Data breaches could be crippling

Globally, the first six months of 2019 saw more than 3 800 publicly disclosed company data breaches that resulted in the exposure of 4,1-billion compromised records

United States-based credit reporting agency Equifax has agreed to pay more than R10 billion to regulators to settle global claims resulting from a data breach that exposed the personal information of 147-million people – representing the largest settlement ever paid for a data breach.

According to Risk Based Security research, the first six months of 2019 saw more than 3 800 publicly disclosed breaches that resulted in the exposure of 4,1-billion compromised records. The report says that the data contained e-mail addresses in 70 percent of cases and passwords in 65 percent.

Xperien CEO Wale Arewa says South Africa is experiencing a disturbingly high number of data breaches. “A breach at Liberty Life remains South Africa’s biggest leak, with the personal details of more than 30-million people exposed,” he says, warning that data leaks could have enormous financial implications for companies involved, possibly crippling businesses. “If found guilty, companies will certainly face civil claims and huge fines,” he says.

With increased regulatory compliance and new legislation being introduced globally, he says businesses are in for a rough ride. “It is critical that IT managers account for all IT assets within a company. They need to know exactly how many devices – laptops, PCs, tablets, mobile phones or fax machines – the business owns, who has access to them and where they are located.

“And, in a fast-paced and ever-evolving IT environment, business leaders need to recognise new methods for data protection –  on all working devices as well as on retired IT assets. They also need to know what software is installed on each device and whether there is data encryption installed.”

According to Arewa, the number of devices entering businesses is increasing, and it is not uncommon to suffer a security breach involving a device that is not even recorded on a company’s IT asset register.

“There are serious security issues associated with the Bring Your Own Device (BYOD) concept, where the company does not own the equipment, but nonetheless remains liable if the device is permitted access to company information,” says Arewa.

In order to comply, he says businesses will have to implement proper security processes and properly train relevant staff. In many cases, technology will be used to automate many of these processes to secure data.

“Furthermore, many security breaches are internal, either deliberate or through plain negligence. By implementing a software-usage tracking and analysis tool, one can identify culprits and, in some instances, enable preventative measures,” he says.

Arewa adds that all devices need to be encrypted – including portable media and mobile phones. “This ensures that all information is protected if the device is lost or stolen. A managed encryption service is quick and easy to deploy and provides data security in the event of a security breach.”

According to Arewa, few companies understand the protection of personal information when disposing of redundant IT assets. “They need to realise that by retiring technology assets wisely, they can offset the cost of a secure IT asset disposition programme. Rather find a third-party specialist with deep experience in disposing of IT assets,” he says.

“Securing sensitive data is a daunting task for any business. Data security laws mandate that companies implement adequate safeguards to ensure privacy protection of individuals and the penalties for data breaches are tough,” he concludes.