Although there are still loopholes to be plugged, South Africans can take comfort in the country's relatively robust anti-hacking laws, which allow companies to go in hot pursuit of IT intruders. However, attempts to trace cybercriminals could be stopped in their tracks if the attackers stage cross-border raids from countries where different laws apply.
"On paper at least, South Africa has one of the better anti-hacking regimes," says Dave Loxton, director in the Forensics practice at Werksmans Attorneys.
Currently, the two main anti-cybercrime laws in South Africa are the Regulation of Interception of Communications Act (RICA) and the Electronic Communications Act (ECA).
"By providing a database of 37 million SIM cards, RICA is the first port of call when tracing hackers using mobile phones – which have become the most popular hacking device for cybercriminals everywhere," Loxton says.
The downside of RICA is flaws in its implementation.
"Fictitious names such as Goofy and Mickey Mouse have sneaked through the RICA process," he says. "It is also common knowledge that SIM cards are sold on the black market without being subject to the RICA process, which effectively negates the entire process. However, such anomalies will more than likely be ironed out as the law matures and the authorities become more adept at RICA enforcement."
Arguably more effective than RICA in combating cybercrime is the ECA. In January this year, a former employee at a major bank was convicted of stealing her colleagues' PINs and passwords to pull off a R27.3 million heist. The charges on which she was found guilty included two contraventions of the ECA, involving the intentional interception of data without authorisation.
All economic sectors are vulnerable
According to statistics released by the Ministry of Justice and Constitutional Development in June this year, 155 cybercrime cases were finalised in the 2011/12 financial year, with an average conviction rate of 89%. Most of these cases involved the theft of passwords or cloning of bank cards for fraudulent electronic fund transfers. The highest reported loss to date was the R42 million taken in a cyber-heist against the Post Bank in January this year.
Loxton says cybercrime is by no means limited to the financial services industry and is raising its head across the economy, both in the private and public sectors.
"It is difficult to quantify the extent of cybercrime because, for reputational reasons, few organisations are willing to publicly acknowledge they have been targeted," he says. This low-key approach also explains why some South African companies still tend to underestimate the threat that cyber criminals pose.
"Fortunately, we are starting to see heightened awareness about cybercrime and the realisation that much more needs to be done to combat it."
Earlier this year, soon after the Post Bank cyber heist, South Africa's Cabinet approved the national cyber security policy framework, aimed at addressing security threats in cyberspace and stepping up the fight against cybercrime.
The Justice Ministry also announced that the police had begun intensifying cooperation with police services in the Southern African Development Community, as well as within Interpol, to fight crime syndicates, especially cyber criminals.
"Collaboration with other jurisdictions is critical, particularly as most cybercrimes committed around the world are linked to organised crime syndicates operating across borders," says Loxton. A London Metropolitan University study indicates that 80% of online crime is connected to organised gangs.
Underlining the need for stronger collaboration between countries is the divergence in cybercrime laws internationally.
"In the United States, the law prohibits companies or individuals from tracking hacking activity beyond their own networks, as this is the sole terrain of the authorities," he says. "In contrast, there are still some countries that have not yet criminalised hacking."
In between these extremes are many other variations in terms of the legal status of cybercrime. "South African companies cannot take it for granted that the leeway they have at home to protect their interests is necessarily available elsewhere. This is why it is so critical to understand the cybercrime laws in other jurisdictions."
Greater collaboration between companies needed
Loxton notes that when it comes to fighting fraud, more collaboration is needed between companies and organisations within South Africa. "Companies should not view themselves as competitors but, without giving away trade secrets, should assist each other in combating fraud," he says.
For example, should a company believe it is subject to a hacking attack, it might approach its ICT service provider to monitor the usage of the hackers' cell phones.
"What often happens in practice is that service providers refuse on the grounds of legal technicalities, insisting on a court order," Loxton says. "The ensuing delay can lead to serious breaches where the damage is too late to undo when a court order is obtained."
While this can be a complicated area of the law, which companies should navigate carefully, they should not allow themselves to inadvertently fuel the problem of cybercrime.
"Cybercrime is one of the most insidious forms of crime and cyber criminals are notoriously difficult to apprehend," he says. "We should not further stack the odds in their favour."
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.