Will PoPI Lead to More Extortion?
In November 2013, the President enacted PoPI, and since then there have been continual questions as to when all of the process will be in effect. While some portions of the Act came into effect in 2014, there have been a number of substantial revisions that require future dates for such lawful processing as the protection of personal information. With so much still up in the air, there are additional concerns that cybercriminals will take advantage of the momentum to increase their extortion activities.
The DoJ (Department of Justice) has taken steps to move forward by seeking nominations for the position of Information Regulator, who will be in charge of facilitating the remainder of the PoPI Act. In the interim, some companies have already taken the lead, not only beginning PoPI compliance but completing the process. These may be the forward thinkers or larger corporations with deeper pockets, but for the average business, this may not be the case. Many small to mid-sized businesses are waiting for all of the PoPI guidelines to be put into place. Taking advice and their lead from other organisations, they are quickly learning that the amount of work needed for PoPI compliance is vastly underestimated.
Given all of these variables, and the fact that many have not adopted full compliance, there is an open door for cybercriminals. They are aware that organisations are waiting for all of the details and may step up their attacks to breach those that have not yet established the required security. The number of attacks on SA businesses has long been in question, as the figures that have been published are dubious, at best.
Michiel Jonker, director of advisory services for Grant Thornton, stated, “At present, South African companies are not forced to report on cybercrime or any cyber-attacks experienced in their organisations because this is not a legal requirement – hence the need for qualitative surveys to assess the current situation in the country. Parliament may recently have passed the new Protection of Personal Information (PoPI) Act, but the full requirements will only come into force once the PoPI Regulator has been appointed and is fully functioning.”
It is currently estimated that one in ten SA businesses has been vulnerable to a cyberattack. Jonker continued, “It is realistic to assume that South African entities will start reporting to the new Regulator on security incidents by 2018, providing crucial data for the first time in the country’s history, about cybercrime, fraud, attacks and incidents. We foresee then, that 2019 will be the expected watershed year for SA entities, including the Public Sector, to start informing their cyber security strategies with accurate forecasting data, gathered over 2018.”
“Da Vinci Forensics has a history of working with businesses of all sizes to encompass all areas of cybersecurity. This has included analysis, recommendations and education across a broad spectrum. We are currently committed to assisting companies to take steps for PoPI compliance to assist in the protection of their proprietary data as well as that of their clients.”
Sharon Knowles, CEO of Da Vinci Forensics