Fast tracking the appointment of the POPI Information Regulator could help increase disclosure and dialogue around cyber security, says Jonas Thulin, security specialist at Fortinet.
Cybercrime is escalating globally, and South African organisations are targeted as much as any others around the world. However, because disclosure is not mandatory in South Africa, too many organisations have been lulled into a false sense of security. Aon estimates that over 70% of South African businesses are not prepared for cyber-attacks, and as attackers start to realise the extent of the vulnerabilities and financial opportunities here, we can expect to see an increase in attacks on local organisations.
You’d be forgiven for thinking South African organisations seldom get hacked, based on what you read in the media. In contrast, international breaches impacting big-name companies such as Sony, Home Depot, eBay and Adobe make news all the time. Most recently, we learnt that Anthem, a US-based health insurer with nearly 40 million customers, had been attacked, compromising the personal and health information of up to 80 million current and former customers and employees.
Despite the availability of a wide range of advanced solutions and strategies for improved information security, some of the biggest breaches making headlines have occurred as a result of simple social engineering to steal employee user names and passwords, lack of data encryption or infection by Android-based malware.
Our reliance on technology and an interconnected world has made the attack surface much wider than it has ever been before. With the proliferation of BYOD and the Internet of Things, the more connected we get, the more we put ourselves at risk of cyber-attacks. This became evident in 2014 during the DefCon security convention in Las Vegas, as researchers presented ways to gain access to technology such as cars, home alarm systems and medical devices.
The attack vectors in South Africa appear to be focused around social engineering attacks, identity theft and fraud. Businesses are not compelled to report breaches, and it is unlikely from a cultural standpoint that they will. Partly because of a lack of public disclosure and dialogue around the extent of cybercrime in South Africa, local businesses have taken a laissez-faire attitude towards security and are more concerned with implementing technology that delivers value and performance.
It is likely that the full implementation of the Protection of Personal Information (POPI) Act will help to change this attitude, forcing local organisations to implement more effective information security tools and strategies. However, many of the specifics around the implementation of POPI are still up in the air. While parts of the Act came into effect in April 2014, an Information Regulator has yet to be appointed to enforce it.
Timeframes for compliance are not yet known, and there is no indication of what measures the Regulator will introduce to enforce compliance. Ideally, we would see the appointment of the Regulator and the announcement of timelines soon, with measures such as mandatory disclosure of breaches raising awareness and dialogue around the extent of cybercrime in South Africa.
Once this happens, organisations will become more open about the level of security they have in place, allowing others in their sector to gauge the levels of security they should be implementing too. It should also raise consumer awareness of cybercrime risks, potentially driving companies to step up their information security to address customer concerns.
The sooner POPI is fully enacted and a Regulator put in place, the sooner we can expect the situation in South Africa to improve.