Cyber attacks are a growing risk to business in South Africa, but neither the government nor business is doing enough to combat them, according to cyber security experts.
A shortage of skills combined with a lack of urgency in implementing measures to tackle cybercrime has seen South Africa rank low on a number of cyber security assessments, according to Basie von Solms, director of the University of Johannesburg’s Centre for Cyber Security. Cybercrime has a negative effect on South Africa’s productivity, national security and its attraction as an investment environment.
SA Centre for Information Security CEO Beza Belayneh says South Africa is not doing well in global comparisons in terms of the number of victims and the amount of money lost. "Different surveys find SA is between third- and sixth-worst in cybercrime," he says.
The 2013 Norton Report has found that South Africa has the third-highest number of cybercrime victims, after Russia and China.
Prof von Solms says cybercrime is largely unregulated by government agencies. "Business is also guilty of not doing enough to tackle cybercrime, but government should be the guide," he says.
The Cabinet passed the National Cyber Security Policy Framework in March 2012. It took another 18 months for the Department of Communications to appoint the National Cyber Security Advisory Council in October last year.
The framework is supposed to co-ordinate government actions on cyber security and ensure co-operation between the government, the private sector and civil society on tackling cyber threats. The policy is not yet publicly available.
"It’s really stupid that guidance on how to secure cyber space in SA is kept under wraps, as many of the problems would be dealt with by this guiding document," says Prof von Solms.
The Electronic Communications and Transactions Act 2002, which provides for inspectors to enforce cyber security in South Africa, has not been fully implemented and is now being rewritten.
"The work of a cyber inspector wasn’t really spelt out in the act and after 12 years we haven’t seen a single inspector. We just haven’t got the skills," says Prof von Solms.
Mr Belayneh says the problem is Parliament’s inability to multi-task. He says the Protection of Personal Information Act, signed into law in November last year, was nine years in the making. During this time MPs were focused on dealing with the breach of privacy, and the issue of cybercrime was neglected. What is most concerning is that this neglect has put the country’s security at risk, he says.
Wolfpack Information Risk’s report, titled The South African Cyber Threat Barometer 2012/13, identifies the lack of a national computer security incident response team as a major concern. Mr Belayneh agrees.
Should South Africa’s strategic infrastructure, such as aviation or financial systems, come under cyber attack, the country does not have a national response team to co-ordinate a cyber defence strategy.
"We need a national centre that could co-ordinate a plan for the cyber attack that people think could never happen, but can," Mr Belayneh says.
Director and joint head of Forensics at ENSAfrica David Loxton says that two years ago, the bulk of his practice was devoted to procurement fraud and business hijackings. However, in the past year it has shifted to cybercrime — "the forum of choice for white-collar criminals".
Mr Loxton predicts that in the next three years the fruits of cybercrime will outweigh the fruits of all other white-collar crimes.
Globally, governments and the private sector are taking cyber security increasingly seriously. It has moved from 12th place in 2012 to third place on the Lloyd’s 2013 Risk Index Report of concerns to global business.
PwC’s Global State of Information Security Survey 2014 has found that while organisations are spending more on security, cyber criminals "have done even more".
Detected security incidents had increased 25% over the previous year, while the average financial costs of incidents rose 18%, says PwC. This comes as respondents overall spent 51% more on security last year than the previous year. This, however, makes up only about 4% of their total IT spend.
Prof von Solms, recently returned from a sabbatical at Oxford University’s Global Centre for Cyber Security Capacity Building, says the UK has established 11 centres for cyber skills development allied to universities.
The Indian government is sponsoring the training of 500,000 "cyber warriors", while South Korea produces 5,000 cyber specialists a year, he says. "But in SA there is no national effort."
Mr Loxton says South Africa has a serious skills crisis in this area. In his experience, police lack the expertise to deal with cybercrime and there are "very few prosecutors in SA who understand it".