Data protection isn’t just an IT issue


The average total cost to an organisation of a data breach is $3,86 million, according to a report released last month by multinational technology company IBM. Its “Cost of a Data Breach Report 2020”, surveyed from August 2019 to April 2020, covered 17 countries including South Africa, with 524 organisations that had experienced data breaches recruited into the study, and interviews with more than 3 200 individuals.


In South Africa, the average total cost of a breach for this year came in at $2,14 million, compared to $3,06 million last year, with an average of 228 days (compared to 280 days globally) to identify and contain a breach. “Although data-breach costs may have decreased this year, South Africa is still heavily prone to the issue,” says Lesiba Sebola, Information Technology Director for Bidvest International Logistics (BIL), one of South Africa’s largest logistics businesses that provides an end-to-end supply-chain solution across a number of industries.



Nowhere have data breaches been more pronounced than in the global supply-chain sector, with nearly 300 cybersecurity incidents reported last year. Ransomware attacks, which encrypt data and block access to systems until a ransom is paid, have become the most common and costly form of cyberattacks in the industry. At the end of 2019 a large US-based firm was hit by a malware attack, in which cybercriminals instal malicious software on the victim’s device/s without their knowledge to gain access to personal information, which cost the firm $7 million in less-than-truckload (LTL) revenue. And in February this year North America’s second-largest freight broker (by revenue) was hit by a cyberattack that saw an opening-up of carrier’s accounts, tax ID numbers and bank-account numbers.


While the problem has seriously impacted on supply-chain entities, the industry is by no means the only one affected. “There’ve been a number of reported security incidents, although not specific to the supply-chain sector, that have reverberated throughout the country,” says Sebola. These include the hacking of insurance giant Liberty Life’s email repository, the installation of spyware on transport operator Gautrain that cost the entity $661,351.00, a hack into the Civil Aviation Authority’s systems, a ransomware attack on Tracker, a stolen-vehicle-recovery company, and last week’s Experian incident which saw as many as 24 million South Africans’ personal information put at risk.


“In most of these incidents, the underlying cause was social engineering, which, in the context of data security, is manipulating people into divulging confidential or personal information that may be used for fraudulent purposes,” Sebola explains.


The IBM report revealed a growing divide between organisations that have advanced security processes and those with less advanced protocols in these areas. And while many people believe that data protection is an information technology (IT) issue, BIL doesn’t hold this view. “IT is just a component in the protection strategy,” Sebola notes. “There’s no specific point or phase in a typical supply-chain workflow when data is at its most vulnerable – it needs to be protected throughout. The financial phase may be the most targeted, especially when it comes to payment schedules, but the same can be said for information regarding expensive cargo being shipped, so throughout the process data needs to be closely guarded.


BIL office, South Africa (BIL Photo/Patrick Toselli)


“Every employee is a developer of data: they’re the first custodian of data that they’ve developed, so the responsibility lies with them on how to share and store whatever it is they’ve generated or received. Our industry is undergoing rapid digitisation, which means that data is increasingly being shared and stored by third parties like suppliers, vendors and other business partners, so the need to protect it couldn’t be greater.”


BIL developed a cybersecurity policy that includes controls such as employee conduct while utilising the company’s network, installing and running security programs, and ongoing security maintenance. The policy also maps out the roles and responsibilities for all employees pertaining to the issue, regardless of their role or level of seniority.


The IT department should then provide the necessary technology to ensure that this is upheld, says Sebola. And ideally, a data information officer, as prescribed by the Protection of Personal Information (POPI) Act, is ultimately the custodian of data protection within an organisation. He/she would develop a data governance framework that entails how the data is handled within the organisation.


As the exchange of data rapidly gathers pace around the world, several industries reliant on the global supply-chain market are at increasing risk of coming under cyberattack. Healthcare, energy, financial services and pharmaceuticals experienced an average total cost of a data breach significantly higher than less regulated industries such as hospitality, media and research, according to the IBM report. Global data-breach costs in the healthcare sector increased by 10,5%, with energy increasing by 14,1% to $6,39 million, and retail by 9.2% to $2,01 million.


BIL warehouse, South Africa (BIL Photo/Patrick Toselli)


The study also found that many organisations believed remote work during Covid-19 would likely increase data-breach costs, as well as the time required to identity and contain a breach. The study found that having a remote workforce would increase the average total cost of a data breach of $3,86 million by nearly $137,000 for an adjusted total cost of $4 million.


But, says Sebola, “There’s light at the end of the tunnel in all of this. Companies need to get the basics right as far as developing and implementing a cybersecurity policy, and then to adhere to it.” Fundamentals should include providing a new and continuous awareness programme for employees, conducting top-to-bottom security audits, keeping software and systems current and updated, performing regular data backups, and implementing a layered security environment.