South Africa slow to realize “Data Security is a boardroom issue”
“When it comes to a data breach or loss of some kind it’s not if, but when,” says Ilze Dewing, Business Development Director at Endpoint Data Backup and Recovery solutions specialists, Cibecs.
“Recommendations in South Africa’s King III report, stipulations in our Companies Act and new incoming legislation such as the Protection of Personal Information Bill (PPI) and the Protection of State Information Bill, place responsibility for the security of sensitive data at the feet of an organization’s board. Neglect to do so can, and will, have a negative impact on individual board members and their organizations alike.”
Statistics tell an (alarming) story
Research conducted by Cibecs and IDG Connect in the 2012 Data Loss Survey indicates that, by and large, South African organizations have an alarmingly blasé attitude towards the security of their business-critical data, with nearly 50% of respondents still relying on users to take responsibility for company data.
It comes as no surprise then that, of the companies that rely on their users for the security of organizational data, 94% have experienced data-related problems as users fail to comply with their company’s data backup policy.
“The problem is one of buy-in from board members into the critical need to secure company data,” says Dewing. “The 2011 State of the Endpoint Survey (conducted by the Ponemon Institute) revealed that nearly 50% of IT Technology decision makers couldn’t solve their security problems because, they felt, they had no buy-in from their CEO and CFO.”
A paradigm shift required
This situation will have to change, and rapidly so, if companies are to avoid hefty penalties and the other costs related to data loss or data security breaches.
In addition, a recent Deloitte & Touche survey revealed that few South African companies have achieved compliance – and that only 50% of the companies surveyed had commenced any steps towards compliance.
“Even more worrying is the large percentage of companies that do not even understand the impact of the law and the compliance requirements,” says Dean Chivers, a director in Deloitte & Touche’s legal department. “Any medium or large entity which has not commenced compliance activities by the end of this year is very unlikely to comply timeously.”
Recognize and Minimize Risk at boardroom level
Considering the kind of data that is at risk and the negative impact the loss of that data will have on a business or enterprise, the situation is nothing short of alarming.
“Consider for a second the kind of data that drives businesses and organizations,” says Dewing. “Everything an organization is built on is at risk and it’s the board’s fiduciary duty to make sure that that risk is minimized – and that mechanisms exist to recover swiftly should defenses be breached.”