Research by information security specialists J2 Software shows that employees pose one of the biggest threats to the security of corporate data—a threat that is largely unrecognised by South African boards. The launch of the King IV Report on Corporate GovernanceTM by the Institute of Directors in Southern Africa on 1 November, and the imminent announcement of the effective date in terms of the Protection of Personal Information (PoPI) Act by the newly appointed Regulator, provide a wake-up call for South African organisations, says John Mc Loughlin, MD of J2 Software.
“Data is now recognised as the most valuable asset a company owns, and it is the target of criminal syndicates. PoPI and similar legislation elsewhere in the world has been devised to force companies to take responsibility for protecting the sensitive personal data they store on their systems. Codes like the King Code have long identified that a company’s data is the fuel on which it runs, and have made boards responsible for ensuring it is protected,” he explains. “But, all too often the threat is conceptualised as external, and the solution as purely technological. What they fail to recognise and be accountable for is that their employees represent an equally serious security risk.”
McLoughlin says that while there is no doubt that syndicates target employees to buy corporate information, an equal cause for concern is the fact that many corporate end-users create vulnerability inadvertently, simply by mishandling data or corporate IT assets. A survey conducted by J2 Software of 46 million Windows File, and Application activities and more than 197 000 external USB device insertions found that:
- One in 40 end-users mis-handle sensitive corporate information; 2.5 percent of the trusted user base represents a direct threat to corporate security.
- Less than 1 percent of businesses encrypt information copied to external USB drives, and even fewer know what has been copied.
- Less than 1 percent of businesses encrypt their users’ hard drives.
- 70 percent of businesses have no control and no visibility on administrative rights across their environments.
“Most, if not all, of these companies will have data-security policies in place but the truth is that they have absolutely no idea what is actually going on with their data,” McLoughlin says. “Very often it’s motivated employees who are the risk—using Dropbox because it’s the only way to get sensitive financial information to the sales director on a business trip in Turkey, for example. But one must also bear in mind that dishonest employees often have access to a lot of sensitive data that can easily be copied onto a hard drive and sold to the highest bidder.”
King IVTM requires companies to “exercise ongoing oversight of the management of information and, in particular, oversee that it results in the continual monitoring of security of information”.
“To discharge this responsibility and ensure that the company’s information is protected, systems are needed to monitor who is accessing data from inside the company as well as from outside—and what they are doing with it,” ends McLoughlin.
** King IVTM, King IV Report on Corporate Governance and King IV CodeTM are all trademarks of the Institute of Directors in Southern Africa.