiasm for Microsoft Azure, but also our commitment to innovation and customer-centric service delivery,” adds Roseveare.

Increasing capacity, fuelling growth

Justin Colin, our Business Development Manager, is working alongside M2M Systems during the transition period. “M2M Systems has an excellent track record of cloud engagements and a loyal customer base that spans Kenya’s financial services industry, legal sector, and transportation sector. In the coming months, we’ll focus on increasing staff capacity and creating a broader solution portfolio to meet the evolving needs of the local and regional markets,” he says, adding that the BUI Cyber Security Operations Center, the Nettprotect vulnerability scanning service, and the a2zManaged cloud management service will be important augmentations.

M2M Systems Managing Partner Clare Mungai, one of Kenya’s leading women in technology, says the demand for reliable, scalable, and secure productivity solutions is higher than ever. “In the past seven years, we’ve witnessed the steady growth of cloud adoption in Kenya, but last year’s shift to remote work put that growth into overdrive. Customers are looking to harness the full spectrum of cloud services, and BUI brings a wealth of Azure, security, and networking expertise to complement our existing Microsoft strengths. I have no doubt that this fusion of talent and vision will unlock new possibilities, here and across East Africa. I look forward to welcoming BUI to Nairobi, and working together to support customers throughout their digital transformation journeys.”

Roseveare is equally positive. “With an established base in Kenya and a highly skilled team of cloud specialists, we’ll be able to extend our reach and deliver customised, locally relevant solutions to help organisations become more productive, more competitive, and more secure,” he concludes.

Connect with us on social media for more news and industry updates…

Follow BUI on Facebook, LinkedIn and Twitter for helpful tech tips and tutorials from our team.

And sign up for our free security webinars in March to get useful insights from our pros in 15 minutes.

BUI earns fourth advanced specialization from Microsoft

We’re proud to announce that we’ve earned the Threat Protection Advanced Specialization from Microsoft in recognition of our proven success in deploying Microsoft Threat Protection, Microsoft Cloud App Security, and Azure Sentinel workloads.

The Threat Protection Advanced Specialization is the fourth such Microsoft accreditation that our company has earned in recent months: BUI also holds advanced specializations in Adoption and Change Management, Windows Virtual Desktop, and Identity and Access Management.

“Security has always been a core focus area for us,” explains Chief Technology Officer Willem Malan. “We strive to give customers the best technology, the most comprehensive guidance, and the most innovative solutions to help them protect their digital estates from evolving threats. The Threat Protection Advanced Specialization is not only an acknowledgement of our premier technical capabilities, but also an indication of our commitment to value-driven service,” he says.

As cyberattacks become more sophisticated and more frequent worldwide, it is imperative for customers to be proactive about security, continues Malan. “To safeguard your business effectively, you need the right expertise and the right resources. BUI specialists are already leveraging next-generation tools for threat detection, investigation, and remediation to provide holistic security services to customers. Beyond that, we are actively expanding our range of Microsoft competencies and pursuing new opportunities to deliver even greater support to businesses that are adapting to remote-work and hybrid-work scenarios in the pandemic era,” he adds.

BUI was the first South African company to achieve Microsoft Azure Expert Managed Services Provider status, and joined the Microsoft Intelligent Security Association (MISA) last year. Top-tier cloud and security skills, as well as collaboration within the wider cybersecurity industry, enable us to better serve our own customers, states Malan.

“Advanced specializations, including our latest one in threat protection, position us to deliver relevant, cutting-edge solutions for complex workplaces. And industry associations, like MISA, provide us with important insights into global security trends. As security advisors and partners, we are making sure that our customers receive unrivalled service and support at every stage of their journey with us,” he says.

Malan describes Azure Sentinel, Microsoft’s cloud-native security information and event management platform, as a crucial part of the modern security stack. “It’s an incredibly powerful tool for continuous, real-time visibility across the IT ecosystem. And it’s a single pane of glass that brings structure and simplicity to security operations. Our customer deployments have been very successful, and the results speak for themselves: reduced risk exposure and faster threat detection and response,” he explains.


As business organisations search for scalable, cost-effective ways to protect their networks, servers, endpoints, databases, applications, and users from cyberthreats, Malan believes two factors will determine the technology partners they choose: reputation and expertise. “We have a longstanding and award-winning relationship with Microsoft, and customers trust us to deliver the right solutions for their needs. For more than two decades, we’ve helped enterprises to design, deploy, and manage their IT assets securely. We’re excited to continue this tradition as we engage with customers who want to protect and defend their critical systems and data,” he concludes.

Learn how to protect your business from evolving threats.

Register for our 15-minute security webinars this March and get relevant advice and tips from our specialists.

Browse through our webinar topics and register to secure your spot. It’s quick, easy, and free! Just sign up, and show up.

POPIA compliance? Make technology work for you

With only five months until the grace period for POPIA compliance comes to an end, our Chief Technology Officer Willem Malan, Cloud Security Architect Neil du Plessis, and Modern Workplace Architect Pieter Neethling explore the challenges before South African organisations, and the technological solutions available to address them.

South Africa’s Protection of Personal Information Act (POPIA) is designed to ensure that private, public, and governmental organisations behave lawfully and responsibly when processing personal information. Signed into law on 19 November 2013 by then-president Jacob Zuma, and gazetted on 26 November 2013, POPIA is a key piece of privacy legislation.

Certain sections of the Act became effective on 11 April 2014, and last year, President Cyril Ramaphosa announced commencement dates for the others. There is a 12-month grace period for compliance with the sections of POPIA that commenced on 1 July 2020, meaning organisations have until 30 June 2021 to put the appropriate measures in place.

“Right now, POPIA compliance should be at the top of the to-do list for every business,” says Willem Malan, our Chief Technology Officer. “And it’s absolutely critical if you haven’t yet begun, because the journey towards compliance is not simply a box-ticking exercise. POPIA requires a fundamental shift in terms of how you deal with personal information, and for many enterprises, that will involve a deep dive into their methods of gathering, processing, and safeguarding data,” he explains.

The challenges of preparing for POPIA

By October 2020, around 30% of South African organisations considered themselves well-prepared to meet their compliance obligations under POPIA, according to a local survey. Simultaneously, 39% said they were partly ready, while 14% had only just started planning, and 8% had not conducted any preparations at all. The disparity is striking, but perhaps not surprising, observes Malan. “For years, there’s been a general awareness about POPIA. It certainly has been one of the most talked-about governance issues in the corporate sphere. But there’s a gulf between acknowledgement and action, and I think that has been a stumbling block for business teams.”

Without prescriptive guidance from the Information Regulator, stakeholders have had to figure out their own POPIA road maps, continues Malan. “They’ve had to get to grips with the law and its specific requirements, before crafting their compliance strategies. That was a significant challenge prior to the coronavirus pandemic, given the time and resources needed. And it’s an even more daunting task now, when organisations are recovering from the impact of the COVID-19 lockdowns, and recalibrating for the new world of work. Considering the extraordinary circumstances of 2020, it’s no wonder only about a third of businesses felt on track to achieve POPIA readiness in time,” he adds.

Neil du Plessis, our Cloud Security Architect, notes that POPIA’s incremental rollout may have dampened the sense of urgency initially seen in boardrooms. “When the Act was promulgated in 2013, it was a wake-up call for everyone. Conversations quickly turned towards compliance, and organisations began to formulate their policies and procedures. But as the years went by without official time frames for POPIA implementation, there seemed to be a loss of momentum at the corporate level. In the absence of concrete deadlines, the impetus for swift, comprehensive action appeared to fade. And now, many businesses are under pressure to expedite their POPIA programmes to meet the mid-year target.”

As the countdown intensifies, organisations also have to make sure that the compliance process is driven forward successfully. POPIA’s diverse requirements necessitate a multi-disciplinary approach, says Du Plessis. “From technical controls to record-keeping measures, the Act outlines parameters for lawful data-handling. Compliance, however, is not exclusively an IT issue or a human resources issue to address, and it cannot be delegated to a single department. POPIA has business-wide implications, and the business response should reflect that,” he says.

Malan agrees. “Data protection is a critical obligation, and businesses cannot outsource their accountability. They are responsible for their own compliance. And they have to answer for how they collect and use personal information. It’s important to look at the enterprise holistically, and to plan and monitor efforts in line with POPIA. It also makes sense to leverage available technology to streamline the process,” he says.

Cloud-powered technology at your fingertips

Microsoft Compliance Manager, a relatively new feature in the Microsoft 365 compliance centre, is already being embraced by BUI customers. “It’s such an intuitive, user-friendly platform,” remarks Pieter Neethling, our Modern Workplace Architect. With pre-built assessments for common information security standards like ISO 27001:2013 and custom assessments for POPIA and similar laws, it’s simpler to benchmark and monitor compliance status, as far as it relates to the use of Microsoft cloud services on Microsoft 365 or Azure Active Directory.

“With Compliance Manager’s centralised dashboard, you can perform real-time assessments of your estate, and get the detailed insights you need to strengthen your compliance capabilities,” continues Neethling. “That level of visibility – combined with step-by-step guidance to address shortcomings, and tools to record and track progress – makes Compliance Manager a robust solution for customers,” he says.

The platform also serves as an evidence repository for supporting documentation, and enables project teams to organise and unify their compliance initiatives. “You can drill down to view and manage individual tasks, evaluate progress, generate audit-ready status reports, and understand your overall compliance posture at a glance. The functionality is right there, at your fingertips,” explains Neethling.

Du Plessis adds that Compliance Manager brings order and scalability to organisational compliance efforts. “It can be overwhelming when you’re confronted with large environments of users, devices, and applications to assess, but Compliance Manager removes the burden by categorising and prioritising required actions. The assessments can be mapped and scaled for your particular business needs to help you manage compliance proactively and efficiently,” he says.

The Protection of Personal Information Act is clear about the costs of non-compliance: fines of up to R10-million. While the financial penalties are substantial, Malan believes there’s a greater cost for businesses that fail to comply with POPIA. “Organisations that do not take data privacy and data security seriously tend to suffer the consequences, sooner or later,” he argues. “And those consequences are usually very public and very damaging – sometimes irreparably so. In many cases, the cost of compliance paled in comparison to the cost of the resultant business disruption and reputational harm.”

Making sure that your enterprise is POPIA compliant is not only good business practice, but good for business too, continues Malan. “If you haven’t yet focused on your POPIA journey, then now’s the time to put in the necessary attention and effort. Now’s the time to get your internal systems, policies, and processes organised. Because as soon as you have that framework in place, you can concentrate on implementing the technological controls. And that’s fairly straightforward to accomplish, with practical help from a trusted partner,” he concludes.

Let’s make technology work for your business.

From improving cybersecurity to enabling collaboration and migrating to the cloud, we’ve helped customers make the most of technology.

Let’s talk about customised solutions to help you solve your POPIA compliance challenges more efficiently. Contact us today.

BUI supports Data Privacy Day awareness initiative

BUI is pleased to support Data Privacy Day as a Champion Organisation alongside private, public, non-profit, and government organisations from around the world. Data Privacy Day is held annually on the 28th of January, and is co-ordinated by the National Cyber Security Alliance (NCSA). It’s a worldwide effort that generates awareness about the importance of privacy, and highlights simple ways to protect personal information.

This year, the NCSA is encouraging individuals to own their privacy by learning more about how to protect the valuable data that is online. The NCSA is also encouraging businesses to respect privacy by keeping individuals’ personal information safe from unauthorised access and ensuring fair, relevant, and legitimate data collection and processing.

According to a Pew Research Center study, 79% of US adults are concerned about the way their data is used by companies. A Cisco survey found that 84% of consumers want more control over how their data is used. And Akamai investigations revealed that 39% of consumers are likely to walk away from a company that requires them to provide highly sensitive data in order to do business.

As technology evolves and the coronavirus pandemic continues to influence how consumers interact with businesses online, data collection practices are firmly in focus. The NCSA has offered up the following advice to help individuals and businesses become more #PrivacyAware.

NCSA privacy tips for individuals:

Protect your personal information. Personal information, such as your purchase history, IP address, and location, is valuable and can be exploited. Think carefully about the type of information you’re prepared to share, and with whom.

Keep tabs on your apps. Many apps ask for access to personal information, such as your contacts list and photos, before you can use them. Be wary of applications that require access to data which is not relevant to the service offered.

Manage your privacy settings. Check the privacy and security settings on web services and apps, and set them to your comfort level for information-sharing. The devices, apps, and browsers you use will have different features to help you maintain control.

NCSA privacy tips for businesses:

If you collect it, protect it. Make sure the personal information you gather from consumers is collected for relevant, legitimate purposes, and processed responsibly in accordance with applicable laws. Data breaches can cause financial and reputational damage to your business.

Adopt a privacy framework. Build privacy into your business by researching and adopting a privacy framework to help you manage risk and create a culture of awareness in your organisation. Educate staff to empower them to protect personal information.

Build trust through transparency. Be open and honest about how you collect, process, and manage consumers’ personal information. Be clear about the steps your organisation takes to achieve and maintain privacy in line with legislation.

Follow BUI on LinkedIn, Facebook, and Twitter for more data privacy tips, or contact our specialists directly to explore data-management solutions for your business.

Managed security for the modern enterprise.

Did you know that the BUI Cyber Security Operations Center is the first of its kind in Africa?

We can help you balance business productivity with robust prevention, detection, and response.

BUI secures Identity and Access Management Advanced Specialization

We’re pleased to announce that we’ve been awarded the Identity and Access Management Advanced Specialization from Microsoft in recognition of our proven expertise and experience in deploying Microsoft Identity workloads with Azure Active Directory.

Microsoft introduced the Identity and Access Management Advanced Specialization in November last year. The accreditation acknowledges Microsoft Partners who have demonstrated premier technical capabilities and the highest standards of service in delivering secure, unified access management solutions for customers.

“Identity and access management is an essential part of an effective security strategy,” explains Willem Malan, our Chief Technology Officer. “As enterprises continue to embrace digital transformation to enable the new world of work, the ability to manage user identities and safeguard access to business assets is more important than ever before. We are committed to helping our customers leverage the full power of the Microsoft cloud to streamline and secure user access,” he says.

Remote productivity remains a key focus area for organisations around the world, especially as coronavirus protocols continue to impact the way work is done. “Enterprises are solidifying and expanding their remote-work strategies to allow not only employees, but also suppliers, vendors, and external collaborators to access corporate assets from home, or indeed wherever they are,” notes Malan. “And that means making sure their identity and access management systems are robust enough to handle the intricacies of the modern workplace,” he adds.

One of the biggest challenges for customers, continues Malan, is giving the right people the right access to the right resources – at the right time, every time. “Enterprises need to be able to control, protect, monitor, and review user access across the board, but that can be difficult without a central control plane. Microsoft’s Azure Active Directory is a richly featured platform that puts identity at the core of access management to reduce the complexity and cost of safeguarding the business environment.”

The Identity and Access Management Advanced Specialization is our newest Microsoft accreditation, and complements our existing Windows Virtual Desktop and Adoption and Change Management capabilities. “We have amplified our abilities to provide even more support to our customers with comprehensive, cloud-powered solutions to make user authentication seamless and secure,” concludes Malan.

Let’s talk about identity and access management solutions for your business.

Whether you’re just getting started on your cloud journey, or looking to modernise your identity management systems, we’re here to help.

Contact us to learn more about using Microsoft Azure Active Directory to achieve your business productivity and security goals.