Business Day (Johannesburg)

South Africa: Companies Battle to Stay Ahead of Cyber Crooks

Lesley Stones

10 December 2007


Johannesburg — NO MATTER how smart your information technology workers are, somebody out there is even smarter. Which spells trouble for companies as cyber criminals develop increasingly sophisticated ways to tap into corporate secrets and syphon cash from their customers' bank accounts.

Cyber crime is evolving into a major industry every bit as skilled and commercially focused as the companies under attack.

The bad guys probably have more fun, too, with little risk of detection as they make their millions by fooling the weak, ignorant, foolish and ill-prepared. Their work is made easier by instant global connectivity that lets hackers target anyone in any country at any time.

The steady rise of internet access means SA has lost the near immunity it once enjoyed. Online frauds and electronic corporate espionage are on the rise, as hackers try to find out which products a rival is working on or access its customer database.

SA already has the world's highest level of white-collar crime, with 72% of companies falling prey in the past two years, according to a PricewaterhouseCoopers survey.

Their average loss was put at almost R7,5m. That will rise as other countries tighten up their data protection laws and implement heavier governance requirements. As foreign businesses lock down, hackers will target rich yet lax companies in SA. Not surprisingly, CEOs have begun to take cyber crime and data security far more seriously, with 73% now recognising it as important compared with just 41% a year ago.

Companies that handle data protection well can tout that as a competitive advantage, says Michael Heaney, Ernst & Young's manager of technology and security risk services. If customers feel their privacy is protected and they can transact online in safety, corporate efforts to implement security not only limit the risk but increase the reward.

Data security has to be a board-level issue, Heaney says. "Due to the increase in white collar crime in SA, identity theft and data leakage of personal and business-related information is becoming a key focus area.

"There is a constant cat-and-mouse game between hackers trying to access information for financial gain and companies trying to catch the hackers."

One increasingly common scam is phishing, where crooks create almost perfect replicas of websites of financial institutions and ask customers to update their personal details. When customers enter that information, fraudsters can use those legitimate details to electronically enter their bank accounts.

Last month the Novalis Ubuntu Institute for orphans had R90000 drained from its account after criminals stole the identity of its chief financial officer by phishing. Then they cancelled her cellular SIM card and had MTN issue a replacement, letting the criminals receive a once-off password sent by the bank to access her account.

Human error is often the weakest link in the security chain, Heaney says. Companies must focus on their people and processes as much as technologies. "People spend a lot of money implementing the correct security controls, then a user puts their password on a Post-It note."

The main reason why companies are taking electronic threats far more seriously is simply to meet intensifying corporate governance demands. Although SA's rules are still fairly lax, companies that trade with European or US firms will soon need to meet the more intensive data security standards emerging overseas.

"In the last year more of our customers wanted to check whether people can get into their systems and that wasn't a question they asked a year ago," says Ernst & Young associate director Kulu Prinsloo. The fallout from not meeting required security standards can be enormous -- it could even kill a business. One US company saw its market cap plummet almost 40% practically overnight when it admitted it had failed to meet governance demands, Prinsloo says.

Yet companies must strike the right balance between risk mitigation and operational efficiencies. Banks could have let their clients transact online years ago, but locked them out for safety reasons. Keeping the doors closed too tightly can mean missing potential business opportunities, just as too many security hurdles can prevent employees from working efficiently.

Data-protection company Symantec expects to see a further increase in the professionalism of cyber crime next year. Attacks on cellphones will also be big business, predicts its senior security consultant Ivor Rankin.

Cellphones are the least protected devices in the computing arena. Yet most handsets have fully fledged operating systems and internet browsing software, so theoretically the threats now common to personal computers can migrate to cellphones.

According to a recent poll at a hackers' convention in Las Vegas, hackers are more interested in cracking mobile codes than anything else. Since numerous companies are using cellphones for e-mail, banking and business correspondence, the potential for data compromise is enormous.

Experts at McAfee take a slightly different view, warning that a rise in international cyber spying poses the biggest single security threat for next year.

Both governments and anti-establishment groups are using the internet for spying and committing cyber attacks, they say. Targets include critical national infrastructure systems such as electricity grids, air traffic control, financial markets and government computer networks.

Attackers have become well-funded and well-organised in their political, military, economic and technical espionage. And despite the huge resources of money and talent available to many governments, they are still vulnerable to cyber attacks and do not always understand the risks, according to North Atlantic Treaty Organisation insiders.

That means cyber crime is no longer just a threat to industry and individuals, but to national security too. "We're seeing emerging threats from increasingly sophisticated groups attacking organisations around the world," says McAfee Africa director Chris van Niekerk.

McAfee also predicts next year will bring more sophisticated threats to personal data and online services such as banking. A sustained cyber attack on banks could severely damage public trust in online banking and put the brakes on e-commerce. Critics fear the efforts to step up online banking security will not be effective enough or fast enough, Van Niekerk says.

Cyber criminals will also look for ways to exploit the popularity of social networking sites such as MySpace and Facebook.

As evidence of how cyber crime has turned into a new economic sector in its own right, criminals can rent ready-made international networks of remotely controlled computers to send out millions of phishing messages, and buy custom-written viruses designed to steal credit card data.


Copyright © 2007 Business Day. All rights reserved. Distributed by AllAfrica Global Media (allAfrica.com).
