SA businesses under cyber barrage
South Africa has adequate measures in place to deal with the scourge of cyber crime.
That was the word from state security minister, David Mahlobo, opening the State Security Cybersecurity Conference in Pretoria yesterday.
The conference was attended by government departments, state-owned enterprises, private sector companies and academia. It aimed to map out the progress that has been made with regard to policy development and implementation, as well as to define areas of collaboration and partnerships with the private sector.
The State Security Agency is tasked, in terms of the Cabinet-approved Cyber security Policy Framework, with co-ordinating government's response to matters of cyber security.
According to Mahlobo, awareness is needed if SA is to make some gains in the fight against cyber crime.
The conference coincided with new global research from Grant Thornton's International Business Report (IBR) on cyber security which reveals cyber attacks are taking a serious toll on business.
The report was compiled after a global survey of 2 500 business leaders in 35 economies. According to the new study, one out of every 10 (10%) South African private sector businesses has experienced a cyber attack in the past year. The global figure stands at 15%.
However, Michiel Jonker, director of advisory services at Grant Thornton, Johannesburg, warns the figures published for South African businesses are based on qualitative surveys, and not on verified quantitative data.
"At present, South African companies are not forced to report cyber crime or any cyber attacks experienced in their organisations because this is not a legal requirement - hence the need for qualitative surveys to assess the current situation in the country," says Jonker.
"Parliament may recently have passed the new Protection of Personal Information (POPI) Act, but the full requirements will only come into force once the POPI regulator has been appointed and is fully functioning."
The POPI Act, which was gazetted in November 2013, and which is awaiting an effective enactment date pending the appointment of the regulator and other final elements, requires widespread reforms that both the private and public sector must introduce to ensure the personal information and data they collect are protected.
The new Act provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
The Department of Justice and Constitutional Development has since invited comments on the Cyber Crimes and Cyber Security Bill. Any person wishing to comment on the Bill is invited to submit written comments to the department on or before 30 November. The Bill aims to give SA a co-ordinated approach to cyber security.
The IBR results reveal cyber attacks are directly impacting the bottom line. But despite these clear risks, when executives were asked if their businesses have a detailed cyber security strategy in place to address any potential cyber attacks, nearly half (45%) of South African businesses surveyed said 'no', while just over half (52%) of businesses globally did have a strategy in place.
Jonker expresses concern regarding the lack of preparedness of South African businesses and of the public sector when it comes to cyber security.
"South African organisations are being hacked," says Jonker. "The problem is that many just aren't aware they're being attacked due to the lack of detective controls, or at best case, they do know about the attack but are trying to deal with it silently without reporting it."
SA's local municipalities hold a massive amount of personal data - potentially more than many other government departments in the country. However, Jonker laments that just like many businesses, the municipalities are not at all ready to comply with the stringent POPI requirements.
He quotes the Risk Report 2015 by the Institute of Risk Management South Africa which ranks the top 10 South African risks by consequence.
"Cyber risk is ranked as the ninth biggest risk by consequence for the nation. Corruption, governance failure, unemployment and infrastructure and networks are the top four risks in SA, which further emphasises just how serious some other key issues are for the country.
"But globally, other countries around the world have already adequately addressed many of the four risk issues we're still grappling with. This means they've made cyber risk a much higher priority and will therefore get on top of the critical issues, long before we will even have had any time to lift our heads high enough to see the threats on the horizon," says Jonker.
He believes vigilance alone won't keep businesses safe. "Proactive measures are needed. This is an issue which needs to be on the agenda in boardrooms as well as IT departments, particularly with POPI legislation on the SA horizon.
"Management teams need to be driving cyber strategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat. Just as critically, clients and customers also need reassurance that effective, robust and resilient controls are in place," Jonker concludes.