On January 9, 2023, Business Daily reported that cybercriminals had breached Kenya Airways' (KQ) information systems and obtained sensitive data, including contact information and identification documents, belonging to passengers, third parties, airline staff and others.
Safaricom, Naivas supermarkets, the Kenya Airports Authority (KAA), the National Transport and Safety Authority (NTSA), the Kenya Revenue Authority (KRA) and the Kenya Bureau of Standards (KEBS) have all faced comparable consequences as a result of data breaches.
A data breach is defined as any security event that allows unauthorized parties to access private or sensitive data, such as personally identifiable information (name, address, social security number, phone number, email address, and so on) or corporate information (customer, intellectual property, financial information, employee, operational, and so on), or both.
According to IBM's 2022 research, the average cost of a data breach worldwide is over $13 million. Breach scenarios can affect organisations of all kinds and sizes, including public and private enterprises, devolved and national governments, non-profit organisations, and large and small firms.
Healthcare, insurance, finance, gaming and betting, education, hospitality, property management, retirement benefits, faith-based or religious, telecommunications, direct marketing, transportation services, and the public sector, on the other hand, are particularly vulnerable to the negative effects of a data breach.
This is because these entities handle sensitive and valuable data and are exposed to rigorous regulatory penalties, fines, settlements, reputational losses and legal expenses in the event of a breach. As a result, the Office of the Data Protection Commissioner (ODPC) has made their registration mandatory.
Data breaches can be caused by innocent errors, such as an employee emailing private information to the wrong person; by malicious insiders, such as disgruntled or dismissed staff members, or greedy workers susceptible to bribes from outsiders; or by hackers, who deliberately commit cybercrimes to steal data.
WHEN rather than IF
Following from the above, most organisations find that the question of when a data breach will occur matters more than whether it will occur. This is due to the complexity of today's interconnected environments: distributed work and home environments spread across teams and locations, remote and hybrid work, the "bring your own device" trend, employees' lack of security awareness, and increasingly organised cybercriminals using ever more sophisticated attack methods.
Furthermore, it is far too easy for a small business to dismiss data breaches. All too often, these are perceived to be challenges that only exist in much larger organisations that process specific types of special category data. The notion that "it won't affect us" is exceedingly dangerous.
Nowadays, it is a matter of WHEN rather than IF a data breach will occur.
Moreover, a data breach is not "just a risk-compliance issue"; it is a business-critical one. Because of the recent attention that breaches have received, top management is now better aware of the risks and difficulties associated with them.
Because of the foregoing, organisations must plan for and anticipate the likelihood of a data breach. Everyone in the organisation must comply with data protection regulations; an organisation's culture must now embrace data protection policies, and each party ought to play a role. When it comes to data protection compliance, people are at least as crucial as technologies, if not more so.
Finally, in order to build resilient firms that can recover swiftly from breaches, the emphasis must move from pure prevention to detection and response planning. In essence, data compliance teams should plan for failure: assume a breach will occur at some point in your company's history and take steps to limit its impact.
The writer is an advocate of the High Court of Kenya