Whilst many IT (Information Technology) security providers choose scare tactics to force companies to rip and replace their existing systems to safeguard company data, a number of small business insurers are offering cover to transfer the risk of any security breach. Both approaches are highly questionable.
There is definitely no insurer that can insure loss of reputation that may result from a security breach. The fact is, the potential loss is uninsurable.
There is also no need to start a radical, costly and disruptive security rip and replace strategy. However, business owners must immediately identify any threats and reduce their exposure to data breaches where a large amount of company information can be stolen.
The penalty for such a breach could be significant and could cripple any business. It is critical that IT Asset Managers can account for all IT assets within the organisation. They need to know how many devices (PCs, laptops, tablets, fax machines, mobile phones) the company owns, who has access to them and exactly where they are located.
More importantly, they need to know what software is installed and used on each device and whether they have data encryption installed.
With the rapid increase in the number of devices within organisations today, it is not uncommon to suffer a security breach on a device that is not even recorded on the asset register.
However, this will change dramatically with the introduction of new legislation. It will have major implications for not only the IT Asset Managers, but also the company directors. IT Asset Managers must understand the requirements of the PoPI Act and develop their own knowledge and skills as well as those of their organisations.
The PoPI Act will see the IT Asset Manager play a more active role in the overall security posture of the organisation, acting as a compliance officer rather than being simply a financially-oriented or operations-oriented professional.
Companies that trade with EU businesses will also have to consider the [European Union's General Data Protection Regulation](https://www.iAfrikan.com/tag/gdpr/) (GDPR), which imposes even more stringent controls around the protection of personal information.
The biggest challenge facing organisations in managing their assets is balancing security risk against value. There needs to be the right level of funding to protect IT assets using appropriate tools, techniques and technologies, while recognising that there is a limited budget to achieve the required level of protection.
More importantly, organisations must balance the security issues associated with 'BYOD' (Bring Your Own Device) assets, which the company does not own but is nonetheless liable for if these devices are permitted to access company information.
A large part of this legislation is about the processes and operational aspects of data protection. In order to comply, businesses will have to implement proper security processes and train the relevant staff. In many cases, technology will be used to automate many of these processes to secure data.
IT Asset Managers must play a key role in ensuring compliance. In short, it is important to know exactly what devices the company owns, which devices are accessing company information, where they are and what software they use. Without this basic information, it is impossible to protect company data.
Know who uses what devices and specifically where they are deployed. Also, know who has access to what data and through which software applications. This will enable the tracing of specific users in the event of a security breach.
Many security breaches are internal, caused either by negligence or by deliberate action. By implementing a software usage tracking and analysis tool, one can identify who is responsible for a data breach and, in some instances, enable preventative measures.
It is critical to encrypt devices, portable media and mobile phones. This will ensure that all information is protected if the device is lost or stolen. A managed encryption service is quick and easy to deploy and provides data security in the event of a security breach.
Most companies will be affected by the new legislation and will have to comply or take a chance that no breach will occur. However, the penalties following a breach are significant, so taking a chance is probably not the best decision.
For IT Asset Managers, if there is a lack of visibility of assets or of the software and data that reside on them, the responsible approach is to inform management immediately. If they fail to do so, they will be putting their company at risk, including the staff and customers, all those who have allowed their data to be used.
Management can only make decisions about the risks if they are aware of them. Data breaches, along with the related regulatory compliance issues, associated costs and loss of reputation, will have dire consequences for the businesses that suffer them.