Moreover, many organisations have suffered a security incident but are unaware of it. Last year, the Ponemon Institute found that the average time to identify a breach was approximately 191 days, with another 66 days on average needed to contain it.
The fact is, businesses of every type need to have an incident response plan in place. In the context of data privacy, an incident would be something that happens that sees personal information being accessed by an unauthorised individual or individuals.
This is where the Protection of Personal Information Act (POPIA) comes in. First and foremost, POPIA introduces for the first time, a compulsory reporting requirement for data breaches, says Russell Opland, global privacy business expert, who will be speaking about ‘Incident response in the context of POPIA', at the ITWeb Security Summit, to be held from 21 to 25 May at Vodacom World in Midrand.Before the advent of POPIA, companies were not required to report such breaches, outside of certain narrow financial services regulations, he says.
"As we've seen overseas, with Uber and Yahoo examples, failure to report breaches in a timely fashion leads to a PR and regulatory disaster."
According to Opland, the first challenge with incident reporting under POPIA is determining whether or not to report as the current POPIA criteria are very vague. During his presentation, international criteria will be discussed to shed light on how our Information Regulator might proceed.
Secondly, he says if reporting is required, it is a non-trivial exercise, both in terms of timeframes, as well as establishing that it was effective and to the Regulator's satisfaction.
He will also present a real-world example of effective incident response that resulted in the Regulator closing the matter without further action.
To find out more about the ITWeb Security Summit 2018, go to: http://v2.itweb.co.za/event/itweb/security-summit-2018/?page=agendaday1