Daniella Kafouris


Organisations need to understand what legislation is relevant to them and the industry within which they operate, and then get expert advice to ensure compliance.

This was the common message at the ITWeb Governance, Risk and Compliance Conference, which was held recently at The Forum, in Bryanston.

Absolute governance, risk and control (GRC) is not possible, according to John Giles from Michalsons Attorneys, who highlighted that organisations should first assess what the risks are and then get advice to mitigate those risks. He added that organisations must look at the King codes for good business governance, and get a legal framework to further assist in ensuring compliance.

An information overload exists today that never did before, according to Deloitte and Touche’s . This leads to two definitions of the term “information”. The first includes the legal and regulatory compliance issues, and the other relates to information , Kafouris said. The reason this happens is because information can be used to identify individuals or entities, she explained.

The Protection of Personal Information Bill (POPI) forces a single view of what information is, Kafouris said. She also highlighted that, within the legislation, it’s important to check what the requirements are for the industry the organisation operates in.

Organisations need to understand their industry in order to comply with legislation, before simply transacting, she said. She echoed Giles’ sentiments that organisations would not be able to comply fully with legislation, but that risks can be mitigated.

Organisations need to have a tactical approach to legislation, according to from PricewaterhouseCoopers. RSA’s Chris Bridgland agreed, adding that there needs to be business context in everything that the organisation does.

Bridgland also noted that the problem organisations face is how to choose a GRC tool, and that this can be addressed by talking to people in a language that they understand, and empowering them by asking the right questions to get a solution that works for the organisation and the environment it operates in.

Chetty added there is a relationship between integrity and , especially where information may be used for evidence admissibility. Speakers emphasised that although it is important to have controls in place to mitigate risks, users within organisations also need to be aware of what their rights are if they are being monitored. They noted that users must know what information is being monitored and must also give consent to their information being monitored.

Chetty emphasised that it is critical for organisations to take a bold step away from generalised and vague approaches to compliance.

UNSTRUCTURED DATA

Also speaking at the event was , Mimecast business development director. He said unstructured data is primarily the source of intellectual property (IP) within organisations today, yet the explosion of this information has negatively impacted governance.

“The problem of unstructured data is relatively new. In the past, the knowledge creators were the minority. The pie has shifted fundamentally today, and the majority of workers are involved in knowledge work.

“How quickly we can innovate and come up with new ideas collaboratively determines competitiveness today, and whether a business will last beyond its competitors,” explained Hodgkinson. “In 2006, when word processors and unstructured information utilities were still in their infancy, unstructured data was still in the minority. However, with a 67% compound annual growth rate of data per year, this resulted in a shift. In 2013, it’s expected 67% of information will be unstructured and 30% will be structured.”

Mark Eardley

He said competitive advantage for business lies with unstructured data; however, it’s also highly prone to theft. “Unstructured data is complex and expensive to manage. The board is bound to protect the assets in a company, including unstructured data. Legislation makes it necessary for unstructured data to be managed.”

As more devices become prevalent within an organisation, companies must think about the physical of data sitting in those devices, and make sure it cannot get into the wrong hands. “Organisations need to adopt effective user management, rights and roles management, and technology protection. Cultural is important to generate awareness of potential theft, provide continuous training and educate the mobile workforce.

“Collaboration of IP using unstructured data is not being done inside the office; it is being done outside of the perimeters of the organisation. It needs to be secured in an appropriate way.”

Hodgkinson said e-mail, which experiences 30% annual year-on-year volume growth, contains huge amounts of unstructured data and intellectual property, but in order to manage it effectively, the most relevant application is cloud computing. “We’ve seen customers’ [ability to] abdicate the archive and search requirement to a hosted service provider has resonated. It makes sense to do e-mail in the cloud considering scalability requirements.”
EXPLOITATION TROUBLES

Mark Eardley, of Eardley and Associates, spoke at the conference about the exploitation of cards, PINs and passwords (CPPs), and how they are the flaw of IT governance. This, he says, is why IT governance has largely failed globally. “The fact of the matter is that if a company is using CPP to protect important corporate information, it doesn’t have any control over that information. CPPs can be shared, lost, stolen and forgotten. CPPs also fail in that they cannot authentically identify a user.”

He claimed the answer to protecting corporate secrets and driving IT governance lies with the deployment of biometric and fingerprint technology. According to Eardley, SA is one of the world leaders in terms of biometric technology adoption.

Eardley said it does not matter how complex a password or PIN is, CPPs can still be easily exploited; but biometric technology can authenticate, authorise and audit IT activity.

He cautioned that governance and government forcing protection of custodial data shouldn’t be the only concern; it should be about protecting corporate secrets.

“Cyber crime is evolving and the market for stolen credit card details is saturated. Corporate secrets have become more attractive to cyber criminals; hence the rise of sophisticated targeted attacks.

“Over £27 billion was lost by the UK to cyber crime in 2010. Almost 60% resulted from cyber theft of corporate secrets; this amounts to £16.8 billion.

“Last year, software and IT services alone lost £2.5 billion due to the theft of corporate secrets. These figures illustrate that there is a general lack of IT governance within corporate IT,” he added.

According to Eardley, Verizon and the US Secret Service worked together for the past two years to create the Data Breach Investigations Report – the world’s biggest study of cyber crime that considered 1 700 cases. It found that cyber criminals have shifted their focus from stealing customer records to the theft of corporate secrets.

“In 2005, Symantec recorded 100 advanced persistent threat attacks on business; it’s gone up to 77 a day by the end of last year.”

Eardley explained that the consequence of compromised corporate secrets is not just about the high cost of legal action, but also the financial loss of reputation, loss of competitive advantage and how that data can be abused by villains.

“The 2010 RSA data breach cost the company $43 million just to remediate the loss; this doesn’t include legal action costs or loss of reputation. The data breach, in May last year, cost $171 million to remediate,” Eardley concluded.