Flexible and remote working arrangements may pose a substantial and costly cybersecurity risk to employers, and it is imperative for businesses to review and adopt an information security policy that employees must adhere to, multinational law firm Cliffe Dekker Hofmeyr says.
Companies should insist that any remote working arrangement occurs via their designated digital channels for remote working, such as virtual private networks or servers, say Cliffe Dekker Hofmeyr technology, media & telecommunications practice director Fatima Ameer-Mia and dispute resolution practice associate Krevania Pillay.
Although South African law currently does not impose a duty to implement cybersecurity measures in an organisation, the Protection of Personal Information Act – the substantive provisions of which have not yet commenced – does contain obligations on responsible parties, namely data controllers, to implement reasonable technical and organisational measures to safeguard personal information in their possession or control against unauthorised access, which will likely include adopting cybersecurity measures, they highlight.
"Restrictions announced by President Cyril Ramaphosa to curb the spread of Covid-19 have resulted in companies implementing measures to allow employees to work from home or work remotely. With an increased reliance on technology, companies may be faced with cybersecurity challenges including cyber-attacks and cyber-related fraud. Employees who use public networks while working remotely are vulnerable to the increasing threat of cyber-attacks."
The most common forms of cyber-attacks include interception of email correspondence and phishing scams. Interception often occurs when cybercriminals monitor the servers of either the sender or recipient of an email communication and strategically intercept the communication by posing as a sender, they say.
Email interception, hacking, identity fraud and computer-related extortion are recognised as offences under the Electronic Communications and Transactions Act, and the maximum penalty is an unspecified fine or imprisonment for a period not exceeding 12 months. The Cybercrimes Bill will, once effective, create a variety of new offences which do not currently exist in South African law and afford companies a degree of comfort relating to the prosecution of cybercrime offences.
Employees should be encouraged not to connect to unsecured or public WiFi and to use, where applicable, virtual private networks to protect their company's proprietary information. Common sense should also prevail; for example, employees should check uniform resource locator addresses before clicking on any links and beware of suspicious emails.
With an increased use of video conferencing services, employees should also ensure that meeting requests are legitimate. Employees must also refrain from taking unnecessary or careless risks, such as sending documents to colleagues via unsecured instant messaging services, discussing confidential work matters on public chat platforms, saving documents to their desktop instead of to secure locations and using unencrypted personal devices for work matters.