Recent incidents have highlighted the need for all companies and organisations to review the safety and security of their data and their IT systems, as standard approaches no longer protect against myriad vulnerabilities, an expert says.
"Even the highest judicial office in the land, that of Chief Justice, Mogoeng Mogoeng, is not immune. Regardless of the source of the attack, about which there is much speculation, the fact remains that the office, which has security and cameras on the premises, suffered a major setback recently when several computers - containing highly sensitive information - were stolen," notes Wonga Ntshinga, Senior Head of Programme: Faculty of ICT at The Independent Institute of Education, SA's largest private higher education provider.
Ntshinga says many companies and organisations may be under the impression that their data and systems are adequately secured, when in fact that is not the case at all. It is therefore important for business leaders to take some time to ensure that arguably their most important non-human assets and resources are effectively protected against a range of potential attacks – both internal and external.
"The challenge is that it is very difficult to quantify the value of assets when we consider reputational loss and other intangibles, much less predict the rate of occurrence without large volumes of historical data. Besides the obvious steps, such as getting a comprehensive inventory of all network devices and software, leaders should also ensure that critical security controls are in place to protect sensitive data, and make provision for scenarios in which the security control itself is compromised," says Ntshinga.
He says it is crucial that sensitive information is protected at three stages: 1) at rest (data needs to be protected whilst being stored on the storage device), 2) in transit (data needs to be protected as it is being transported) and 3) in process (when the data is being processed).
Ntshinga says that in order to ensure a comprehensive protection strategy, companies must consider incorporating the following approaches to safeguard intellectual property:
This service is intended to perform live monitoring of the environment for emerging vulnerabilities and also to execute regular in-depth assessments to identify new weaknesses, for instance insufficient or weak security controls.
"Risk management can be an overwhelming task if tackled using only one methodology and ideally requires a strategy which addresses the entire scope of risks within an organisation," says Ntshinga.
"Additionally, critical security controls can be costly and therefore they require funding through annual security operating budgets. Ultimately, the security professionals need to understand what each service provider does in order to mitigate the risks, and data security should not be approached in checklist fashion."
Ntshinga says while it is unfortunate that not every risk can be pre-empted and disarmed, attempts to holistically tighten controls can unravel some of the risks that organisations face.
"Most importantly, senior leaders of organisations – whether public or private – must take ownership of security, even (or perhaps especially) where there is a perception that adequate protections are in place.
"They must ensure that they thoroughly identify and analyse potential risk, and then put in place adequate mitigation. Additionally, it is important to be well versed on the current legal environment in order to minimise an organisation's liability and reduce risks from electronic and physical threats, including losses from legal actions."