South Africa Cyber Enforcement Comes as Attacks Rise
Authorities are poised to begin enforcing new data privacy rules, as Mimecast research shows an unprecedented level of cyber risk.
- South Africa’s Information Regulator has drawn a line in the sand, saying that the enforcement of data privacy rules under POPIA starts now.
- The new Cybercrimes Act is also ushering in additional compliance requirements for some companies.
- The increased compliance burden comes amid surging cyberthreats, according to Mimecast’s State of Email Security 2022 report.
When it comes to cybersecurity and data privacy, South African businesses today find themselves between a rock and a hard place. Authorities are poised to begin enforcing national cyber regulations that went into effect last year. But as companies have been striving to set up the protections required by law, Mimecast research shows that they’re facing an increasing volume, variety, and sophistication of cyberattacks.
Cyber Authorities Step Up
In June, South Africa’s Information Regulator signaled that enforcement would begin under the country’s Protection of Personal Information Act (POPIA), which went into effect in July 2021 and directs how companies collect, store, manage, and secure citizens’ data. Under POPIA, businesses that negligently expose personal information in data breaches or fail to respond to citizens’ requests to access, update, or delete data face fines of up to 10 million rand (US$6 million).
Information Regulator Pansy Tlakula issued a statement on June 29, saying: “The first five years of the Regulator have been the years dedicated to forming the institutional framework ... The next five years will be devoted to actively demonstrating that the Regulator is a shield that protects, the torchbearer that promotes and the hand that assists in protecting personal information.”
As one local headline reported the next day, “InfoReg’s Patience with POPIA Violators Is Coming to an End.” A total of 330 data breaches were reported over the past year, Tlakula said, promising that enforcement actions will result from investigations already underway.
Meanwhile, South Africa’s Cybercrimes Act went into effect in December, criminalizing cyberattacks. The business implications of the new law include a data breach reporting mandate for some companies, such as banks, as well as requirements to supply related information during official investigations.
Pressure is also coming from abroad. The International Monetary Fund issued a report in June that acknowledged progress in addressing the cybersecurity risks to South Africa’s financial sector, but called for “fully articulated standards” and stronger enforcement.
Cyberattacks Are Also Mounting
Companies’ added compliance responsibilities come as they are already straining to fend off a growing volume, variety, and sophistication of cyberattacks, according to Mimecast’s State of Email Security 2022 (SOES) survey.
South African security and IT professionals reported these troubling trends from 2021 into 2022:
- Three out of four companies saw more email-borne threats.
- Ninety-four percent were targeted by phishing emails.
- Fifty-five percent said attacks were increasingly sophisticated — for example, combining multiple techniques in one attack.
- Sixty percent were hurt by a ransomware attack, up from 47% in the previous year.
- Resulting downtimes lasted an average of about 11 days.
Growing Requirements Strain Resources
South African companies can see the goal posts moving as they try to maintain cyber resilience. Evidence of this, in the SOES report, is that 41% of companies thought they had an adequate resilience strategy in place in 2021, but only 33% feel that way today. This lack of resilience has come at a cost:
- Forty-nine percent have suffered business disruption.
- Forty-eight percent have experienced data loss.
- Forty-two percent reported an impact to employee productivity.
- Thirty-nine percent saw regulatory compliance drop.
In fact, South African companies experienced some of the largest increases in damages from cyberattacks in 2021 among their peers worldwide, with the total average cost of a data breach rising 50% over the previous year, to $3.21 million.
Over four in 10 South African companies said their security budgets are insufficient to meet this challenge, according to the SOES report. Cybersecurity budgets in South Africa are reported to be 12% of overall IT budgets, on average, but security and IT professionals believe 21% is needed. With the resulting shortfall, 62% say they don’t have enough to invest in training their security teams, and 59% report missing out on new technology innovations. Nearly two-thirds of companies that rely on Microsoft 365 experienced an outage in the previous 12 months, with nearly all respondents concurring that additional layers of security are needed to make M365 “completely secure.”
Now, as companies are facing new regulatory compliance burdens, it is with a certain ambivalence. Mimecast’s SOES report found only 35% expect that rules requiring minimum cybersecurity standards would significantly decrease the cybersecurity risk to their business. But about the same number believe their cost of compliance would increase, while they lose the flexibility to determine their own best course of action in fighting attackers.
Streamlining to Meet Security Challenges
Security professionals hold out hope that technology can help to ease the current budget crunch. Nearly three-quarters of companies in the SOES report expressed a preference for using integrated security solutions that can streamline their efforts — especially in the new hybrid environment of office and remote workers. Increasingly, security vendors such as Mimecast provide companies with more coherent, comprehensive, and automated ways to manage personal data, view cyberthreats, thwart attackers, and achieve compliance across their email cloud services, apps, and user devices everywhere.
Rising cyber risk in South Africa is coming from two directions— one from an increasing volume of ever-more-sophisticated cyberattacks and the other from regulatory compliance challenges. Read Mimecast’s State of Email Security 2022 report for more insight into security professionals’ perspectives in South Africa and worldwide.
 “South Africa: Financial Sector Assessment Program-Technical Note on Cybersecurity Risk Supervision and Oversight,” International Monetary Fund
Subscribe to Cyber Resilience Insights for more articles like these
Get all the latest news and cybersecurity industry analysis delivered right to your inbox
Sign up successful
Thank you for signing up to receive updates from our blog
We will be in touch!