It’s difficult to believe that the zettabyte (or 1 000 bytes to the seventh power) didn’t exist before 2012. By the end of 2022, it was predicted that there would be 97 zettabytes of data in the world, with a single person generating 1.7MB of data every second. Not only that, but the data itself lives everywhere – from mainframes to corporate devices to hybrid multi-cloud environments.

Additionally, more and more companies are backing up their files, creating business continuity plans, organising incident response teams, and investing a significant amount of money in data protection and data loss prevention. But why do they do that?

Skyrocketing threats

As the number and severity of cybersecurity incidents rise each year, organisations are coming under increasing pressure to find measures to protect their customers’ data. Sixty to 70% of all data loss incidents warrant either public disclosure or have a negative financial impact. The cost of a data breach averages US$4.25-million per incident and businesses fall victim to cyberattacks on average every 11 seconds, but it can take around nine months to identify and contain a data breach.

If it were measured as a country, then cybercrime – which is predicted to inflict damages totalling $10.5-trillion by 2025 – would be the third largest economy after the US and China, and would be more profitable than the global trade of all major illegal drugs combined.

While external adversaries are continuing to evolve their tactics, it is worth noting that internal data breaches by negligent or disgruntled employees are also increasing – and account for nearly half of all data breaches.

The South African approach

To unpack how South African businesses are approaching data loss prevention, TechCentral hosted a roundtable conversation sponsored by Next DLP with some of the country’s leading executives across a range of industries at the Saxon Hotel & Spa in Sandton.

Attendees delved into the tools, procedures and best practices that are available to protect their data, as well as the role of leadership and employee education in developing an ethical, data-driven, security-conscious culture.

They all agreed that data loss prevention (DLP) is the responsibility of everyone in a business and that today’s companies require a holistic approach that fully confronts cybersecurity as a human behaviour and motivation problem, as opposed to a technical problem.

Employees remain the biggest threat

Most delegates agreed that while cybersecurity threats are always evolving and third-party contractors and vendors are a key risk to any entity, one consistent vulnerability remains the same: employees. People internal to an organisation are a frequent cause of data breaches, predominantly through negligence, but also with ill intentions in some cases.

To address this ever-increasing challenge, the attendees identified simple but critical interventions:

Amp up training and keep up to date. Many attendees shared that they have training programmes in place but agreed that the depth and breadth of the content, as well as the mode and frequency of delivery of the content, is not sufficient to drive meaningful changes in behaviour. Employees need training delivered in innovative, proactive ways, in real time at the point of an incident occurring. Businesses should also keep abreast of industry trends by sharing information and consulting with industry peers.
Make cybersecurity and data protection a priority. Delegates agreed that it is essential to focus security spending where it is needed the most, securing networks, systems, applications, devices, physical premises, developing security and sharing protocols, and implementing incident response processes. That said, there was consensus that while data loss prevention strategy and decisions are often handled by members of IT, data management and compliance teams: data loss prevention is everyone’s responsibility, and leadership support has become critical to operationalising an effective DLP programme.

The role of leadership security culture

As an often overlooked component of “people, processes and technology”, internal culture and security awareness are sometimes the only things that come between an organisation and a successful cyberattack.

All attendees agreed that modifying the existing corporate culture to drive a heightened level of security awareness requires buy-in and support from all leaders within the company. They should be responsible for supporting the initiative, leading by example, understanding information security, and being involved in creating items such as the incident response plan, business continuity plan and other key procedures.

Culture is not about words. It is about deeds. Employees notice what leadership teams do, not what they say.

Respect customer data, privacy

Back n 2010, Steve Jobs said: “Privacy means people know what they’re signing up for, in plain language, and repeatedly. I believe people are smart. Some people want to share more than other people do. Ask them.”

Over a decade later, those words are slowly but surely becoming a requirement for organisations that fall subject to privacy regulations, such as Popia and GDPR, especially those whose business models have their foundations in the processing of significant volumes of sensitive customer data.

Attendees agreed that, in addition to compliance with the law, smart businesses know that having a robust DLP programme in place is just good business. With the explosion of digital technologies consumers are deeply anxious about how their personal information may be used and protected and participants shared the view that their organisations are increasingly at risk of their customers switching companies or providers if their data practices are not robust.

In their view, an organisation’s data loss prevention programme can be a competitive differentiator. In fact, one large financial services firm shared that it is “very actively” looking to shape its data management policies and practices.

The role of AI, ML

Attendees were asked to unpack the role of artificial intelligence and machine learning in the context of security, specifically whether or not they have designed and future-proofed a programme with these technologies in mind.

It was agreed, despite the fact that AI and ML are already powering tools that give business decision-making processes a massive upgrade, myths around AI continue to abound, particularly concerns about job security.

That said, participants were of the view that the immediate and long-term benefits of integrating AI into a business’s cybersecurity ecosystem (such as improving protection and remediation due to AI’s ability to detect nuanced attacks and enhance incident response) should be explored further. This is particularly true when it comes to tools that enable an organisation to get visibility, analysis and understanding of data flows and activity across all users and endpoints have the ability to transform the landscape.

A holistic approach to DLP

Despite the numerous and sometimes divergent challenges faced by information security, data privacy and compliance professionals, the common sentiment shared by all attendees was that a holistic approach to data loss prevention is key.

This approach needs to combine the use of information security tools and technologies; employee behavioural modification training that reinforces good behaviour; and effective policies, procedures and standards. Furthermore, this approach is critical to effectively countering cyber threats, while simultaneously delivering additional value beyond data protection to the organisation.

TechCentral, in partnership with Next DLP, would like to thank all of those who participated in the roundtable discussion.

About Next
Next DLP (“Next”) is a leading provider of data protection solutions for organisations with valuable data that must uncover risk, educate employees, and fulfil security, compliance and regulatory needs. Next’s mission is to reinvent data protection for today’s distributed organisation. It is disrupting the legacy data loss prevention market with a user-centric, flexible, cloud-native, AI/ML-powered solution built for today’s threat landscape. The company’s leadership brings decades of cyber and technology experience from Fortra (previously HelpSystems), DigitalGuardian, Forcepoint, Mimecast, IBM, Cisco and Veracode. Next is trusted by organisations big and small, from the Fortune 100 to fast-growing healthcare and technology companies. For more, visit www.nextdlp.com or connect on LinkedIn and YouTube.