Hard to believe that there are over 100 000 information security breaches at listed companies every day.
South Africa has the benefit of the King Commission into Corporate Governance (or as it is described – Responsible Corporate Citizenship). This commission has progressed all of the way to King IV, or the 4th commission into Corporate Governance.
King III introduced IT governance and risk awareness at board level, and introduced IT Governance as part of a director’s Duty of Care. King IV introduced the deliberate separation of technology and information to address the question of protection of personal information as opposed to access to personal information. King IV is also a deeper delve into the POPI Act (Protection of Personal Information) and some of its implications for the organisation. The POPI Act (which is very similar to the GDPR Act of the UK) includes personal information such as email address, financial information, and online messaging, amongst others.
In today’s business environment, a cyber-breach is a much bigger risk than disaster recovery, highlighting the need for advanced information security. The South African public have recently experienced such a breach at a South African life insurance and investment organisation:
- They were breached and did not know it until the ransom was demanded
- Then they kicked into gear, and investigated, etc. to eliminate the breach
- Feedback to the public was sketchy, with a reassurance that their personal data was safe as only the email and possibly attachments was breached
In light of the above example, let’s take a brief look at some of the main recommendations from the King IV commission which can be applied in any organisation:
The risks associated with the technology and the information need to be managed, which implies a continuous monitoring of all of the aspects of information, data quality and data security.
Information Security Management System (ISMS)
This is best undertaken through an ISMS framework, developed by the board and managed by the business management team. This would require IT Governance and Security to become a board meeting agenda item. The ISMS also needs to be a clear and concise plan, fully understood and actionable upon a breach being detected.
Disaster Recovery Officer
This ISMS should be the responsibility of the Disaster Recovery Officer who would monitor and report cyber breaches and private information leaks. Typically this would be the Chief Information Officer (CIO).
There are many more recommendations, but by implementing the above processes, will hopefully limit the risk.