Johannesburg, 31 May 2016 -
More than three-fifths of small and medium enterprises (SMEs) surveyed and a third of larger organisations in South Africa surveyed believe the Protection of Personal Information Act (POPI) does not apply to their business raising concerns that there is a gap in basic information security knowledge across the country, a leading information security company said today as it launched the first South Africa State of the Industry - Information Security
The survey, conducted by research body Ipsos on behalf of Shred-it, highlighted a lack of awareness among SMEs and C-Suite organisations about the legal requirements around storing and disposing of confidential data outlined in the POPI Act partially enacted on 11 April 2014.
According to the findings, C-Suite Executives (70%) are more likely than SMEs (37%) to understand the implications the POPI Act has on their business. Although the POPI Act is yet to be fully implemented, once it comes into force businesses are given a grace period of just one year to comply. If the Act is not adopted after this time, organisations could face financial penalties of up to R10 million or a prison sentence of up to 10 years could be imposed.
Nearly half (46%) of C-Suite Executives and one-third (32%) of SMEs say the POPI Act will put pressure on their organisation to change their policies related to information security. Despite this, one-third (32%) of SMEs say they currently have no protocol for storing and disposing of confidential data. By contrast, C-Suites Executives are more likely to have policies in place with over half (57%) saying they have a protocol that is strictly adhered to by all employees. However, a further third (37%) with a policy in place admit that not all employees are aware of these protocols. This highlights a worrying gap in knowledge for employees resulting in personal information potentially being compromised as they are unaware of how to correctly protect, process and securely dispose of data.
Businesses can increase security by implementing a Clean Desk policy, which means all information must be secured, for example in a locked drawer, when an employee is away from their desk, and a Shred-it All
policy, which means that all office paperwork is destroyed before being recycled so that employees do not need to make a decision as to what is or is not confidential. Some companies have already responded to these security risks, with 80% of C-suites and 64% of SMEs stating that they have a Clean Desk policy in the workplace.
Commenting on the findings, Tom Bell, Regional Manager, Shred-it South Africa, said, “Understanding the legislative environment is crucial for businesses in South Africa to ensure they are implementing best practices to safeguard the confidential information of their customers, employees and partners. However, our Security Tracker results show that organisations are not prioritising this, nor are they putting policies in place to help employees understand how to securely store and dispose of sensitive data. By neglecting to put policies in place, businesses are at serious risk of a data breach, which causes significant legal, financial and reputational harm.”
The Security Tracker results also indicate a need for Government to take action and help South African businesses to understand their information security priorities. Both C-Suite (47%) and SMEs (55%) say the South African Government’s commitment to information security needs improvement.
Other Key Findings from the Security Tracker:
- Almost all C-Suites Executives (89%) and almost three-quarters of SMEs (73%) questioned say they have employees using flexible/off-site working models. Despite this, only 53% of C-Suite Executives have a policy in place for disposing of and storing confidential information both off-site and at home, while this is lower for SMEs (32%), therefore highlighting a policy gap and potential data breach risk for businesses.
- Just half of C-Suite Executives (55%) and SMEs (51%) say client/customer information would threaten the stability of their organisation in the event it was stolen, which is concerning as this information is often confidential and the loss of this data could cause significant legal, financial and reputational damage. Likewise, only 37% of C-Suite Executives and 22% of SMEs note that the theft of HR/Employee information would be damaging, despite the fact that this often contains highly sensitive personal information about individuals, highlighting a lack of knowledge from South African businesses around what information could put them at risk.
These results clearly show that many businesses in South Africa are struggling with information security putting confidential information at risk. Organisations, in particular SMEs, need to recognise that they may need to turn to experts for counsel, whether that’s Government bodies responsible for information security or an information destruction service provider.
- ENDS -
Notes to editors
Ipsos is one of the largest and best known research companies in the world. With a direct presence in 60 countries its clients benefit from specialist knowledge drawn from five global practices: public affairs research, advertising testing and tracking, media evaluation, marketing research and consultancy, customer satisfaction and loyalty.
Ipsos conducted a quantitative online survey of two distinct sample groups: small business owners in South Africa (n=401), and C-Suite Executives working for businesses in South Africa with a minimum of 100 employees (n=100). The precision of Ipsos online surveys are calculated via a credibility interval. In this case, the South Africa SBO sample is considered accurate to within +/- 6.6 percentage points had small business owners been surveyed, and the South Africa C-Suite sample is accurate to within +/- 11.2 percentage points had all C-Suites in been surveyed. The fieldwork was conducted between March 17 and March 23, 2016.
Every year, Shred-it develops the State of the Industry Report to highlight common Information Security trends and emerging challenges based on the Security Tracker’s key findings. In its first year, this report provides comprehensive insights and tips on how businesses can protect and mitigate risks when it comes to information security. Download the current report
to learn more about information security trends, as well as ways in which businesses, large and small, can protect their data.
For media enquiries:
Weber Shandwick SA
011 235 4639
Shred-it is a world-leading information security company providing information destruction services that ensure the security and integrity of our clients' private information. A wholly-owned subsidiary of the US based professional services company Stericycle, Shred-it operates in 170 markets throughout 18 countries worldwide, servicing more than 400,000 global, national and local businesses. For more information, please visit www.shredit.co.za