14 June 2013

Defending SA’s cyber borders

State Security Minister Siyabonga Cwele

With the low costs of mobile data and the increased reliance on smartphones to run businesses or engage on social networks, data security breaches can have a significant impact on all of us.

The public and private sectors as well as individuals are at risk of anything from financial and identity theft to a loss of corporate reputation and trust.

A Mail & Guardian Critical Thinking Forum, sponsored by Neotel and held on June 4 in Johannesburg, raised the question of what the state and business could do to prevent security breaches from happening in the country.

The panel comprised Beza Belayneh, who heads up a high-level team of experts at the South African Centre for Information Security; Adam Schoeman, the information security officer for FNB Private Clients; and Dr Siyabonga Cwele, the minister of state security.

"When it comes to security breaches, there are three kinds of companies: the ones that have been breached and know about it; the ones that don't know about it; and the ones still to be breached. Although detection is always important, prevention is the key. With the threat landscape changing as a result of things such as cloud computing, big data and bring-your-own-devices, attacks are coming from all sides," said Belayneh.

Covering all angles
He said there was no silver bullet when it came to security because it had become so multi-dimensional.

"With individuals, companies and the public sector always susceptible, the question should be: are we all doomed? Unfortunately, the weakness of human nature — think greed, lust, and so on — is exhibited in cyber crime attacks. For example, phishing scams will appeal to those who find themselves in financial difficulty," he said.

Schoeman agreed about the inevitability of security breaches. However, he felt that companies should look at what could be done to ensure that breaches didn't become "game-enders" for organisations.

"We will always be outnumbered by our attackers and they will always have far more advanced tools at their disposal. Ultimately, they need to gain access to the network of an organisation just once to win in this game. But, we need to start changing the rules to avoid this from happening and focusing on the remediation cycle of security," said Schoeman.

For him, prevention was good but more had to be done when hackers broke into an organisation. This would minimise the impact of these breaches and ensure that malicious users wouldn't have access to all the data simply by getting through a single layer of security or backdoor.

"Companies need to start leveraging off their network infrastructure to improve security. They need to have improved communication to their hardware switches to get a clearer picture of where all their assets are. This will result in breaches being detected within a few hours instead of after days and weeks."

Cwele said that protection was a massive task not only for companies and individuals, but also for the state.

Cyber security policy
"Security is the very first duty of the government. Our focus is on protecting the entire country. At this moment we are finalising the drafting of the cyber security policy. It will be ready for public input by August.

"As government, we need to protect the databases that contain significant personal information on the citizens of the country. But it is not only against cyber crime that we have to be vigilant. Protecting against cyber terrorism is also vitally important," he said.

This meant that government not only needed to work closely with the private sector to protect the economy on all levels, but also with governments of other countries to minimise any potential damage done and risks on a cyber-level.

"While it is urgent to complete the cyber security policy, skills also need to be developed and people need to be trained across the public and private sectors to be aware of online scams and the importance of protecting personal information," said the minister.

Calling all cyber warriors to arms
Belayneh said that one way to do this was to take best practice examples from the international community.

"On its own, government cannot defend cyber space. We need to call on the cyber warriors in the private sector and academia to start helping protect the country. This is also a good way of seeing what skills exist in South Africa and what skills are required that need to be developed."

Schoeman said there were already initiatives between various banks to share information around security attacks, specifically regarding phishing schemes. The local banks were also working with Interpol to have phishing sites taken down quicker.

"We are monitoring those sites and learning from them about what they are doing and picking up on these cyber security trends.

"This has resulted in online banking security being continuously expanded. But it remains a public and private relationship.

"It is the responsibility of the entire industry to manage security breaches more effectively."

He said that the increasing use of mobile apps required a nuanced security approach.

"Any person can create a website that could be used for malicious deeds. Mobile apps are definitely more secure because they have to go through several checks and balances from the app store vendor."

Phishing is still prominent
Belayneh said that since 2011, South Africa had become the third most phished country in the world.

"This shows the clear need for public education when it comes to these scams. The way incidents are reported must also be made clearer and easier for people for the systems to be improved.

"Cyber crime has become a national crisis. It is no longer just about criminality, but has become a national security risk," he said.

Companies also had to improve their own security policies to be cognisant of personal devices. Hackers used devices that typically fell outside the corporate network to gain access to organisations, he said.

Information security is everyone's responsibility
"Compliance is good, but it breeds a relaxed attitude. Public awareness needs to improve around information security. Not only do people lose money and their online identities, but it can also result in a potential loss of life if someone gains access to a police database that contains information on whistleblowers," he said.

Legislation had the potential to positively change things.

Belayneh said that instead of clients reporting instances of security breaches, the onus would be on organisations to defend the security systems they were using. Not only could they be fined if their security was found lacking, but the potential reputational damage if they were outed in a public forum would inspire the industry to protect itself.

"All of society needs to take information security seriously. It is not just about protecting your money, but also about protecting your personal information.

"There are different units in the government looking at defensive and offensive responses. We need to be able to be on the attack in order to prevent certain hacks from happening," said the minister.