A lack of requisite skills and an immature judicial system could thwart efforts to enforce South Arica's Cyber Crimes Act.
This is according to Anna Collard, SVP of content strategy & evangelist at KnowBe4 Africa.
She says the Act is powerful in that it consolidates existing cyber crime laws into one piece and brings the country’s cyber security legislation in line with global best practices. But, as South Africa’s economy and dependency on digitalisation grows, so too will the interest from cyber criminals, and the country’s ability to enforce cyber crime legislation will be challenged.
South Africa – like the rest of the continent – sufferes from a lack of IT and cyber security skills, apathy regarding cyber security within governments, and a relatively low level of general cyber awareness, she says.
“We predict cyber extortion groups and cybercrime syndicates will shift their attention away from the more mature nations like the US towards emerging economies like Africa – where industries have a large cyber dependency, but lack the resources to adequately prevent, retaliate or prosecute cyber criminals. Legislation is a necessary step towards cyber security maturity, but plays only one part.”
Collard says no sector is immune to the impact of the global cyber skills shortage.
“Some of our private sectors, such as the banks have very mature cyber security capabilities, good processes, technologies and people. But even amongst those mature environments, employers struggle to find or retain cyber security talent. Public sector and some critical infrastructure organisations are much less well prepared.
"Similarly, in law enforcement, we will need more capacity building to adequately deal with cyber security incidents, victims and processes such as forensics and securing evidence chains.”
KnowBe4 Africa believes more public private partnerships and collaboration is needed to assist African organisations with the cyber security skill shortage, increase cyber security awareness and security culture, invest in relevant technology and processes as well as build up capacities to provide national incident response support.
South Africa was ranked 59th on the 2020 ITU Cybersecurity Index, which measures countries against five cyber security pillars: legal, technical, organisational, capacity development and cooperation measures.
Within Sub-Saharan Africa, South Africa is placed 8th, behind Mauritius, Tanzania, Ghana, Nigeria, Kenya, Benin and Rwanda.
KnowBe4 Africa said currently, only 14 out of 55 African countries have enacted specific laws against cyber crime. Another 11 countries have partial laws, and 30 have no meaningful cyber crime laws.
The KnowBe4 Security Culture Report 2023 showed wide varieties by sectors and by countries. For example, the South African banking sector outperformed all other industry sectors on the continent.
“This is no surprise as in South Africa banks have a long history of mature security culture, large SOCand CSERT operations and are one of the major employers for security professionals,” says Collard.
“The worst performing result came from another South African sector: the hospitality industry. Tourism is an important sector of the South African economy, but has been plagued by the COVID restrictions and lockdowns as well as the country’s electricity crisis. Many businesses suffered near or full bankruptcy which may explain a lesser focus on perceived non-business critical tasks such as cyber security culture.”
Background to the Cybercrimes Bill
- In 2021, president Cyril Ramaphosa signed the Cyber Crimes Bill into law and certain elements of that law came into effect as of 01 December of the same year.
- The Cyber Crimes Act outlines cyber fraud, theft of incorporeal property, harmful messages, unlawful images and incitement of damage as part of its mandate.
- The sections of the Act that commenced on 1 December 2021 include:
Chapter 1: definitions and interpretations;
Chapter 2: cyber crimes – only specific parts will commence (cyber crimes, malicious communications, assisting or instructing someone to commit a crime, competent verdicts, and sentencing);
Chapter 3: jurisdiction;
Chapter 4: powers to investigate, search, access or seize;
Chapter 7: evidence;
Chapter 8: reporting obligations and capacity building – all sections commence except section 54;
and Chapter 9: general provisions.
* KnowBe4 Africa is a sponsor of the ITWeb Security Summit 2023.