The US Federal Bureau of Investigation has ranked South Africa sixth and seventh on the cybercrime predator list, which means that there is an increasing amount of fraud being perpetrated from the country, says computer forensics company Cyanre CEO Danny Myburgh.
Speaking at the ninth Chartered Secretaries Southern Africa Premier Corporate Governance conference in Johannesburg on Tuesday, Myburgh noted that cybercrime was becoming a major problem in South Africa. “It seems as if boards and non-information technology (IT) people are realising that cybercrime can totally devastate an organisation,” he said.
Myburgh highlighted three types of illegal cyber activities, namely cybercrime, cyberwarfare and cyberterrorism and that, in terms of the latter two, South Africa was not that high on the threat list, he said.
“Traditionally, we’ve had common law offences such as theft and corruption, where people perpetrate information using a computer to falsify invoices. The Electronic Communications and Transactions Act covers illegal access to information and damage to data.
“We are now waiting for the new Cybersecurity Bill to become legislation, which will define aspects such as defrauding a person through means of false websites,” he noted.
Myburgh pointed out that 79% of all online phishing victims lose their money, and that South Africa was the twenty-third highest attacked country in terms of hacking and cybercrime. For instance, one out of 14 emails sent in South Africa is a scam, according to Myburgh.
“South Africa is becoming a target internationally and we are falling victim to these types of crimes more frequently,” he said.
Myburgh added that 52% of global Internet users become victims of cybercrime, with a $476 loss on average per incident in South Africa.
Meanwhile, distributed denial-of-service attacks – where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet – increased between October and December. Attacks from Vietnam and Russia were at 22%, China was at 21%, Brazil was at 15% and the US at 14%.
Myburgh explained that syndicates had two different cyberattack methods, namely spear phishing, which focuses primarily on an individual; and whale phishing, which focuses on an organisation.
“They use what they call ‘social media engineering’ on their targets, which include going into a person’s social media, gathering information from their posts, and using that to populate the attack on you,” he noted.
Myburgh added that companies and corporations were becoming more at risk of cybersecurity breaches, and warned that they should be prepared and have a strategy in place for when it happens.
“Breached companies risk exposing financial and customer data, along with damage to their network and other IT infrastructure. Their intellectual property, bid data, legal strategies, and information about potential mergers and acquisitions are sensitive and vulnerable areas that could be compromised.”
Myburgh highlighted that companies in certain sectors also face fines for not complying with security rules.
“While calculating the direct cost of a breach is difficult enough, it can also impose indirect costs. This can include damaging companies’ reputations and souring customer loyalty.”
Myburgh noted that, if a major retail chain suffers a breach and customer credit card data is exposed, the business could lose money if customers no longer shop there.
In another situation, a health insurer could suffer a customer backlash if a breach exposed personal medical information.
A HIGHER STANDARD OF CARE
Directors also face increased liability for how they act, or fail to act, during a breach.
“Some recent high-profile breaches have prompted lawsuits against directors for fiduciary duty breaches and calls to remove them from boards,” said Myburgh.
He pointed out that awareness was the number one safeguard organisations could use in terms of protecting themselves, adding that their personnel needed to be aware of the threat of cyberattacks.
“Organisations should also update their security measures. Attackers only need to get it right once before they have all your sensitive information,” he concluded.