Organisations across industry sectors continue to fall victim to cyberattacks. For any organisation, a cyberattack is not a matter of ‘if’ but ‘when’: it is unavoidable.
Following the changes the pandemic has brought about in the business world, organisations have significantly increased their use of data and the internet. This, in turn, has increased the prevalence of cyberattacks and cybersecurity risks.
Additionally, the new world of hybrid work has expanded the attack surface and opportunities for threat actors as workers access data and information from anywhere, anytime and on any device. Gartner has named ‘Anywhere Operations’ as a technology trend through 2023, with businesses taking a digital-first, remote-first approach to reach customers, support employees and deliver services anywhere.
“This means data of all types are at greater risk of cybersecurity attacks, including malware, ransomware, and phishing scams. Furthermore, the country is seeing a significant rise in cyberattacks with security breaches frequently making headline news. These attacks not only expose millions of South Africans’ personal information but affect organisations’ ability to deliver key services,” says Willem Botes, Head of Solution Specialists South Africa at Iron Mountain.
Before the pandemic, South Africa saw a cross-industry spike in cyberattacks and since then the number of attacks has increased, leading to financial losses for companies across the banking, manufacturing and energy sectors as well as the public sector with disruption to critical infrastructure. It is estimated that the country loses approximately R2,2-billion a year to cyberattacks with organisations counting the financial cost, damage to their reputation and a loss of customers’ trust and confidence in their ability to securely store and manage records.
Consequently, investors, clients, suppliers and employees are demanding improved management and protection of corporate data, along with better cybersecurity accountability and transparency to alleviate increased cyber risks.
“Developing a data protection strategy to prevent attacks is imperative for businesses of all sizes,” adds Botes. This entails understanding the data the business has, creating a risk-based strategy to manage business risks, taking a holistic business approach by bringing together IT, legal, and security expertise, fostering a security-aware working culture, developing strong information governance for both physical and digital data and records, building in-depth defences and factoring remote workers into the strategy.
In the last few years, several factors have increased the scale of the cyber threat, such as hybrid work and the growing sensitivity to the protection of personal data.
“Employees have changed their work styles and our Economist Impact research has revealed that 75% of business leaders have increased their investment in technology to facilitate data and information exchange across teams, which indicates how leaders’ priorities have shifted since the pandemic,” says Botes.
One of the many reasons data needs to be protected is to safeguard individuals’ privacy. Personally identifiable information (PII), such as names, addresses, ID numbers, telephone numbers, and email addresses, is needed by businesses every day to service customers. However, the loss of PII can result in substantial harm to customers, employees, and the business.
South Africa’s Information Regulator says it received 544 protection of information complaints in the 12 months since the enforcement of its powers in 2021.
“The establishment of an Enforcement Committee by the Information Regulator earlier this year is good news and means that the regulator is now empowered, through the committee, to investigate matters referred to it, and make findings and recommendations in terms of complaints by the public regarding the processing of their personal information,” says Botes.
There are a few basic steps every company can take to improve data security, privacy, and access, by considering the data that they manage across the entire information lifecycle. Identifying, tracking, and managing data from its creation to disposition may seem like a daunting task, but the process can be broken down into four key steps:
* Assessment audit: Conduct privacy assessment audits to identify the requirements related to risk management, retention, and compliance to better control information from the point of creating a record to its final disposition. Audits include taking inventory of stored data and developing an information roadmap of stored records, as well as where those records are located and who is responsible for managing them. Assessment audits provide the foundation for strengthening security.
* Classification: Once the privacy assessment audit phase is complete, classify inventory to comply with retention schedules and retain records in accordance with legal, regulatory, or privacy requirements. The process of classifying content can leverage a rules database to determine which records can be destroyed and when – immediately or eventually – through a proprietary retention management function. As part of this capability, organisations can automatically calculate the destruction eligibility of records according to specific retention policies and better determine when and how those records need to be securely destroyed.
* Seamless access: Employees’ expectations of flexible work styles have changed, and organisations need to evolve along with them. Use technology to provide seamless access to information regardless of the employee’s location, including the use of tools that auto-classify records to facilitate their location. Having the proper metadata or indices assigned to records, physical or digital, will improve access to information for employees, wherever they’re located. Managing the lifecycle of records and data leads to a more satisfying work environment.
* Secure destruction: Data classification enables a more detailed plan for disposing of records and IT assets. When determining whether a record or asset has met the requirements of its retention policy, determine how to securely dispose of that record or asset to ensure privacy protection. Inadequate plans for disposing of data and assets could result in the organisation falling out of compliance with regulations, incurring fines, losing custody of sensitive information, and suffering reputational harm. Following a precise chain of custody is a key component in the destruction phase to help prevent the loss or damage of a record. A chain-of-custody process is the complete, documented, chronological history of the possession and handling of a piece of information or a record.
“Companies are taking data security and privacy seriously; however, they need help and updated guidance to fully safeguard customer and employee information. They simultaneously need to prepare for the future of work and what may come next. Driving effective, organisation-wide information governance for both physical and digital data that is supported by a security-aware culture will go a long way in ensuring the confidentiality, integrity and availability of information, data, and records,” concludes Botes.