When the police release the latest annual crime statistics tomorrow, chances are there will be little or no reference to cybercrime. Perhaps it is because the concept of cybercrime is still relatively new and not everyone is aware of the risks. Businesses are complicit in the lack of awareness of the threat because cybercrimes are hugely under-reported. This urgently needs to change.
In the words of Beza Belayneh, CE of the South African Centre for Information Security, cybercrime is a national crisis. Business is affected by crimes such as fraud, murder and robbery; and indirectly through the effects of crime on insurance, investment and business confidence. Cybercrime will also affect business, directly and indirectly, with direct losses including electronic cash theft, identity theft, information theft, deleting information from systems and rendering systems unworkable. The indirect effects include the cost of securing against intrusions, replacing equipment, appointing specialist security staff, compensation to clients who suffered losses, insurance costs and loss of customer confidence.
According to a study by cybersecurity firm Wolfpack Information Risk, the three sectors hardest hit by cybercrime in South Africa were government, banking and telecommunications. They were conservatively estimated to have lost R2.6bn between January 2011 and August last year. What we do not know is how much cybercrime goes unreported or undetected.
Because police statistics do not precisely categorise cybercrime, they do not tell us the extent to which South Africa has become a victim of it. What we do know is that it is a critical threat to be taken very seriously.
The National Cybersecurity Policy Framework was approved by the Cabinet in March last year, but is not yet publicly available. As a result, the only official definition of cybercrime is contained in the 2011 draft policy framework, which says cybercrime is “illegal acts, the commission of which involves the use of information and communication technologies.” Police record all kinds of fraud, forgery, misappropriations and embezzlement as “commercial crime”.
But crimes related to the “increasing role of computerisation and electronic communication in commercial activity” are still referred to as “so-called cybercrime”, without being specified or quantified.
All businesses are potential targets, but small businesses are now on the front line. According to Symantec’s 2013 Internet Security Threat Report, 50% of all targeted attacks last year were aimed at businesses with fewer than 2,500 employees. The largest growth area for targeted cybercrime attacks was businesses with fewer than 250 employees.
David Szady, vice-president of the US security conglomerate Guardsmark, was quoted in South African safety and security magazine Servamus in August last year as saying thousands of intrusions into corporate networks, government systems and personal computers are occurring every day, though the real threat is in the “continuous transfer of wealth from national economies”.
Szady believes that if the trend towards rapidly increasing cybercrime is not reversed, it will have a catastrophic economic effect, resulting in reduced economic growth, impaired competitiveness and job losses.
Verine Etsebeth, a lecturer in information security and data protection at the University of the Witwatersrand, says cybercrime is bigger than the global black market in marijuana, cocaine and heroin combined. She said earlier this year that there were twice as many cybercrime victims as newborn babies.
It is useful to consider the experience of a country such as the UK, which has a substantially bigger economy and which is typically a few years ahead of South Africa in technology trends and risks. More than 9-million adults in the UK have had online accounts hacked and 8% of the population say they have lost money to cybercrime in the past year. Cybersecurity experts at the University of Kent report that 2.3% of the UK population reported losing more than £10,000 to online fraud and cybercriminals.
In 2011, a UK government report said the overall financial effect of cybercrime on the British economy was £27bn a year. The main loser was British business, which took a £21bn hit, suffering high levels of intellectual property theft and industrial espionage.
And research published this year by the UK Department for Business, Innovation & Skills said more small businesses than ever face the threat of losing confidential information through cyberattacks. It said 87% of small businesses across all sectors experienced a breach in the past year. It cost small businesses up to 6% of their turnover — much more than the cost of protecting themselves from such attacks.
The UK government provides vouchers worth up to R7.5m for businesses to improve their cybersecurity by bringing in outside expertise. It also publishes guidance to help small businesses put cybersecurity higher up the agenda and to make it part of their normal risk-management procedures. And the UK government is spending £9bn on education, skills and awareness and will incorporate cybersecurity modules at schools.
South Africa can learn three things from the UK experience. First, we need to recognise and appreciate the huge threat posed by cybercrime. We have the opportunity to act early, based on the experience of others. Second, if South Africa tracks the UK experience, it can expect cyberattacks to increase substantially, with small business the worst hit. And, finally, there is a huge role for the government to play in the creation of awareness and skills to combat this threat to the economy.
In its April 2013 Crime Overview, the South Africa Banking and Risk Information Centre said the banking industry had experienced an average 25% drop in violent crime and a 20% average decrease in most categories of commercial crime. But electronic “phishing” incidents rose by 61% and the centre has graded cybercrime as a priority threat. Some local banking clients have been targeted by a sophisticated Trojan virus called Citadel, which infects computers, laptops or smartphones with malware that enables criminals to trick clients into sharing their banking login credentials.
There has recently been a belated and gradual realisation of how serious the threat of cybercrime is — not just to national security, but to business and the economy. The centre has taken the lead in organising the banking industry to resist the threat, and its member banks are establishing a Cybersecurity Incident Response Team, in line with government policy to create capacity to combat cybersecurity threats.
The overall responsibility for the development, implementation and co-ordination of cybersecurity initiatives, based on the National Cybersecurity Policy Framework, was given to the State Security Agency. It appears the agency will give preference to cybersecurity for government agencies, through the state-owned Electronic Communications Security Company. The Department of Defence is apparently tasked, within its responsibilities to counter cyberthreats, with also providing support for civilian agencies.
What is needed is a rapid acknowledgement by the government and business that cybercrime really is a potentially catastrophic threat, for which we need credible reporting and recording systems. Only then will we understand the threat, know if it is getting worse and be able to combat it.