It’s become something of an industry motto that it’s not a case of if you get breached, but when you get breached. And IBM Security’s Cost of a Data Breach Report 2020 puts some real rand amounts to this unfortunate inevitability. According to the report, the average cost of a data breach in South Africa is more than R40 million. Each stolen or lost record costs almost R2,000. Further, it takes companies an average of 177 days to spot breaches, and malicious attacks take even longer: criminals typically have 191 days (more than half a year) of free play time on company networks before they are spotted. Once discovered, it takes companies on average 51 days to contain the breach.
Now consider the rise in high-profile breaches here and abroad, as well as beefed-up regulatory pressure in South Africa, with the Protection of Personal Information Act (POPIA) coming into force from 1 July 2021. These stats inevitably point to a stark conclusion: companies that want to stay in business need to do everything they can to prevent data breaches, whether these are caused by malicious attacks, system glitches or human error.
As companies understand what is expected of them and put plans into place to achieve their data protection goals, they need to bear in mind that the protection of data is a journey, not a destination, and that not all data is equal. Indeed, less than 1% of total data is likely to require maximum security, according to Sheldon Hand, IBM Security Business Unit Leader – Southern Africa.
You can’t protect what you can’t see. So, the first step on any company’s data protection journey should be a data discovery and classification exercise. And with POPIA in mind, this should also seek to understand the company’s obligations around personally identifiable information: What is it? Do we store it? Where is it stored? How secure is it?
This discovery exercise allows for better data classification. Companies can determine what data is top secret and needs maximum security; what is confidential and can be adequately protected with slightly less rigorous security; and what is public information which needs to be readily accessible. The details of these classifications will of course vary by company, industry and the specific regulations that apply.
Of course, all this is easier said than done. Data is often described as the modern-day oil, and like oil, it needs to flow. There is also a lot of it. Hand points out that South African enterprises can have tens of thousands of databases, thousands of servers that need to be secured and protected and hundreds of people that need secure access to the data.
The journey doesn’t stop with discovery, classification and protection, though. The data now needs to be monitored for anomalous behaviour that could signal a potential breach. Given the rapidly growing data footprint of most organisations, this can only be achieved through automation and by harnessing artificial intelligence and machine learning.
“Securing information in a large enterprise is a combination of people, processes and technology,” says Hand. “You need the technology to implement the procedures and controls, and then help you to analyse the use of data in your environment. Who is accessing it and what are they doing with it, and does anything indicate a potential breach?”
Further, the value of data changes over time. For instance, pre-patent and production, a blueprint could be top secret and need maximum security. A few years later, once it’s in production with competitors in the market, that blueprint’s value could have waned significantly, or even be zero. It certainly no longer needs maximum security. This changing value of data will impact your ongoing data protection journey.
“It doesn’t really help to come in with a big bang approach to data protection today so that in nine months you’ll be ready for POPI and have implemented your solution but then you take a step back,” says Hand. “Your data protection programme has to be consistent and it has to evolve with the changing business landscape.”
A final note on how rapidly the landscape is changing: as one of the pioneers of quantum computing, IBM reminds clients that, with the future arrival of quantum computing, today’s encryption standards will need to be replaced, as they will be easily broken by quantum computing capabilities. Companies should bear in mind that at some point in the future their data protection journey will involve transitioning from one encryption standard to an entirely new one.
Pelin Konakci, IBM’s data security sales leader, will be speaking at Cyber in the City about how to take your organisation from readiness to transformation. She’ll also be joining a panel discussing the importance of data classification, privacy and protection for regulatory compliance. IBM is a sponsor of Cyber in the City on 19 November 2020 from 9 am to 1 pm. Visit cyberinthecity.co.za to register.
"*" indicates required fields