In today’s digital age, access to information is the new way of being in and part of the world. But it brings its own problems – and South Africa, unfortunately, is inadequately prepared.
In South Africa, there has been an increase in cyber crime and data privacy breaches in the past few years. Our country is viewed as a target where law enforcement is not adequately geared to deal with crimes of this nature.
Smartphones and smart systems leave room for “smart” criminals to operate. When is it too much access? What is the risk to people and companies?
With the COVID-19 pandemic, everything has shifted so much closer to home. Online interactions are becoming far more widely used by those fortunate enough to have access, leading to so much vital personal information being “out there” on the World Wide Web.
Criminal elements have the space to thrive.
Protection of Personal Information Act (POPIA)
The long-awaited Protection of Personal Information Act (POPIA) finally came into play on 1 July 2020.
Companies now have a year to make sure they are fully compliant with what this law requires, more so now with additions related to how companies manage, store and delete personal information.
The European Union (EU) has long had the General Data Protection Regulation (GDPR) in place to manage the protection of personal information. South Africa has been a laggard.
First, we have had a slower adoption of online retail but, more importantly, we have been waiting for about seven years for this law to finally come into effect.
The delay does have some pros in that we had time to learn from the execution of GDPR in the EU and policymakers could adjust POPI to be in line with the ever-changing business and online landscape.
The cons are that hackers and scammers have exploited the regulatory inertia, perfecting their scams, leading to financial losses for companies and people.
Phishing scams have become the norm, forcing companies to send alerts warning clients that they will not ask for personal information via email or text.
Many banks require you to acknowledge reading that statement before proceeding to log into your banking profile, for example. This is to protect the consumer, but the banks are also covering themselves in terms of fair warning. This is really not enough, though.
According to a recent Accenture report, “South Africa has the third most cyber crime victims worldwide, losing R2.2-billion a year.” We would assume that number is even higher because that figure merely notes the crime that is reported and discovered.
The report further says: “Low investment in cybersecurity and immature cybercrime legislation make South Africa a target.” This is perhaps where the POPIA now can address some of these issues.
Cybercriminals are very sophisticated, have intricate operations and operate from far and wide.
South African banks have been a target for a long time. There was even a planned hit on the South African Reserve Bank (SARS) a few years ago which, thankfully, was thwarted.
Last year, we saw the hacking of Eskom’s systems where it suffered two security breaches in swift succession.
But cyber criminals attack an array of areas, wherever they may find a vulnerability.
A move to pre-paid electricity systems quickly became a target. Prepaid electricity is done through a virtual voucher system and there was a ransomware attack on one supplier last year, which saw many South Africans with no access to the electricity supply for some time.
The increase in different types of attacks is ever-concerning as all are in some way also related to breaches in the security of consumers’ personal information.
And now, more than ever, protection of personal information is critical.
With the stress of people getting paid less as well as rising retrenchments and redundancies, access to a person’s banking information really can wreak even more serious havoc in people’s lives.
What needs to be done?
South African banks and other companies need to invest in increased cybersecurity. It is the responsibility of every company to ensure that client information is shared safely and does not get into the wrong hands.
POPIA requires that a compliance officer be appointed in each organisation. There are heavy penalties for non-compliance and the compliance officer may be held personally liable, to some effect, for breaches of the act’s requirements.
The SAPS and relevant crime agencies need to gear up to tackle these crimes. We cannot afford data breaches at a government level or more attacks on government institutions like Eskom.
Strong enforcement of the POPIA regulations is needed.
Both government and companies also need to run awareness campaigns so that employees are always conscious of the risks. The cliché is apt: your systems are only as secure as your weakest link.
While we adapt to more online life, we have to remain ever aware as businesses that threats, while virtual, are as real as ever.
Cybercriminals are quicker and more agile than ever before – and have far more devastating effects.
This article was first published on SABC News.