Survey: A third of SA businesses are prepared for a data breach
ITWeb, in partnership with KnowBe4, conducted an online data protection survey during September and October 2020. The objective was to find out where South African organisations are in terms of managing their data and ensuring that they’re compliant with local and international regulations.
It also sought to uncover the extent to which businesses have identified and classified their data according to risk, and how COVID-19 has impacted privacy compliance programmes.
Roughly 27% of respondents completely agreed that “decision makers and staff in the organisation are familiar with the POPIA regulation", while a further 38% “agree". However, 16% indicated this was not true for their organisation.
Anna Collard, SVP of content strategy and evangelist at KnowBe4 Africa, says, “Despite POPIA only coming into full force by 2021, many South African organisations started their privacy compliance programmes years ago. Awareness training should be a top priority for such initiatives."
Sixty four percent of respondents believe they have in place “sound routines for reporting data breaches”. On the other hand, 18% indicated they don’t. "Not a week goes by without another data breach hitting the news. Organisations need to prepare for security incidents such as data breaches,” says Collard.
The majority (68%) agree that their company has relevant privacy skills and training in place. However, 18% indicated that they hadn’t yet implemented privacy training, and a further 15% weren’t sure. Collard says, “Management and user awareness are some of the top priorities when starting out on a privacy compliance journey.”
When it comes to the preparedness of their organisation for POPIA compliance, just under one-third (30%) indicated they were well prepared, while 39% said they were “somewhat” ready, but more work needs to be done. Fourteen percent of the respondents have only just started, while 8% admitted they are not prepared at all. In contrast, when asked about their compliance with GDPR, 45% of respondents indicated that they comply fully with GDPR, while 40% comply to a limited degree, and only 15% don’t comply at all.
The top three privacy programme elements that the respondents have conducted are to educate staff (67%), to tighten technical controls (61%) and to identify their personal information assets (66%).
A third of the respondents have fully completed the process of identifying and classifying data according to risk, while another third have only done a basic classification. “Data flow mapping, asset identification and subsequent data classification are key aspects of successful privacy programmes," says Collard.
Accidental data loss by staff, or external hacking attempts resulting in data breaches were rated as the biggest risks related to personal information. "Educating users about these risks and raising awareness on how to spot external threats such as social engineering attacks are effective controls to address these risks."
Less than a third (30%) believe their organisation is prepared for a data breach, indicating they have a mature incident response process in place. The majority (49%) report they are “somewhat” prepared but need to do more work on this. Eighteen percent admit that they are not prepared at all, whereas 3% hope this won’t happen to them. "The majority of organisations need more work on their incident response," Collard says.
Forty five percent report they have had no breach incidents in the recent past. For those who did, the most common attack vector is social engineering (e.g., phishing or vishing). "What’s interesting about this result is that it closely matches international research, such as the 2019 Verizon Data Breach Investigations Report, where phishing and social engineering were listed as the number one attack vector of successful data breaches. It’s clear that South African organisations face similar challenges," concludes Collard.