
Companies still fail data

Despite comprehensive data protection policies, most local firms are still wide open to data theft and misuse.

By Mervyn Mooi, Director of Knowledge Integration Dynamics (KID), which represents the ICT services arm of the Thesele Group.
Johannesburg, 31 Mar 2016

Numerous pieces of legislation, including the Protection of Personal Information (POPI) Act, and governance guidelines like King III, are clear about how and why company information, and the information companies hold on partners and customers, should be protected. The penalties and risks involved in not protecting data are well known too. Why, then, is data held within South African companies still inadequately protected?

In my experience, South African organisations have around 80% of the necessary policies and procedures in place to protect data. But the physical implementation of those policies and procedures is only at around 30%. Local companies are not alone - a recent IDC study has found two-thirds of enterprises internationally are failing to meet best practice standards for data control.

The risks of data loss or misuse are present at every stage of data management - from gathering and transmission through to destruction of data. Governance and control are needed at every stage. A company might have its enterprise information systems secured, but if physical copies of data - like printed documents or memory sticks - are left lying around an office, or redundant PCs are sent for recycling without effective reformatting of the hard drives, sensitive data is still at risk. Many overlook the fact that confidential information can easily be stolen in physical form.

Many companies fail to manage information sharing by employees, partners and other businesses. For example, employees may unwittingly share sensitive data on social media: What may seem like a simple tweet about drafting merger documents with the other party might violate governance codes. Information shared with competitors in exploratory merger talks might be misused by the same competitors later.

Even larger enterprises with policies in place around moving data to memory sticks and mobile devices don't clearly define what confidential information is, so employees tweet, post or otherwise share information without realising they are compromising the company's data protection policies. For example, an insurance firm might call a client and ask for the names of acquaintances who might also be interested in their product, but under the POPI Act, this is illegal. There are myriad ways in which sensitive information can be accessed and misused, with potentially devastating outcomes for the company that allows this to happen. In a significant breach, people may lose their jobs, or there may be penalties or a court case as a result.

Best intentions

Most companies are aware of the risks and may have invested heavily in drafting policies and procedures to mitigate them. But, the best-laid governance policies cannot succeed without effective implementation. Physical implementation begins with analysing data risk: Discovering, identifying, and classifying it, as well as analysing its risk based on value, location, protection, and proliferation. Once the type and level of risk has been identified, data stewards need to take tactical and strategic steps to ensure data is safe.

These steps within the data life cycle need to include:

* Standards-based data definition and creation to also ensure security and privacy rules are implemented from the outset.
* Strict provisioning of data security measures such as data masking, encryption/decryption and privacy controls to prevent unauthorised access to and disclosure of sensitive, private, and confidential information.
* Secure provisioning of test and development data by automating data masking, data sub-setting and test data-generation capabilities.
* Attention to data privacy and accountability by defining access based on privacy policies and laws, for instance, who views personal, financial, health or confidential data, and when.
* Finally, archiving: the company must ensure it securely retires legacy applications, manages data growth, improves application performance, and maintains compliance with structured archiving.
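As an added illustration of the masking, sub-setting and access-by-policy steps listed above (example code written for this page, not the author's or KID's), the script below classifies each field of a customer record, masks personal fields before a row-limited copy is handed to a test environment, redacts confidential fields, and only returns the fields a given role is permitted to view. The field names, classification tags, role policy, masking key and sample records are all constructed assumptions; a real organisation would take them from its own data classification and privacy policies.

```python
"""Constructed example: classify, mask, sub-set and gate access to customer data.
Not the article's code; every field name, policy entry and record is made up."""
import hashlib
import hmac
import re

# Constructed classification: sensitivity tag per field, as produced by a
# data discovery and classification exercise.
CLASSIFICATION = {
    "customer_id": "internal",
    "full_name": "personal",
    "id_number": "personal",
    "email": "personal",
    "phone": "personal",
    "policy_value": "confidential",
    "province": "public",
}

# Constructed access policy: which sensitivity classes each role may read.
ACCESS_POLICY = {
    "claims_handler": {"public", "internal", "personal", "confidential"},
    "marketing": {"public", "internal"},
    "developer_test": {"public", "internal"},
}

# Constructed masking key; in production this lives in a key store and is rotated.
MASK_KEY = b"constructed-example-key-rotate-in-production"


def pseudonymise(value: str) -> str:
    """Keyed hash: same input gives the same token (so joins between test tables
    still work), but the token cannot be reversed to the original without the key."""
    digest = hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]


def mask_email(value: str) -> str:
    """Keep first character and domain so the format is still testable."""
    local, sep, domain = value.partition("@")
    if not sep or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(value: str) -> str:
    """Keep only the last three digits."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 3) + digits[-3:]


MASKERS = {"email": mask_email, "phone": mask_phone}


def classify(field: str) -> str:
    # Unknown fields default to the most restrictive class, so a newly added
    # column is never leaked merely because nobody has classified it yet.
    return CLASSIFICATION.get(field, "confidential")


def mask_record(record: dict) -> dict:
    """Mask personal fields, redact confidential ones, pass the rest through."""
    out = {}
    for field, value in record.items():
        cls = classify(field)
        if cls == "personal":
            out[field] = MASKERS.get(field, pseudonymise)(str(value))
        elif cls == "confidential":
            out[field] = "[REDACTED]"
        else:
            out[field] = value
    return out


def subset_for_test(records: list, max_rows: int) -> list:
    """Masked, row-limited copy suitable for a development or test environment."""
    return [mask_record(r) for r in records[:max_rows]]


def authorise(role: str, field: str) -> bool:
    """Access decision driven by the field's classification, not by field name."""
    return classify(field) in ACCESS_POLICY.get(role, set())


def view_for_role(record: dict, role: str) -> dict:
    """Return only the fields the role's policy permits it to see."""
    return {f: v for f, v in record.items() if authorise(role, f)}


# Constructed sample records (fictional people and values).
SAMPLE_RECORDS = [
    {"customer_id": 1001, "full_name": "Thandi Naidoo", "id_number": "9001010000001",
     "email": "t.naidoo@example.co.za", "phone": "082 123 4567",
     "policy_value": 250000, "province": "Gauteng"},
    {"customer_id": 1002, "full_name": "Pieter van Wyk", "id_number": "8505050000002",
     "email": "pieter@example.co.za", "phone": "083 987 6543",
     "policy_value": 120000, "province": "Western Cape"},
    {"customer_id": 1003, "full_name": "Lerato Mokoena", "id_number": "9210100000003",
     "email": "lerato@example.co.za", "phone": "071 555 0199",
     "policy_value": 98000, "province": "Free State"},
]

if __name__ == "__main__":
    for row in subset_for_test(SAMPLE_RECORDS, 2):
        print("test copy:", row)
    print("marketing sees:", view_for_role(SAMPLE_RECORDS[0], "marketing"))
```

The design point is that both masking and access decisions key off the classification tag rather than off hard-coded field names, which is what lets a policy written on paper ("no personal data in test systems", "marketing may not see identity numbers") be enforced mechanically once the classification exercise has been done.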


Policies and awareness are not enough to address the vulnerabilities in data protection. The necessary guidelines, tools and education exist, but to succeed, governance has to move off paper and into action. The impact of employee education is temporary: it must be refreshed regularly, and it must be enforced with systems and processes that entrench security within the database, at file level, server level, network level and in the cloud. This can be a huge task, but it is a necessary one when architecting for the future.

In the context of the above, a big question to ponder is: Has your company mapped the rules, conditions, controls and standards, as translated from accords, legislation, regulation and policies, to your actual business/technical processes and data domains?
