The new Protection of Personal Information (POPI) Act is going to force organisations to change their attitudes towards IT security. Data privacy which is built upon solid IT security practices will make real business sense very soon and South Africans are set to become more hostile towards organisations that do not treat personal data principles with respect.
This is according to Michiel Jonker, director: IT Advisory at Grant Thornton Johannesburg.
The POPI Act, which was gazetted in November last year, and which is currently awaiting an effective date, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act also provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
The world has been plagued by dramatic security breaches in the past few months, such as the recent security incidents at retail company Target as well as at renowned e-commerce group eBay. These breaches have caused great concern and anxiety amongst company Board members, specifically that their IT security practices are neither adequate nor effective enough to prevent security incidents from occurring.
“This has all come at a time when the awareness of IT Security and good IT governance amongst company board members is actually on the increase,” Jonker adds.
Company board members have high expectations that “IT security” equals 100% security. Even if some acknowledge that this is not practical, Board members still create the silent expectation that close-to-absolute security is required as a deliverable by IT departments.
But Jonker cautions that the idea that an organisation can achieve 100% IT security is a total fallacy – that is, unless you unplug all computers.
“This requirement by executive boards might be one of the major reasons why we experience prominent breaches even in an era where Boards are becoming more aware of their IT security and governance responsibilities,” he continues. “In a world where we still deal with the weakest link of all time – the human element – it is surprising that organisations believe that they need only to rely on preventive measures,” says Jonker.
Many executive board members think that a firewall, for example, fulfils the same function as a brick firewall does between the ceiling and roof of a structural building – that is, to prevent any form of fire jumping from one section to another.
Jonker says that, unlike brick firewalls, firewalls in the IT world will, in some circumstances, allow unauthorised traffic through.
“There is also a fear among CIOs and IT executives when it comes to reporting security breaches to Exco, and this is due to the general perception at this level that all forms of security breaches can be prevented. Sadly, many boards believe that a security breach, even if detected and reported in a timely manner, is a sign of incompetency,” he continues.
Boards and Audit Committees will have to understand that a security breach which was detected in time, and escalated and corrected, has to be acknowledged as part of the bigger picture to enforce IT security.
“It is when no corrective measures are taken even when a breach has been detected, that organisational boards need to step in to address this failure as unacceptable behaviour,” warns Jonker.
Failure to deal with basic and well-known vulnerabilities (unless it was a zero-day attack which no one can detect in time and which nobody is able to prevent) must not be treated lightly by Boards – hence the need for IT expertise on Boards. Jonker also recommends that where IT expertise does not exist at board level, it is important for executives to consult a specialist to ensure that the Board understands all significant risks that the organisation faces.
In the future, companies will also be faced with the potential of multi-million rand monetary fines, civil claims and reputational damage – if found guilty of POPI transgressions.
“This makes IT Governance at corporate board level a reality,” continues Jonker. “The introduction of POPI could lead to significant fines for companies who are found to have had data breaches.”
But massive security breaches will have far greater effects for future organisational wellbeing. In fact, Jonker says that the POPI fines – while being very expensive – will be the least problematic for some corporations.
In Target’s case it is reported that profit fell by 46% during the holiday shopping period. Companies will have to face dramatic customer contraction; they will need to spend millions on PR actions and even compensate customers for losses experienced.
“In Target’s case, this incident will probably run into billions eventually,” adds Jonker. “In an age where customer loyalty no longer exists, the eventuality of Target is going to be an interesting case to watch.”
Important points for Board members to keep in mind:
* Don’t treat IT security as an afterthought. Security must form an integral part of all business processes. There are still too many systems in the market where no attention was paid to security concerns and the focus is purely on functionality – e.g. a financial package was designed to provide you with proper income statements and balance sheets, not security.
* IT security does make business sense. Recent financial losses endured by retail company Target show that one security breach can cost an organisation more than the cost of preventative, detective and corrective measures together. Although your organisation might not sell IT security, the lack of appropriate measures can certainly destroy an organisation’s reputation, leading to loss of customers and revenue.
* CIOs must be appointed at Exco level. Many CIOs are not functioning at Exco level and many times are not invited to Board and Audit Committee meetings. It is important that CIOs are part of any organisation’s business strategy discussions.
* Holistic approach to security. Security is more than just about prevention – it also entails the capability to detect, escalate and correct breaches. A holistic approach would involve deploying the right technology to prevent and detect incidents, implementing effective processes, having the appropriate structures in place and making sure that people are aware of security risks.
* Security culture – the human element will always thwart the best intentions; continuous awareness must be created. Non-compliance with security policies should not be tolerated. Strict adherence to policies should apply to all levels within an organisation. We still see practices where policies are relaxed for “C-level” executives, e.g. CEOs’ passwords that never expire.