The legislative framework governing cybercrime and cyber security is still in its infancy. Whilst the Electronic Communications and Transactions Act 2002 regulates certain acts of cybercrime, it does this in a limited fashion and is perhaps out of tune with the typical acts of cybercrime commonly encountered today. The Cybercrime Bill seeks to further expand on acts that constitute cybercrime and places reporting and other obligations on financial institutions and telecommunications service providers where a cybercrime has occurred.
On the 2nd of December 2020, the Cybercrime Bill was passed by the National Assembly and National Council of Provinces and sent to the President for his assent. It is unclear when the President will sign the Bill and bring it into force. In the meantime, the Bill provides an opportunity for companies to get their affairs in order and implement strategies that will safeguard their networks, while ensuring compliance with privacy and data protection laws in general.
There are a number of recommended actions that companies can implement in order to improve their network security. At the top of the list, educating and training staff on cyber security threats remains pivotal. This is especially important for companies that process large amounts of customer data and/or transactional material. Companies are waking up to the need to employ the generally accepted principle of safe processing of data. However, many employees remain unsure of – or indifferent to – the legal and reputational implications that may arise out of their negligence or inability to act in a certain manner. IT policies need to be revised in order to address areas where cyber security threats exist. IT policies should, at a minimum, address the use of permissible applications and software, the accessing of secured Wi-Fi and hot spotting, the safe accessing of the company VPN and the identification of phishing schemes. Furthermore, these policies should be extended to apply to employees’ personal devices by means of a BYOD (bring your own device) policy.
There should also be appropriate security software and tools in place as well as properly crafted contracts with software providers and/or network security providers, as support and backup for this training. In instances where data is stored in the cloud, companies should review their cloud-based platforms and contracts to mitigate against any additional risks.
Equally important is the review or drafting of dawn raid procedures and other response-type processes in the event that a cyber security breach occurs on any network. It remains to be seen how effectively the Cybercrime Bill will be enforced once it comes into law. However, the reputational harm and damages that could ensue should not be overlooked.
In summary, Covid-19 has been a huge disruptor and has forced many organizations to re-examine their IT practices. Adaptability to these changes is crucial, along with decisive steps to ensure governance and compliance. And, as Charles Darwin famously commented, it is not the strongest of species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.