South African organisations need to prioritise the protection of confidential information or face putting their businesses at risk of hefty financial penalties, irrevocable reputational damage, and even legal repercussions, a leading information security company has warned.
With the average data breach costing South African businesses R28.6 million each year, Shred-it South Africa said organisations cannot afford to ignore the importance of implementing robust information security policies and practices. The loss of confidential information can also impact customer confidence and may put businesses at risk of legal action.
“Many South African businesses are not aware of the costly impact that a data security breach can have, both in terms of lost business and non-compliance fines. It’s more than a financial risk; damage to a hard-earned reputation is time-intensive and costly to repair. Prevention is always better than a cure, and I urge organisations in South Africa to make sure information security is top of the business agenda,” says Tony Fitzpatrick, country manager at Shred-it South Africa.
Businesses also need to be aware of the legal requirements when it comes to protecting confidential information. According to Shred-it’s Security Tracker Survey, only 37% of SMEs understand the implications the forthcoming enforcement of the Protection of Personal Information (POPI) Act will have on their business, compared to 70% of C-Suite Executives. However, the enforcement of POPI will hold all businesses accountable should they abuse or compromise personal information in any way. An entity in breach of the legislation could face substantial financial penalties of up to R10 million or a prison sentence of up to 10 years.
“The clock is ticking for businesses when it comes to being properly prepared to meet the terms of the POPI Act. When the POPI Act comes into full effect, it is crucial that all businesses adhere to the outlined requirements of the legislation when collecting, processing, storing and sharing another entity’s personal information. Businesses should note that the POPI Act is more than a compliance checkbox exercise; it is ultimately for the benefit of business, by ensuring that all information is securely protected so that organisations can build trust with their customers, employees and partners,” Fitzpatrick concludes.
Shred-it, which helps businesses in South Africa to improve their information security practices and protect their workplaces against the damage caused by data breaches, has issued the following five tips to help organisations put information security at the forefront of business planning:
• Schedule regular information security audits to identify problem areas where confidential information could go astray, e.g. printer stations and meeting rooms. Put measures in place to ensure that documents are securely disposed of, e.g. reminding staff to keep documents secure and store them in locked consoles or containers when they are no longer needed, ready for secure disposal.
• Introduce a Shred-it all Policy, which means all documents are destroyed prior to disposal. This means employees do not need to make a decision as to what is or is not confidential when disposing of paperwork. The decision to use the recycling bin or shredding container is often left to chance or convenience where both options are available. In practice, when outsourcing to a secure destruction provider such as Shred-it, all shredded paper is recycled, keeping you secure and protecting the environment at the same time.
• A clean desk is one of the simplest yet most effective safeguards that can significantly reduce the risk of a data breach. A formal Clean Desk Policy directs employees to put away all paper documents and lock all electronic equipment when leaving workstations, so confidential information is not at risk of falling into the wrong hands or left vulnerable to ‘visual hacking’ from unauthorised prying eyes.
• Ensure employees are informed about the risks associated with data protection breaches and are well trained on which documents they should consider shredding as well as how to dispose of electronic data.
• Work with a reputable professional information destruction company that not only has a secure shredding process but can offer guidance and help with implementing robust information security practices.