South Africa lacks a cyber security culture, as the country is yet to implement some of the critical policies adopted by the African Union Convention on Cyber Security and Data Protection.
That was the word from professor Basie von Solms, director of the Centre for Cyber Security at the University of Johannesburg, speaking during ITWeb Security Summit 2015, in Midrand, yesterday.
Von Solms noted the African Union (AU) Convention on Cyber Security and Personal Data Protection was adopted by the member states in June 2014, but SA has not moved to implement the policies.
Among other things, the convention seeks to mobilise all public and private actors for the promotion of cyber security, said Von Solms, adding it also stipulates cyber security measures to be taken at national level.
Nothing doing
However, the South African government was not doing anything to prioritise cyber security at a national level, he pointed out.
To put cyber security on the agenda at a national level, Von Solms called on government to encourage a culture of cyber security, forge public-private partnerships and encourage education and training.
"The AU urges the development of a national cyber security policy in collaboration with stakeholders. Do we have such a national cyber policy in SA? No."
As part of the promotion of the culture of cyber security, Von Solms said the state must adopt a cyber security plan; encourage the development of a cyber security culture in enterprises; foster the involvement of the civil society; and launch a comprehensive and detailed national sensitisation programme for Internet users, small business, schools and children.
The government must promote education for ICT professionals, within and outside government bodies, he added. It must also adopt measures to develop capacity-building in areas of cyber security. "Are we building cyber capacity in SA on a national basis? No."
Acknowledged flaws
According to Von Solms, the South African government has admitted to its shortcomings regarding cyber security preparedness.
In a 2013 report, the then Department of Communications acknowledged South African policies on e-commerce, cyber crime and cyber security have been largely fragmented and uncoordinated. There is lack of overall cyber security strategy and policy, he added.
"The AU Convention shows SA is far behind as far as cyber security is concerned. Government and private sector must work together to cyber secure SA."
He noted government must make efforts to boost cyber security awareness among small and medium enterprises (SMEs).
"Small companies contribute on average 55% to SA's overall GDP and 61% to employment," he pointed out. "About 66% of such small companies have online Web sites, and 70% of these small companies acknowledge that business without a Web site would not be possible."
Nonetheless, he pointed out, small businesses are reported to be the largest growth area for cyber attacks, adding 31% of all attacks targeted small businesses, as they are less prepared to handle cyber risks.
"SMEs typically do not have the financial and human capacity to deal with cyber threats," he said.