Trustwave has released its findings from a survey of 113 South African IT professionals, asking if they are ready for POPI – South Africa’s Protection of Personal Information Act, which seeks to regulate the processing of personal information and standardise compliance with privacy and data protection legislation.
The survey was completed by C-level executives, mid-level managers and IT specialists from a variety of industries including finance, government, retail, manufacturing, mining, construction, education, communication, healthcare and tourism.
The first section of the survey focused on the processes that companies should have in place to classify sensitive data such as medical records, credit card data and personally identifiable information (PII) including names, surnames, ID numbers and medical histories. More than half of those surveyed (51%) said they do not have processes in place to classify data correctly.
When asked about measures in place to prevent the loss of, damage to and unauthorised access to PII, more than a third (38%) said they have either technical or organisational measures in place but not both, or that they have no such measures at all.
According to the POPI requirements, companies must notify the regulator as well as the affected individuals (the data subjects, in the Act’s terms) in the event of a data security breach.
When asked whether they knew of any data breach in their organisation within the past 24 months in which PII was lost, damaged or accessed without authorisation, 67% of respondents were confident that they had not experienced one. Only 14% said they had suffered a breach affecting PII, and 19% said they did not know.
That confidence deserves a caveat. According to the 2014 Trustwave Global Security Report, which details the findings of 691 breach investigations conducted by Trustwave forensic investigators across 24 countries in 2013, the median time from initial intrusion to detection was 87 days. An organisation that has not detected a breach is not necessarily one that has not suffered one, so some South African companies may be unaware that a breach has occurred.
Finally, just over a third (38%) of participants felt confident their companies would be compliant with POPI within the next 12 months.
Leon van Aswegen, security consultant at Trustwave, says, “We conclude from this survey that many South African companies do not have security controls aligned with POPI. Not only should companies be making POPI compliance a front burner issue, but they should also be looking beyond compliance with any regulatory standard, including POPI.
“These standards serve as a baseline for security. The most effective security strategy entails multiple layers beginning with a risk assessment to vulnerability scanning and penetration testing to deploying technologies that cover their attack vectors to ensuring they have enough manpower and skillsets to make sure those technologies are installed, updated and continuously working properly,” he concludes.
“If they do not have enough manpower and skillsets in-house, they should consider partnering with a third party team of experts whose sole responsibility is to focus on security, enabling the in-house team to focus on other revenue-generating priorities.”