Education and not just legislation is needed to tackle cybercrime, write Prof Rika Butler of the School of Accountancy at Stellenbosch University and Mr Martin Butler of Stellenbosch University Business School in an opinion piece published on The Conversation website on Thursday (10 March 2015).
- Read the complete below or click here to for the article as published.
Education needed as South Africans are increasingly targeted in cyber attacks
Cyberattacks in South Africa
The latest data from two independent sources indicate that cybercriminals are launching a digital onslaught on South Africa. In January 2016, South Africa jumped from 67th position to 22nd position on cyber security firm Check Point's Live Cyber Attack Threat Map, that tracks global cyber-attacks in real-time. Doros Hadjizenonos, country manager for Check Point South Africa, noted "an increase in phishing attacks targeting video-on-demand users, who are tricked into handing over their passwords under the guise that their accounts need to be updated."
Meanwhile, internet security company Trend Micro's latest report indicate that unsolicited bulk email or spam, a popular method used to launch email phishing attacks, peaked at 2 269 039 during 2015. In addition, a total of 6 185 personal computers in South Africa that are protected by their technology had banking malware installed on them. Malware is malicious software that is downloaded onto a computer to perform a malicious act – such as stealing personal information like passwords and account numbers – even without the user's knowledge.
The heightened levels of cyber-attacks has not gone unnoticed by government. Deputy Minister of State Security for South Africa, Ms Ellen Molekane, highlighted the risks associated with these attacks during her opening address at the State Security Cybersecurity Conference in November 2015 stating that "…the whole world is witnessing a number of security breaches involving people's personal information including passwords and related data."
Phishing
Despite a low level of sophistication associated with attacks and low success rates, the high volume of messages typically associated with phishing attacks see it remaining one of the most popular methods employed by cybercriminals to steal the personal information of South Africans. Adding to its longevity is the proliferation of online services that has seen these attacks moving away from traditional attacks targeting mostly online banking to attacks aimed at any potential online value that criminals could gain by getting access to video-on-demand and other online services.
Phishing describes a method of online identity theft, in which cybercriminals attempt to trick computer users into divulging personal financial information such as passwords and account numbers. Cybercriminals then use this information to steal money or commit fraud which can result in huge financial losses for the phishing victim. Computer network and security firm RSA's Online Fraud Resource Centre estimates the global cost of phishing attacks for December 2014 at $453 million and estimates the total 2015 losses due to phishing in South Africa at $49 million.
The most popular technique that cyber criminals use to launch phishing attacks is by sending emails to computer users. In these emails they often describe a 'problem' (such as an account that needs to be updated) and try to convince computer users that their passwords or account numbers need to be provided to solve the 'problem'. Alternatively these emails can contain malicious attachments or install malware onto the user's computer.
The Cybercrimes and Cybersecurity Bill
In an attempt to address the risks posed by cyber threats such as phishing and to improve computer security within South Africa, the Cybercrimes and Cybersecurity Bill for South Africa was published on 28 August 2015. The Bill defines various offences relating to data, messages, computers and networks and makes any person who acquires, possesses, provides or uses personal- or financial information to commit an offence, guilty of an offence. In terms of the Bill unlawful acquisition, possession, provision, receipt or use of passwords, access codes or similar data also constitutes an offence. The Bill further determines that "passwords, access codes or similar data" includes a secret code or pin, security token, a word or a string of characters or numbers, or a password.
To ensure that structures are created to address cybercrime the Bill provides for the establishment of various new structures and positions by the Ministers of Police, Defence, Telecommunications and Postal Services. Proposed structures also include a 24/7 Point of Contact, Cyber Response Committee, Cyber Security Centre, National Cybercrime Centre, Cyber Command, Cyber Security Hub and Incident Response Teams that computer users can use to report cybercrime for prompt investigation. Importantly the new Bill also grants extensive powers to the South African Police Service and the State Security Agency to investigate, search, access and seize anything related to the investigation of such matters.
After the Bill was published widespread comment was received. Valid concerns raised included whether South Africa has the necessary knowledge and expertise in the cybercrime field to properly implement the new Bill. A revision of the Bill is currently underway and a new draft is set to be released within the next few months.
Research to improve online security
However, legislation which makes phishing a punishable offence and creates structures to report and investigate phishing alone will not be sufficient to protect South Africans against phishing attacks. Various studies have indicated that the computer user remains a weak link in the security chain when they unknowingly respond to phishing attacks. Cyberattacks are also becoming more and more sophisticated and less easy to spot by unsuspecting cybercrime victims.
Educating computer users on the risks that cyberattacks pose, including awareness on how to prevent and detect these types of attacks, have been suggested by various researchers and is essential in the fight against cybercrime. These awareness initiatives could range from placing relevant information on websites of financial institutions, to media awareness through newspapers, magazines, radio and TV. It could also include formal training sessions.
Researchers from Stellenbosch University are currently conducting research to find out how South Africans view the threat of phishing and what steps they take to avoid falling victim to phishing attacks. The information will help the researchers find ways to improve online security within South Africa. Whether you think you're vulnerable to phishing, believe you're well protected or genuinely have no idea, you can contribute to this research by clicking here to complete the survey.
