28 January marked Data Privacy Day, an international annual event that highlights the importance of data protection and compliance in a high-risk world.
The World Bank describes it as an international focus on the ‘importance of respecting privacy, safeguarding data and enabling trust’.
It matters all the more in an era of increasingly sophisticated cybercrime, where the online world has become a complex web of tracking, cookies, crime and intent.
According to Brendon Ambrose, General Manager and Data Privacy Lawyer at Atvance Intellect, companies in South Africa need to focus on maturing their data protection and compliance foundations to ensure that they are not only aligned with the Protection of Personal Information Act (POPIA), but that they can handle the ongoing cyber onslaught.
“POPIA has been in effect for a short while and most organisations are putting compliance processes in place, but there’s still a lot of concern around how robust their processes are and whether or not they’re fully prepared,” he adds. “As international Data Privacy Day rolls in, and stories of doom and gloom and breach along with it, this is a good time for companies to focus on how they manage their security and alerts around a compromise.”
While POPIA comes with an extensive checklist, one area that’s invaluable to the business is the notification of security compromises.
According to IBM, it takes an average of 287 days to discover and contain a data breach. That gives attackers nearly a year inside the system to entrench their access and steal credentials, data and information.
This makes early identification and mitigation absolutely critical, since it can fundamentally change the impact an attack has on the business, both in cost and in reputational damage.
“Companies need to gain a solid understanding around how a security compromise is defined within the business, within POPIA, and when and how to report it,” says Ambrose. “The last thing a company needs is to find out that it’s been hacked because information was leaked online, or a significant amount of personal information connected to the business was found online. It’s essential that companies focus on embedding the right processes and hiring the right resources because the fall-out for failure is expensive and damaging.”
The same IBM study found that the total average cost of a breach increased by 10% from 2020 to 2021, rising to $4.24 on average, and that lost business accounted for around 38% of the overall average, at a cost of $1.52 million. In addition, 20% of breaches were due to compromised credentials, and companies with low levels of compliance paid significantly more: $2.30 million more, to be precise. This underscores the fact that compliance is not a compromise. It has to become part of the organisation’s culture, trickling down from the top into every department and onto every desktop.
“One of the best ways to ensure that compliance remains a mandated priority within the business is to invest into training,” says Ambrose. “There’s the first line of defence training that ensures every employee understands their role in keeping the business, and its data, safe. Then there’s ensuring that the company has a POPIA compliance officer who is regularly and rigorously trained so they’re prepared for what the cybercriminal is about to throw at them.”
Understanding precisely how the organisation has to comply with, and report around, POPIA is essential in ensuring that it can emerge from an incident with minimal harm and risk.
The reality is that every single business that uses the internet is at risk of being hacked. Some recent research found that 64% of companies have been attacked at least once, that 63% of attacks are financially motivated, and that there is an attack every 39 seconds.
It doesn’t matter how big or small your business is: if it’s online, holds data and makes money, it’s a target. In fact, 80% of companies that have been attacked once will be attacked again.
“Invest into training and into processes and procedures that help the organisation to identify an incident and mitigate its impact,” says Ambrose. “Ensure your information officer or responsible compliance officer has the skills and tools they need to create a robust incident management plan and stay abreast of changes in security best practice and attack vectors. This is not the time to minimise the resources given to security, not when the fallout is so significant.”
Ultimately, international Data Privacy Day is just that, one day, but it should underscore the importance of investing in the skills, resources and systems that will ensure the business can withstand, or survive, a breach.
At a time when customer trust is low and government oversight is high, compliance is less a box-ticking exercise and more an essential part of doing business.