A data breach can strike any organisation at any time, so its critical data must be safeguarded, whether that is sensitive information the organisation must protect to maintain its competitive advantage, or records needed to meet industry or government regulatory demands.
Sensitive personal and business data is more vulnerable today than ever before, with corporate trade secrets, national security information, personal identity information, medical records, social security and credit card numbers stored, used, and transmitted online through digital channels and connected devices. Current predictions estimate that by 2025 the human race will be storing over 463 billion gigabytes per day, growth of over 1000% relative to 2018; this data tsunami presents an even bigger challenge.
With over 80% of corporate data living in file shares, SharePoint and cloud storage services such as Google Drive, OneDrive, Box and Dropbox, compounded by users having access from any device, data security has taken on significant importance to many if not all organisations.
The proliferation of data presents criminals with an increasingly wide range of opportunities to monetise stolen information and intellectual property. Moreover, foreign governments and organised crime rings have embraced hacking as one of the most potent tools at their disposal. The ramifications of a data breach, where protected data is exposed or stolen, are dire: the average cost to an organisation that loses over one million customer records is as much as $40 million.
Organisations are also at risk from internal threats. Negligent or disgruntled employees can expose confidential information even faster than a hacker, so organisations need adequate safeguards in place to prevent the accidental or intentional release of sensitive data. A recent IBM survey identified that on average it takes an organisation nearly 197 days to realise it has suffered a data breach, and a further 67 days to contain and resolve it. Organisations need to ask some fundamental business questions about their data.
- Do you know what Data you have?
- Can you identify sensitive data?
- Do you know who has access to that Data?
- Do you know how that user got access and should they even have access?
- How is that Access being used?
- Who owns that Data?
- Can you report in real time what is happening to that Data and take appropriate action?
Section 19 of POPI places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and unlawful access to it. To comply with this obligation, companies in South Africa must take reasonable measures to:
- identify all reasonably foreseeable internal and external risks to personal information under its control;
- establish and maintain appropriate safeguards against the risks identified;
- regularly verify that the safeguards are effectively implemented; and
- ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.
All of which will require a comprehensive data governance strategy that answers the who, what, why, when and how.
In South Africa, notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system. As many organisations in South Africa deal with the European Union (EU), its more stringent regulations will also apply. GDPR requires not only that organisations enforce least-privilege permissions on EU citizens’ PII data, but also that they be able to detect and remediate violations of that policy immediately. Organisations now have a maximum of 72 hours after becoming aware of a data breach involving customer data to report it, and must notify the affected individuals if adverse impact is determined.
The complexities associated with compliance and data protection mean the most effective way forward is to automate as many identity and access management tools and security audit processes as is reasonably possible.
Riaan Hamman, Data Security lead at Puleng Technologies, says, “There are several steps organisations need to take to ensure they are compliant with regulation. The first, and most vital, step organisations need to take is to map their data to data owners throughout their environment. Successful compliance and good corporate governance require every organisation to know who its users are, where regulatory controlled and sensitive data reside, and how its data is accessed.” Hamman explains, “Once data and owners are captured, organisations need to strengthen the controls that determine who has access to specific data and who doesn’t. Data access needs to be controlled by ‘least privilege’ so that access to only the minimum resources is permitted and access to sensitive data is highly restricted. These privileges need to be checked on a regular basis, both through internal and external audits.”
Bulpett concludes, “At SailPoint we have approached the issue of data security with an Identity Governance Platform that puts the protection, management, control and ongoing access to an organisation’s data at the heart of a cyber security strategy. Specifically, identity governance tools enable organisations to confidently assess their risk, strengthen their controls, close enterprise vulnerability, and automate their detection and audit processes. By assessing risk with identity governance at the forefront of a security strategy, an organisation can create a roadmap to prioritise and remediate the most important regulatory gaps, and thus effectively control and secure an organisation’s critical asset - its data.”