Email Security

    South Africa Cyber Enforcement Comes as Attacks Rise

    Authorities are poised to begin enforcing new data privacy rules, as Mimecast research shows an unprecedented level of cyber risk.

    by Karen Lynch

    Key Points

    • South Africa’s Information Regulator has drawn a line in the sand, saying that the enforcement of data privacy rules under POPIA starts now.
    • The new Cybercrimes Act is also ushering in additional compliance requirements for some companies.
    • The increased compliance burden comes amid surging cyberthreats, according to Mimecast’s State of Email Security 2022 report. 

    When it comes to cybersecurity and data privacy, South African businesses today find themselves between a rock and a hard place. Authorities are poised to begin enforcing national cyber regulations that went into effect last year. But as companies have been striving to set up the protections required by law, Mimecast research shows that they’re facing an increasing volume, variety, and sophistication of cyberattacks.

    Cyber Authorities Step Up

    In June, South Africa’s Information Regulator signaled that enforcement would begin under the country’s Protection of Personal Information Act (POPIA), which went into effect in July 2021 and directs how companies collect, store, manage, and secure citizens’ data. Under POPIA, businesses that negligently expose personal information in data breaches or fail to respond to citizens’ requests to access, update, or delete data face fines of up to 10 million rand (US$6 million).

    Information Regulator Pansy Tlakula issued a statement on June 29, saying: “The first five years of the Regulator have been the years dedicated to forming the institutional framework ... The next five years will be devoted to actively demonstrating that the Regulator is a shield that protects, the torchbearer that promotes and the hand that assists in protecting personal information.”[1]

    As one local headline reported the next day, “InfoReg’s Patience with POPIA Violators Is Coming to an End.”[2] A total of 330 data breaches were reported over the past year, Tlakula said, promising that enforcement actions will result from investigations already underway.

    Meanwhile, South Africa’s Cybercrimes Act went into effect in December, criminalizing cyberattacks. The business implications of the new law include a data breach reporting mandate for some companies, such as banks, as well as requirements to supply related information during official investigations.[3]

    Pressure is also coming from abroad. The International Monetary Fund issued a report in June that acknowledged progress in addressing the cybersecurity risks to South Africa’s financial sector, but called for “fully articulated standards” and stronger enforcement.[4]

    Cyberattacks Are Also Mounting

    Companies’ added compliance responsibilities come as they are already straining to fend off a growing volume, variety, and sophistication of cyberattacks, according to Mimecast’s State of Email Security 2022 (SOES) survey.

    South African security and IT professionals reported these troubling trends from 2021 into 2022:

    • Three out of four companies saw more email-borne threats.
    • Ninety-four percent were targeted by phishing emails.
    • Fifty-five percent said attacks were increasingly sophisticated — for example, combining multiple techniques in one attack.
    • Sixty percent were hurt by a ransomware attack, up from 47% in the previous year.
    • Resulting downtimes lasted an average of about 11 days.

    Growing Requirements Strain Resources

    South African companies can see the goal posts moving as they try to maintain cyber resilience. Evidence of this, in the SOES report, is that 41% of companies thought they had an adequate resilience strategy in place in 2021, but only 33% feel that way today. This lack of resilience has come at a cost:

    • Forty-nine percent have suffered business disruption.
    • Forty-eight percent have experienced data loss.
    • Forty-two percent reported an impact to employee productivity.
    • Thirty-nine percent saw regulatory compliance drop.

    In fact, South African companies experienced some of the largest increases in damages from cyberattacks in 2021 among their peers worldwide, with the total average cost of a data breach rising 50% over the previous year, to $3.21 million.[5]

    Over four in 10 South African companies said their security budgets are insufficient to meet this challenge, according to the SOES report. Cybersecurity budgets in South Africa are reported to be 12% of overall IT budgets, on average, but security and IT professionals believe 21% is needed. With the resulting shortfall, 62% say they don’t have enough to invest in training their security teams, and 59% report missing out on new technology innovations. Nearly two-thirds of companies that rely on Microsoft 365 experienced an outage in the previous 12 months, with nearly all respondents concurring that additional layers of security are needed to make M365 “completely secure.”

    Now, as companies are facing new regulatory compliance burdens, it is with a certain ambivalence. Mimecast’s SOES report found only 35% expect that rules requiring minimum cybersecurity standards would significantly decrease the cybersecurity risk to their business. But about the same number believe their cost of compliance would increase, while they lose the flexibility to determine their own best course of action in fighting attackers.

    Streamlining to Meet Security Challenges

    Security professionals hold out hope that technology can help to ease the current budget crunch. Nearly three-quarters of companies in the SOES report expressed a preference for using integrated security solutions that can streamline their efforts — especially in the new hybrid environment of office and remote workers. Increasingly, security vendors such as Mimecast provide companies with more coherent, comprehensive, and automated ways to manage personal data, view cyberthreats, thwart attackers, and achieve compliance across their email cloud services, apps, and user devices everywhere.

    The Takeaway

    Rising cyber risk in South Africa is coming from two directions— one from an increasing volume of ever-more-sophisticated cyberattacks and the other from regulatory compliance challenges. Read Mimecast’s State of Email Security 2022 report for more insight into security professionals’ perspectives in South Africa and worldwide. 


    [1]Media Breakfast Briefing Address,” South Africa Information Regulator

    [2]InfoReg’s Patience with POPIA Violators Is Coming to an End,” ITWeb

    [3]Cybercrimes and Cybersecurity Bill,” South Africa Minister of Justice

    [4]South Africa: Financial Sector Assessment Program-Technical Note on Cybersecurity Risk Supervision and Oversight,” International Monetary Fund

    [5]Cost of a Data Breach Report 2021,” IBM and Ponemon

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top