More than three-fifths of small and medium enterprises (SMEs) and a third of larger organisations surveyed in South Africa believe the Protection of Personal Information Act (POPI) does not apply to their business, raising concerns that there is a gap in basic information security knowledge across the country, a leading information security company said today as it launched the first South Africa State of the Industry – Information Security report.
The survey, conducted by research body Ipsos on behalf of Shred-it, highlighted a lack of awareness among SMEs and C-Suite organisations about the legal requirements for storing and disposing of confidential data outlined in the POPI Act, which was partially enacted on 11 April 2014.
According to the findings, C-Suite Executives (70%) are more likely than SMEs (37%) to understand the implications the POPI Act has on their business. Although the POPI Act is yet to be fully implemented, once it comes into force businesses are given a grace period of just one year to comply. If the Act is not adopted after this time, organisations could face financial penalties of up to R10 million or a prison sentence of up to 10 years.
Nearly half (46%) of C-Suite Executives and one-third (32%) of SMEs say the POPI Act will put pressure on their organisation to change their policies related to information security. Despite this, one-third (32%) of SMEs say they currently have no protocol for storing and disposing of confidential data. By contrast, C-Suite Executives are more likely to have policies in place, with over half (57%) saying they have a protocol that is strictly adhered to by all employees. However, a further third (37%) with a policy in place admit that not all employees are aware of these protocols. This highlights a worrying gap in employees' knowledge, which could result in personal information being compromised because they are unaware of how to correctly protect, process and securely dispose of data.
Businesses can increase security by implementing a Clean Desk policy, which means all information must be secured, for example in a locked drawer, when an employee is away from their desk, and a Shred-it All policy, which means that all office paperwork is destroyed before being recycled so that employees do not need to make a decision as to what is or is not confidential. Some companies have already responded to these security risks, with 80% of C-Suite Executives and 64% of SMEs stating that they have a Clean Desk policy in the workplace.
Commenting on the findings, Tom Bell, Regional Manager, Shred-it South Africa, said, “Understanding the legislative environment is crucial for businesses in South Africa to ensure they are implementing best practices to safeguard the confidential information of their customers, employees and partners. However, our Security Tracker results show that organisations are not prioritising this, nor are they putting policies in place to help employees understand how to securely store and dispose of sensitive data. By neglecting to put policies in place, businesses are at serious risk of a data breach, which causes significant legal, financial and reputational harm.”
The Security Tracker results also indicate a need for Government to take action and help South African businesses to understand their information security priorities. Both C-Suite Executives (47%) and SMEs (55%) say the South African Government’s commitment to information security needs improvement.
Other Key Findings from the Security Tracker:
- Almost all C-Suite Executives (89%) and almost three-quarters of SMEs (73%) questioned say they have employees using flexible/off-site working models. Despite this, only 53% of C-Suite Executives have a policy in place for disposing of and storing confidential information both off-site and at home, while this is lower for SMEs (32%), highlighting a policy gap and potential data breach risk for businesses.
- Just half of C-Suite Executives (55%) and SMEs (51%) say the theft of client/customer information would threaten the stability of their organisation, which is concerning as this information is often confidential and the loss of this data could cause significant legal, financial and reputational damage. Likewise, only 37% of C-Suite Executives and 22% of SMEs note that the theft of HR/Employee information would be damaging, despite the fact that this often contains highly sensitive personal information about individuals, highlighting a lack of knowledge among South African businesses about what information could put them at risk.
These results clearly show that many businesses in South Africa are struggling with information security, putting confidential information at risk. Organisations, in particular SMEs, need to recognise that they may need to turn to experts for counsel, whether that’s Government bodies responsible for information security or an information destruction service provider.