Unauthorised access to information is one of the most prevalent cyber crimes in South Africa. Data has become the lifeblood of business – from financial information to the details of a company’s customers, data is the basis of every business transaction today.
Unlawful access to this information therefore poses a serious threat, and yet many businesses have insufficient safeguards to ensure that their data is secure.
This will change with the enactment of the Protection of Personal Information (POPI) Bill which is set to be enacted next year. POPI will provide comprehensive protection of information relating to personal detail of an individual, and will require that companies be careful how the information is used as well as how secure it is. “Comprehensive data handling strategies, processes and procedures as well as systems will need to be devised an implemented in order to comply with this legislation,” says Danny Myburgh, MD of Cyanre, a company specialising in cyber forensics and data recovery. “But even without a legislative requirement to manage the security of data, businesses are increasingly becoming aware of the need to protect their information, and of the potential cost of a data breach.”
He explains that these costs can be extensive, and range from the easily calculable costs of notification costs and business loss to less tangible threats to a company’s brand and business continuity. “Criminals are perpetrating this type of crime for a number of reasons, and the effects are just as diverse. The reasons can be for financial advantage or to commit fraud, or they can be more sinister, such as extortion, or deliberately placing a firm in disrepute. Industrial espionage is as much of a motivation as disgruntled employees who want to ruin a business’ reputation, or employees who want to set up companies in competition with their employers.”
The results of this are similarly wide-ranging. From the frustration of having to evaluate how wide the damage is, to potential operational paralysis, a data breach is as significant a threat as the theft of all of a company’s physical assets.
Myburgh says that there some basic guidelines to preventing a breach, and to ensuring that business can continue should the worst happen. “Establish a comprehensive pre-breach response plan that will enable decisive action and prevent operational paralysis when a data breach occurs. Your efforts will demonstrate to consumers and regulators that your organisation has taken anticipatory steps to address data security threats. This plan can be integrated with your ICT contingency plan and should cater for internal and external breaches. But look beyond IT security when assessing your company’s data breach risks. To eliminate additional threats, a company must evaluate employee exit strategies, remote project protocol, on- and off-site data storage practices and more – then establish and enforce new appropriate policies and procedures and physical safeguards.”
He adds that thieves can’t steal what they don’t have. Data minimisation is a powerful element of preparedness, he says. “The rules are simple: Don’t collect information that you don’t need, reduce the number of places where you retain the data, grant employees access to sensitive data only on an ‘as needed’ basis, keep current records of who has access to the data while it is in your company’s possession, and don’t forget to purge the data repository once the need for it has expired.”
Employee education is another vital step to avoiding a data breach. “The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules. Data encryption on portable and mobile devices is a must for modern business,” says Myburgh.
However, the simplest and most convenient way to prevent a data breach – and to recover should one occur – is to retain a third-party corporate breach and data security expert. Not only will they analyse the level of risk and exposure of a company, but they will be able to effectively manage the recovery process for a business, from data recovery to instituting criminal proceedings.
“An evaluation performed by an objective, neutral party leads to a clear and credible picture of what’s at stake, without pressurising staff who might otherwise worry that their budgets and careers are in jeopardy if a flaw is revealed,” says Myburgh. “The true value of this approach is only evident in the worst-case scenario, however. Should a company suffer from the losses caused by a data breach, contingency plans and effective preparation can mean the difference between complete operational paralysis and a minor inconvenience.”