A survey of 113 South African companies has revealed that 51 percent of them have no processes in place to classify their customer’s personal information. A further 38 percent said they had no measures in place to prevent data loss.
Trustwave has released findings from a survey of 113 South African IT professionals, asking if they are ready for POPI – South Africa’s Protection of Personal Information Act which seeks to regulate the processing of personal information and standardise compliance with privacy and data protection legislation.
The survey was completed by C-level executives, mid-level managers and IT specialists from a variety of industries including finance, government, retail, manufacturing, mining, construction, education, communication, healthcare and tourism.
The first section of the survey focused on the processes that companies should have in place to classify sensitive data such as medical records, credit card data and personally identifiable information (PII) including names, surnames, ID numbers and medical histories. More than half of those surveyed (51 percent) said they do not have processes in place to classify data correctly.
When asked about measures in place to prevent the loss, damage and unauthorised access to PII, more than a third (38 percent) said they have technical or organisational measures in place, but not both or they don’t have any measures at all.
According to the POPI requirements, companies must notify the regulator as well as customers in the event of a data security breach. When asked about known data breaches within their organisation where PII was lost, damaged or unauthorised access occurred within the past 24 months, 67 percent of survey respondents were confident that they had not experienced a breach where PII was affected. However, according to the 2014 Trustwave Global Security Report that details the findings from 691 breach investigations across 24 countries conducted by Trustwave forensic investigators in 2013, the median number of days from the initial intrusion to detection was 87, possibly indicating that some South African companies may be unaware a breach has occurred.
Only 14 percent said they had suffered a data breach where PII was affected and 19 percent said they did not know.
Finally, about a third (38 percent) of participants felt confident their companies would be compliant with POPI within the next 12 months.
Leon van Aswegen, Security Consultant at Trustwave said, “We conclude from this survey that many South African companies do not have security controls aligned with POPI. Not only should companies be making POPI compliance a front burner issue, but they should also be looking beyond compliance with any regulatory standard, including POPI. These standards serve as a baseline for security. The most effective security strategy entails multiple layers beginning with a risk assessment to vulnerability scanning and penetration testing to deploying technologies that cover their attack vectors to ensuring they have enough manpower and skillsets to make sure those technologies are installed, updated and continuously working properly. If they do not have enough manpower and skillsets in-house, they should consider partnering with a third party team of experts whose sole responsibility is to focus on security, enabling the in-house team to focus on other revenue-generating priorities.
Action Plan
The Trustwave POPI compliance assessment is tailored to meet the requirements for each business regardless of the organisation’s size and complexity. Trustwave helps organisations define a strategy and roadmap to comply with POPI Condition 7, “Security Safeguards.” Trustwave’s compliance experts also define the scope of the assessment by identifying the business areas involved in PII as well as the business’s needs and processes related to the collection, storage, use, share/transfer, and destruction/archival of PII data. Trustwave also helps businesses identify critical PII processed by the organisation, and assess any existing security controls/framework that are in use to protect PII.
Trustwave offers Privacy Risk Assessments, Privacy Impact Assessments, Controls GAP Assessments as well as technical assessments including database security reviews, vulnerability assessments and penetration testing.
* Follow Gadget on Twitter on @GadgetZA