May 29, 2021

Failure To Implement Cybersecurity At Your Peril


By Jason Jordaan | Principal Forensic Analyst DFIRLABS

Every single business organisation in South Africa processes and stores personal information as defined in the Protection of Personal Information Act 4 of 2013. As such, every single member of the Border-Kei Chamber of Commerce is legally required to comply with the various provisions of this Act. One of the key rationales for the legislation is to protect the so-called personal information in your possession, and failure to do so could lead to significant consequences for an organisation. In terms of Section 107 of the Act, the Information Regulator may impose an administrative fine on any organisation that fails to adequately safeguard personally identifiable information, and that fine may not exceed R10 million.

The clock is ticking on the implementation of this Act, and on the 1st of July 2021, all organisations will have to be compliant with this Act. There are no exceptions to this, and the Information Regulator has made it very clear that they will be aggressively enforcing this Act.

Section 19 of the Act places a legal requirement on organisations to implement cybersecurity measures, and does so in a very clear and unambiguous tone. It requires organisations to take appropriate and reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, as well as unlawful access to or processing of personal information. To do this, organisations must:

  • Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control.
  • Establish and maintain appropriate safeguards against the risks identified.
  • Regularly verify that the safeguards are effectively implemented.
  • Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

Organisations are also required to have due regard to generally accepted cybersecurity practices and procedures. If specific industry or professional cybersecurity requirements apply to the organisation, then these must be considered as well.

What this means is that every single organisation must take cybersecurity seriously now. They must know and understand the cybersecurity risks that they face, and ignorance can no longer be an excuse. Every organisation needs a realistic view of its cybersecurity posture and of what it must do to implement effective cybersecurity. And cybersecurity is not just making sure you have anti-virus measures and firewalls in place; it is more than that.