How to lose R400 million

Gidani (licensed operator of the South Africa National Lottery) recently came perilously close to losing its R400 million-a-year contract.

The reason for this near miss was its failure to secure its business-critical data (a requirement of its contract with the National Lotteries Board) - with two independent audits questioning existing measures to protect confidential data.

The much publicised data breach that led to fraudulent activity at Gidani, of course, played a crucial part in highlighting the failings of the technology and processes in place at the operator.

According to local news reports, “the board initially considered revoking Gidani's licence altogether... but it had since decided to fine the company instead.”

That a case of poor data security nearly put Gidani out of business is by no means an isolated incident. History is littered with companies that suffered severe loss of business and damage to market reputation through breaches of confidential information - just ask Sony.

The Ponemon Institute estimates that last year's data breach at Sony will cost the company an absolute minimum of $5.6 billion - with the majority of cost attributed to “expense outlays for detection, escalation, notification and after-the-fact (ex-post) response”, as well as the “economic impact of lost or diminished customer trust and confidence as measured by customer turnover, or churn, rates”.

$5.6 billion, R400 million a year - whatever the monetary value that is associated with data security breaches, it pales in comparison to the direct impact a failure to protect data can have on company board members in their personal capacity.

With the imminent passing of the Protection of Personal Information (PPI) bill in South Africa, board members are staring the possibility of being held personally liable in the face, with prison sentences, fines and the like on the cards, should companies be found guilty of not taking appropriate steps to safeguard their business-critical and confidential information.

The direct cost and personal liability to businesses and individuals alike are sure to make believers out of the once sceptical - and often reluctant acknowledgers - of the importance governance, risk and compliance (GRC) plays in business operations today.

Cibecs is well aware of the reluctance within organisations to take decisive action in terms of their GRC status, especially among IT professionals who already find their plates filled to capacity.

In order to assist companies in their quest for hassle-free compliance, Cibecs is making the services of its in-house GRC specialist, 'The Gov', available to field any and all GRC-related questions.

The Gov is also more than happy to share his in-depth knowledge of procedures relating to the security of mission-critical data.

“We encourage companies of all sizes to get in touch with The Gov to ensure their procedures are in line, their data sufficiently protected, and their business continuity planning on par with industry best practices,” says Cibecs Marketing Manager, Brandon Faber.

“Questions can be posed to The Gov on the following address: thegov@cibecs.com.”

Contact Cibecs on (011) 791 0073 or e-mail: info@cibecs.com for more information.