Legality pain for security pros

By Regina Pazvakavambwa, ITWeb portals journalist.
Johannesburg, 23 Oct 2014
Business needs to take legal requirements on information security to the fore, says Tony Olivier, MD of Performanta.

South African IT security professionals say dealing with issues like compliance, regulatory complexities, legislative overload and legal risks is leaving them with inadequate time to get involved in business issues.

This emerged from a poll undertaken among 80 IT security professionals during the IT Security Forum, hosted by Performanta, in partnership with ITWeb, at The Maslow in Sandton yesterday. The professionals voted on the legal implications of cyber crime and information security on their business.

The majority of the respondents (71%) revealed there is a lot of noise concerning issues like compliance and regulation, thus, enterprises need to put priorities in place to ensure these do not encroach on their business time.

Only 18% said these issues did not affect their work, with 11% saying these issues were eating into their business time.

Tony Olivier, MD of Performanta, said there is a gap between the business and legal requirements of information security. He noted businesses need to take the legal requirements of information security to the fore and not just focus on the technical aspects.

In the poll, 89% of the respondents said the legal department must only get involved once business understands the legal implications of a breach in their system, with 11% only seeking legal help as a last resort.

However, Olivier believes the legal department should get involved before any information breach has occurred to help business understand the legal context.

If there is a privacy breach in the company, there needs to be a legal framework the business can refer to in order to limit damage to the organisation, said Professor David Taylor, IT law specialist and data privacy officer at T-Systems, also speaking at the event.

According to Taylor, the audience's response indicates companies need to take care of both the legal and technical aspects of information security by putting measures in place to protect personal information as well as the system from all kinds of breaches.

"You must put legal measures into place before cyber breaches occur in order to plan how you are going to properly respond to those breaches and tackle them. For example, if you have service providers maintaining data for you, make sure you have agreements in place to ensure your information or customers' information is properly protected," said Taylor.

Organisations have to be able to measure the success of their information security initiatives, said Olivier, adding they need to have visibility on whether the organisation is secure or not.

"Privacy is a competitive advantage, that's what has been shown internationally, that's why your reputation gets ruined and that's why your customers go away when there is a security breach and information hosted on the company's networks is compromised," said Taylor. "It is important to identify and implement correct measures to protect your company from cyber attacks. And should they occur, have a legal framework to protect the company from financial and reputational damage," he added.

The poll also divulged the majority of IT security professionals (52%) do not believe they can be incarcerated for a privacy breach in SA. However, when the POPI Act comes into play, violators will be liable to a R10 million fine or 10 years in prison if a breach occurs and no measures were in place to protect the customers' personal information.
