https://www.polity.org.za
Deepening Democracy through Access to Information
Cyber security is an organisational responsibility given the threats posed by AI


Webber Wentzel

12th July 2024


While tools such as ChatGPT have caught the public imagination, artificial intelligence (AI) and machine learning (ML), a branch of AI, are now important tools in industries ranging from travel and insurance to media and finance. 

However, as AI's capabilities improve, so does the danger it poses to cyber security, with incidents and attacks increasing. According to the South African Banking Risk Information Centre, cyber breaches and attacks in South Africa increased by 22% in 2023. More specifically, occurrences of phishing, ransomware, and unlawful access to information have all increased markedly, with the number of victims making ransomware payments increasing by 20% in 2023. The exponential developments in AI technology have had a notable impact on these statistics.


Furthermore, the National Cyber Security Centre in the United Kingdom published a sobering assessment earlier this year. Generative AI and large language models (a subset of ML) will make it difficult for any person, regardless of their cyber security understanding level, to assess whether an email, password reset, identity request, or social media engineering request is genuine or not. AI and ML tools are being, and have been, trained to understand how a person reads and responds to an email, and can impersonate that person to such a degree that responders cannot tell the difference between the person and the tool designed to mimic them.

Employer considerations associated with AI and employee data system access


For an employer, cyber security risk primarily lies with employees who either make judgment errors through negligence or intentionally subvert an organisation's cyber security policies and procedures. 

In cases where an employee is suspected of aiding or abetting a cyber security breach, they can be suspended ahead of the associated investigation. The suspension ought to be precautionary in nature and not punitive. There is no longer a legal requirement for an employer to afford an employee an opportunity to provide reasons as to why the employee should not be suspended; the employer may proceed with the suspension without obtaining reasons from the employee. 

Following suspension, and if an investigation yields a finding that prima facie evidence exists of fraud, a disciplinary inquiry can be initiated with dismissal as a possible outcome. Given current international trends, South Africa will likely soon see class action lawsuits due to data breaches, making data policy and cyber security matters of existential importance to any organisation that handles large volumes of consumer data.

Practical advice for corporate cyber security stakeholders to strengthen internal cyber security

Organisations can take several steps to prevent data breaches or reduce their exposure to cyber security risks. 

As a first step, organisations should do their utmost to understand where key vulnerabilities exist. Typically, these are:

  • Employees using weak passwords on their personal and work devices, and employees who make password information publicly available to a passerby, such as an external service provider, by sticking a note on a monitor screen for ease of memory. 
  • Employees sharing their passwords with each other due to interdependencies or availability challenges. 
  • Improper handling of password-protected work devices, such as allowing family members or external associates to use them for non-work purposes. 
  • Phishing, which arises as much from employee error as it does from an organisation failing to update its security protocols and cyber security software. 
  • Employees regularly neglecting to update their devices. Updates are a vital defence of any IT infrastructure since they have the latest best practices built into them. 

Beyond the above preventative measures, organisations need to prioritise regular employee cyber security training and cyber security itself. Cyber security training should be mandatory and held regularly. Materials associated with cyber security best practices should be made easily accessible to employees. 

Proactive cyber security management must involve and be championed by an organisation's upper management. Organisational leaders have outsized influence over employees' ability to absorb training and best practices when directed. In addition, cyber security training has to be mandatory during the recruitment and employee onboarding process. 

In our experience, some employers have gone as far as providing cyber security training to potential hires before contract finalisation and then making the new employee do it a second time as part of their induction. Others run drills and simulations of cyber security threats so that their teams understand what decisions should be made in situations where speed is vital. 

Given the speed of AI development, employers are advised to codify data breaches, or negligence relating to a data breach, as misconduct within their disciplinary codes. Policies that govern IT use within an organisation should also be constantly updated to keep pace, as far as possible, with developments within the cyber security landscape. 

Written by Wendy Tembedza, partner, Dario Milo, partner and Dumisani Ndiweni, partner, Webber Wentzel

 


Polity.org.za is a product of Creamer Media.