One in ten SA businesses have experienced cyber-attacks in the past year according to the latest Grant Thornton cyber security survey
But stricter POPI reporting requirements will expose a far more critical situation by 2021
As South Africa’s Minister of State Security, David Mahlobo, delivered his opening address at the State Security Cybersecurity Conference in Pretoria today (2 November), new global research from Grant Thornton’s International Business Report (IBR) on cyber security reveals that cyber-attacks are taking a serious toll on business.
The new survey highlights that one out of every 10 (10%) South African private sector businesses have experienced a cyber-attack in the past year (Global – 15%).
But Michiel Jonker, Director: Advisory Services at Grant Thornton Johannesburg, warns that the figures published for South African businesses are based on qualitative surveys, and not on verified quantitative data.
“At present, South African companies are not forced to report on cybercrime or any cyber-attacks experienced in their organisations because this is not a legal requirement – hence the need for qualitative surveys to assess the current situation in the country. Parliament may recently have passed the new Protection of Personal Information (POPI) Act, but the full requirements will only come into force once the POPI Regulator has been appointed and is fully functioning.”
Jonker expects that a fully functioning POPI Regulator will be up and running in South Africa by the end of 2016 or early 2017. He adds that organisations will probably then be given a 12-month grace period to get their POPI compliance and reporting in order, which means that accurate data on the new requirements, any cyber-attacks experienced, or appropriate security measures implemented will only be available post 2018.
“It is realistic to assume that South African entities will start reporting to the new Regulator on security incidents by 2018, providing crucial data for the first time in the country’s history about cybercrime, fraud, attacks and incidents. We foresee, then, that 2019 will be the expected watershed year for SA entities, including the Public Sector, to start informing their cyber security strategies with accurate forecasting data gathered over 2018,” he adds. “We believe that it will then take South Africa another three years to collect an adequate quantity of sound data for quantitative forecasting purposes, which brings us to at least 2021 – with the use of the first full three-year set only in 2022.”
The POPI Act, which was gazetted in November 2013, and which is currently awaiting an effective enactment date pending the appointment of the Regulator and other final elements, requires widespread reforms that both the private and public sector must introduce to ensure that the personal information and data they collect are protected. The new Act provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
The Grant Thornton International Business Report (IBR), a global survey of 2,500 business leaders in 35 economies, reveals that as high-profile security breaches and hacks become more prevalent, many businesses are putting themselves in the firing line with no comprehensive strategy to prevent or detect and contain digital crime.
The IBR results reveal that cyber-attacks are directly impacting the bottom line. But despite these clear risks, when executives were asked if their businesses have a detailed cyber security strategy in place to address any potential cyber-attacks, nearly half of SA businesses surveyed said no (South Africa: 45%) while just over half (52%) of businesses globally did have a strategy in place.
Jonker expressed concern regarding the lack of preparedness of SA businesses and of the Public Sector when it comes to cyber security.
“SA organisations are being hacked,” says Jonker. “The problem is that many just aren’t aware that they’re being attacked (due to the lack of detective controls), or at best case, they do know about the attack but are trying to deal with it silently without reporting it.”
South Africa’s local municipalities currently hold a massive amount of personal data – potentially more than many other government departments in the country. However, Jonker laments that just like many businesses, the municipalities are not at all ready to comply with the stringent POPI requirements.
He quotes a recent Risk Report 2015 by the Institute of Risk Management South Africa (IRMSA) which ranks the Top 10 SA risks by consequence.
“Cyber risk is ranked as the ninth biggest risk by consequence for the nation,” continues Jonker. “Corruption, Governance Failure, Unemployment and Infrastructure and Networks are the top four risks in SA which further emphasises just how serious some other key issues are for the country.
“But globally, other countries around the world have already adequately addressed many of the four risk issues we’re still grappling with. This means that they’ve made cyber risk a much higher priority and will therefore get on top of the critical issues, long before we will even have had any time to lift our heads high enough to see the threats on the horizon,” says Jonker.
Paul Jacobs, Global Leader of Cyber Security at Grant Thornton, said: “Cyber-attacks are an increasingly significant danger for business. Not just cost in a financial sense, but serious reputational damage can be inflicted if attacks undermine customer confidence: just ask Ashley Madison. Despite this, nearly half of firms still lack a strategy to deal with the cyber threat.”
Grant Thornton’s cyber security research reveals that the sector most concerned by the threat of a cyber-attack is financial services (74% of businesses say it is a threat) – this is also the sector with the joint-highest recorded instances of cybercrime globally (26%). At the other end of the spectrum, only 10% of transport firms globally have reported a cyber-attack in the past 12 months, and just 27% perceive it as a threat.
“Vigilance alone won’t keep businesses safe. Proactive measures are needed. This is an issue which needs to be on the agenda in boardrooms as well as IT departments, particularly with POPI legislation on the SA horizon. Management teams need to be driving cyber strategies which boost awareness of the threat among all staff, and of the policies and procedures in place to deal with the threat. Just as critically, clients and customers also need reassurance that effective, robust and resilient controls are in place,” Jonker concludes.
Notes to editors
About Grant Thornton South Africa
Grant Thornton South Africa is a member firm of Grant Thornton International Ltd (GTIL). Grant Thornton South Africa was founded in 1920. We are leaders in our chosen market, providing assurance, tax and specialist business advice to dynamic organisations – listed companies, large privately held businesses and private equity backed organisations.
We employ 1028 people in South Africa with 90 partners and directors. Grant Thornton has a national presence with offices in Bloemfontein, Cape Town, Durban, George, Johannesburg, Nelspruit, Polokwane, Port Elizabeth, Pretoria, Rustenburg and Somerset West. In Africa we operate across 23 member firms in Algeria, Botswana, Congo, Côte d’Ivoire, Egypt, Ethiopia, Gabon, Guinea, Kenya, Libya, Mauritius, Morocco, Mozambique, Namibia, Nigeria, Senegal, Tanzania, Togo, Tunisia, Uganda, Zambia and Zimbabwe and are ideally positioned to facilitate clients’ expansion plans in these countries.
About Grant Thornton International Ltd
Grant Thornton is one of the world’s leading organisations of independent assurance, tax and advisory firms. These firms help dynamic organisations unlock their potential for growth by providing meaningful, forward looking advice. Proactive teams, led by approachable partners in these firms, use insights, experience and instinct to understand complex issues for privately owned, publicly listed and public sector clients and help them to find solutions.
More than 40,000 Grant Thornton people, across over 130 countries, are focused on making a difference to clients, colleagues and the communities in which we live and work.
“Grant Thornton” refers to the brand under which the Grant Thornton member firms provide assurance, tax and advisory services to their clients and/or refers to one or more member firms, as the context requires. Grant Thornton International Ltd (GTIL) and the member firms are not a worldwide partnership. GTIL and each member firm is a separate legal entity. Services are delivered by the member firms. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another’s acts or omissions.