As South Africa’s Minister of State Security, David Mahlobo, delivered his opening address at the State Security Cybersecurity Conference in Pretoria yesterday (2 November), new global research from Grant Thornton’s International Business Report (IBR) on cyber security reveals that cyber-attacks are taking a serious toll on business.
The new survey highlights that one out of every 10 (10%) South African private sector businesses has experienced a cyber-attack in the past year (the global figure is 15%).
But Michiel Jonker, director: advisory services at Grant Thornton Johannesburg, warns that the figures published for South African businesses are based on qualitative surveys, and not on verified quantitative data.
“At present, South African companies are not forced to report on cybercrime or any cyber-attacks experienced in their organisations because this is not a legal requirement – hence the need for qualitative surveys to assess the current situation in the country. Parliament may recently have passed the new Protection of Personal Information (POPI) Act, but the full requirements will only come into force once the POPI Regulator has been appointed and is fully functioning.”
Jonker expects that a fully-functioning POPI Regulator will be up and running in South Africa by the end of 2016 or early 2017. He adds that organisations will probably then be given a 12-month grace period to get their POPI compliance and reporting in order, which means that accurate data on the new requirements, any cyber-attacks experienced, or appropriate security measures implemented will only be available post 2018.
“It is realistic to assume that South African entities will start reporting to the new Regulator on security incidents by 2018, providing crucial data for the first time in the country’s history, about cybercrime, fraud, attacks and incidents. We foresee then, that 2019 will be the expected watershed year for SA entities, including the Public Sector, to start informing their cyber security strategies with accurate forecasting data, gathered over 2018,” he adds. “We believe that it will then take South Africa another three years to collect an adequate quantity of sound data for quantitative forecasting purposes; which brings us to at least 2021 – with the use of the first full three year set only in 2022.”
The POPI Act, which was gazetted in November 2013, and which is currently awaiting an effective enactment date pending the appointment of the Regulator and other final elements, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
The Grant Thornton International Business Report (IBR), a global survey of 2 500 business leaders in 35 economies, reveals that as high-profile security breaches and hacks become more prevalent, many businesses are putting themselves in the firing line with no comprehensive strategy to prevent or detect and contain digital crime.
The IBR results reveal that cyber-attacks are directly impacting the bottom line. But despite these clear risks, when executives were asked if their businesses have a detailed cyber-security strategy in place to address any potential cyber-attacks, nearly half of SA businesses surveyed said no (South Africa: 45%) while just over half (52%) of businesses globally did have a strategy in place.
Jonker expressed concern regarding the lack of preparedness of SA businesses and of the public sector when it comes to cyber-security.
“South African organisations are being hacked,” says Jonker. “The problem is that many just aren’t aware that they’re being attacked (due to the lack of detective controls), or, in the best case, they do know about the attack but are trying to deal with it silently without reporting it.”
South Africa’s local municipalities currently hold a massive amount of personal data – potentially more than many other government departments in the country. However, Jonker laments that just like many businesses, the municipalities are not at all ready to comply with the stringent POPI requirements.
He quotes a recent Risk Report 2015 by the Institute of Risk Management South Africa (IRMSA) which ranks the Top 10 South African risks by consequence.
“Cyber-risk is ranked as the ninth biggest risk by consequence for the nation,” Jonker says. “Corruption, Governance Failure, Unemployment and Infrastructure and Networks are the top four risks in South Africa, which further emphasises just how serious some other key issues are for the country.
“But globally, other countries around the world have already adequately addressed many of the four risk issues we’re still grappling with. This means that they’ve made cyber risk a much higher priority and will therefore get on top of the critical issues, long before we will even have had any time to lift our heads high enough to see the threats on the horizon,” says Jonker.
Paul Jacobs, global leader of cyber-security at Grant Thornton, says: “Cyber-attacks are an increasingly significant danger for business. Not just cost in a financial sense, but serious reputational damage can be inflicted if attacks undermine customer confidence: just ask Ashley Madison. Despite this, nearly half of firms still lack a strategy to deal with the cyber threat.”
Grant Thornton’s cyber-security research reveals that the sector most concerned by the threat of a cyber-attack is financial services (74% of businesses say it is a threat) – this is also the sector with the joint-highest recorded instances of cybercrime globally (26%). At the other end of the spectrum, only 10% of transport firms globally have reported a cyber-attack in the past 12 months and just 27% perceive it as a threat.
“Vigilance alone won’t keep businesses safe. Proactive measures are needed. This is an issue which needs to be on the agenda in boardrooms as well as IT departments, particularly with POPI legislation on the South African horizon. Management teams need to be driving cyber strategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat. Just as critically, clients and customers also need reassurance that effective, robust and resilient controls are in place,” Jonker adds.