22 October 2014

New Trustwave Survey Reveals Many South African Companies Are Not Ready for POPI

Submitted by: Tamsin

Johannesburg, SOUTH AFRICA – 22 October 2014

Trustwave today released findings from a survey of 113 South African IT professionals, asking if they are ready for POPI – South Africa's Protection of Personal Information Act which seeks to regulate the processing of personal information and standardise compliance with privacy and data protection legislation. The survey was completed by C-level executives, mid-level managers and IT specialists from a variety of industries including finance, government, retail, manufacturing, mining, construction, education, communication, healthcare and tourism.

The first section of the survey focused on the processes that companies should have in place to classify sensitive data such as medical records, credit card data and personally identifiable information (PII) including names, surnames, ID numbers and medical histories. More than half of those surveyed (51 percent) said they do not have processes in place to classify data correctly.

When asked about measures in place to prevent the loss, damage and unauthorised access to PII, more than a third (38 percent) said they have technical or organisational measures in place, but not both or they don’t have any measures at all.

According to the POPI requirements, companies must notify the regulator as well as customers in the event of a data security breach. When asked about known data breaches within their organisation where PII was lost, damaged or unauthorised access occurred within the past 24 months, 67 percent of survey respondents were confident that they had not experienced a breach where PII was affected. However, according to the 2014 Trustwave Global Security Report that details the findings from 691 breach investigations across 24 countries conducted by Trustwave forensic investigators in 2013, the median number of days from the initial intrusion to detection was 87, possibly indicating that some South African companies may be unaware a breach has occurred.

Only 14 percent said they had suffered a data breach where PII was affected and 19 percent said they did not know. Finally, about a third (38 percent) of participants felt confident their companies would be compliant with POPI within the next 12 months.

Leon van Aswegen, Security Consultant at Trustwave said, “We conclude from this survey that many South African companies do not have security controls aligned with POPI. Not only should companies be making POPI compliance a front burner issue, but they should also be looking beyond compliance with any regulatory standard, including POPI. These standards serve as a baseline for security. The most effective security strategy entails multiple layers beginning with a risk assessment to vulnerability scanning and penetration testing to deploying technologies that cover their attack vectors to ensuring they have enough manpower and skillsets to make sure those technologies are installed, updated and continuously working properly. If they do not have enough manpower and skillsets in-house, they should consider partnering with a third party team of experts whose sole responsibility is to focus on security, enabling the in-house team to focus on other revenue-generating priorities.”

Action Plan The Trustwave POPI compliance assessment is tailored to meet the requirements for each business regardless of the organisation’s size and complexity. Trustwave helps organisations define a strategy and roadmap to comply with POPI Condition 7, “Security Safeguards.” Trustwave’s compliance experts also define the scope of the assessment by identifying the business areas involved in PII as well as the business’s needs and processes related to the collection, storage, use, share/transfer, and destruction/archival of PII data. Trustwave also helps businesses identify critical PII processed by the organisation, and assess any existing security controls/framework that are in use to protect PII. Trustwave offers Privacy Risk Assessments, Privacy Impact Assessments, Controls GAP Assessments as well as technical assessments including database security reviews, vulnerability assessments and penetration testing.

For more information about Trustwave’s Compliance and Risk services, please visit http://www.trustwave.com/Services/Compliance-and-Risk/

About Trustwave Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.7 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com.

###   Follow Trustwave on Twitter at www.twitter.com/Trustwave, on Facebook at www.facebook.com/Trustwave, and on LinkedIn at www.linkedin.com/companies/Trustwave. All trademarks used herein remain the property of their respective owners. Their use does not indicate or imply a relationship between Trustwave and the owners of such trademarks.