As State Security Minister David Mahlobo delivered his opening address at the State Security Cybersecurity Conference, in Pretoria, on Monday, new global research from Grant Thornton’s International Business Report (IBR) on cybersecurity has revealed that cyberattacks continue to take a serious toll on business, with 10% of domestic private-sector businesses having experienced a cyberattack in the past year.
 
Grant Thornton Johannesburg advisory services director Michiel Jonker warned in a statement that the figures published for South African businesses were, however, based on qualitative surveys and not on verified quantitative data.
 
“At present, South African companies are not forced to report on cybercrime or any cyberattacks experienced in their organisations because this is not a legal requirement – hence the need for qualitative surveys to assess the current situation in the country.

“Parliament may recently have passed the new Protection of Personal Information (Popi) Act, but the full requirements will only come into force once the Popi Regulator has been appointed and is fully functioning,” he commented.
 
Jonker expected a fully functioning Popi Regulator to be up and running in South Africa by the end of 2016 or in early 2017, after which organisations would likely be given a 12-month grace period to secure their Popi compliance and estabish appropriate reporting processes.

As such, accurate data on the new requirements, any cyberattacks experienced, or appropriate security measures implemented would only be available after 2018.
 
“It is realistic to assume that South African entities will start reporting to the new regulator on security incidents by 2018, providing crucial data for the first time in the country’s history, about cybercrime, fraud, attacks and incidents. 

“We foresee then, that 2019 will be the expected watershed year for South African entities, including the public sector, to start informing their cyber security strategies with accurate forecasting data, gathered over 2018.

“We believe it will take South Africa another three years to collect an adequate quantity of sound data for quantitative forecasting purposes, which brings us to at least 2021 – with the use of the first full three-year set only in 2022,” he said.
 
The Popi Act, which was gazetted in November 2013, and which was currently awaiting an effective enactment date, pending the appointment of the regulator and other final elements, required widespread reforms to be introduced by the private and public sectors to ensure the personal information and data they collect were protected.

The new Act provided strict guidelines, among other things, on what data could be obtained, how that data could be used and the requirement that it should be kept up to date.  
 
The Grant Thornton IBR, which comprised a global survey of 2 500 business leaders in 35 economies, revealed that, as high-profile security breaches and hacks became more prevalent, many businesses had no comprehensive strategy to prevent or detect and contain digital crime.
 
The IBR results further revealed that cyberattacks were directly impacting the bottom line.

However, despite these risks, when executives were asked if their businesses had a detailed cybersecurity strategy in place to deal with any potential cyberattacks, nearly half of domestic businesses surveyed indicated they did not, while just over half of global businesses did have a strategy in place.
 
Jonker expressed concern regarding the lack of preparedness of South African businesses and of the public sector when it came to cybersecurity.
 
“Local organisations are being hacked. The problem is that many just aren’t aware that they’re being attacked or, at best case, they do know about the attack but are trying to deal with it silently without reporting it.
 
“Cyberrisk is ranked as the ninth biggest risk by consequence for the nation. Corruption, governance failure, unemployment and infrastructure and networks are the top four risks in South Africa, which further emphasises just how serious some other key issues are for the country,” he commented.
 
Grant Thornton cybersecurity global leader Paul Jacobs added that cyberattacks were an increasingly significant danger for business.

“Not just cost in a financial sense, but serious reputational damage can be inflicted if attacks undermine customer confidence,” he said.
 
Grant Thornton’s cybersecurity research revealed that the sector most concerned by the threat of a cyberattack was financial services, while only 10% of transport firms globally had reported a cyberattack in the past 12 months and just 27% perceived it as a threat.
 
“Vigilance alone won’t keep businesses safe. Proactive measures are needed. This is an issue which needs to be on the agenda in boardrooms, as well as information technology departments, particularly with Popi legislation on the South African horizon.

“Management teams need to be driving cyberstrategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat. Just as critically, clients and customers also need reassurance that effective robust and resilient controls are in place,” Jonker concluded.