Businesses in South Africa face a heightened risk of cybercrimes owing to the Covid-19 pandemic and subsequent lockdown, but there are several measures that they can undertake to mitigate this and there is legislative regulation to assist.
Speaking on April 24 during a webinar hosted by law firm Cliffe Dekker Hofmeyr (CDH), CDH Technology, Media and Telecommunication director Fatima Ameer-Mia noted that owing to the lockdown, companies had to very quickly adapt to let employees work from home.
Remote working is also likely to remain the new normal for most businesses for a while yet.
With remote working characterised by an increasing reliance on technology, Ameer-Mia noted that many businesses may be faced with an increased cybersecurity threat.
She noted that while there is various software available to employees to mitigate this, there is still an inherent risk in accessing business servers from remote locations away from the office.
There have also been reports of increasing numbers of phishing scams related to Covid-19, she said, with these purporting to come from health or governmental agencies with coronavirus-related information, but actually serving as a front to push malware or gain access to business information, for example.
With regard to laws around cybercrime in the country, Ameer-Mia indicated that the country has a high-level framework related to this, and that cybercrimes are regulated under common law and various other regulations.
Moreover, government recently passed a cybercrimes Bill which will include new offences that are currently not accommodated for under South African law, and should provide business with an extra level of comfort, she informed.
With regard to how businesses can and should safeguard against cybercrimes, Ameer-Mia said the country’s law does not specifically require businesses to have such measures in place. However, the Protection of Personal Information Act (POPI), which is still being implemented fully in the country, does call for this.
Therefore, in the interim, and in the current climate, she indicated that there are several measures that business can undertake to safeguard themselves and employees.
Firstly, she emphasised that businesses should review and adopt information security policies for employees to follow, and that these should be properly communicated to employees, who should then be aware of and trained in these policies.
Moreover, she encouraged employees not to connect to public or unprotected WiFi when doing work, and to use a virtual private network where possible.
Ameer-Mia emphasised that employees should let common sense prevail. With an increased use of video conferencing, employees should ensure that meeting requests are legitimate.
Moreover, they should shy away from shortcuts, and send work documents and sensitive work information only on trusted working platforms, rather than any social media platform.
Ameer-Mia highlighted the importance of such measures, given that data breaches, according to a recent report, can lead to an average cost of about R43-million, owing to the reputational damage and share price impact for businesses.
As such, she also advised that businesses could consider taking out comprehensive cyber insurance policies.
PRIVACY IN THE TIME OF COVID-19
Ameer-Mia also touched on the issue of the government accessing private data of citizens for contact tracing to reduce and mitigate the spread of Covid-19, with this gleaned from mobile networks and entered into a central database to track those who have been infected with Covid-19 and those who have had contact with such people.
While the privacy of citizens is upheld by the Constitution, there are certain legislative exceptions that allow for the government to infringe on this right; however, this comes with stringent conditions, and is only allowed under urgent circumstances, such as this outbreak.
Ameer-Mia noted that while citizens’ privacy is being infringed, it is done in accordance with these exceptions, and is only being done for a limited time and under proper controls.
Therefore, citizens should not be concerned that the government is spying on them, as this information is required to be terminated six weeks after the State of Disaster lapses or is terminated, and each person whose data is obtained must be notified about this after this six-week period as well.
Also, this data can only be accessed by certain people, and can only be used for clearly defined purposes required to combat or reduce the spread of Covid-19.
Moreover, a specific judge will monitor compliance of the process and will make recommendations to the government.
Should the State continue to track an individual after the regulated time period, Ameer-Mia indicated that this person would be able to bring an action against the mobile service provider, provided they can prove that they are being impacted.
Therefore, she indicated that it is important to continue to monitor how these regulations are implemented – while individuals will be required to give up their right to privacy, the government must comply in terms of lawful processing of this information.