Cybercrime is increasing at an alarming rate across the world and has become one of the biggest threats faced by companies, governments and individuals, as the spread of digital technology and connectivity makes every form of human activity vulnerable to attack.
Global research company Cybersecurity Ventures predicts that the damages from cybercrime may cost the world $6tr a year by 2021, up from $3tr in 2015. Its estimates include everything from the damage, theft, and destruction of data, to stolen money, lost productivity, the cost of recovery from an attack and reputational harm.
A more grounded figure from US global computer security company McAfee puts global losses in 2017 at $600bn, which nonetheless amounts to more than the income of almost all but a few countries.
In the context of the worldwide internet economy, which amounted to $4.2tr in 2016, cybercrime could be viewed as a 14% tax on growth, it says.
Part of the difficulty in calculating the impact of cybercrime is that much of it goes unreported and even undetected.
In the absence of laws forcing disclosure, companies are reluctant to publicise cybersecurity breaches.
“The reality is that no one has a good handle on it because a lot of cybercrime happens below the waterline,” says Brian Pinnock, director of sales engineering for the Middle East and Africa at Mimecast, an international company which focuses on email security. “Until people start disclosing their status, you don’t know how bad the epidemic is.”
Nonetheless, the figures which are available are alarming. McAfee says that nearly two-thirds of the people who use online services, or more than 2bn people, have had their personal data stolen or compromised.
The scale, frequency and impact of big cyber attacks are escalating as criminal syndicates become increasingly sophisticated and adopt new technologies – there were 181.5m attacks in the first half of 2018, up 229% from the same period the previous year, the company’s report shows.
There are literally thousands of flourishing cybercrime marketplaces on the dark web offering a broad array of tools and services for criminals, including ransomware, the fastest-growing cybercrime tool. Ransomware uses a technique called cryptoviral extortion to make the victim’s system or data inaccessible and enables the criminal to demand a ransom to decrypt it or to refrain from publishing private files.
“The way we are preyed upon by criminals has changed. We understand how to protect ourselves from physical crimes, but cybercrime is different – it is nameless, faceless and borderless. We can’t protect ourselves directly because most of us are not IT security professionals, and there is no failsafe system,” says Rohan Isaacs, who heads the technology and privacy team at law firm Herbert Smith Freehills in South Africa.
Email is the single biggest attack vector for cybercrime, accounting for about 90% of the total. Mimecast’s global email security report for 2019 shows that 61% of businesses believe it’s either likely or inevitable that they’ll suffer a negative business impact from an email-borne attack.
The frequencies of the most common types of email attack – phishing, ransomware and business email impersonation – have all surged, with 71% of respondents reporting that malicious activity was spread from one infected user to other employees in their company, up from 64% in 2018. Research shows that human error is the biggest cyber risk for any organisation, ranking higher than software flaws and vulnerabilities.
Training helps to mitigate the possibility of a data breach, but employees still represent the biggest risk, no matter how skilled, experts say. “The assumption that if people are conscious and aware, they can outsmart criminals, is flawed because there is no way that normal people can be one step ahead,” says Michiel Jonker, director for IT advisory at financial services firm BDO in Johannesburg.
“A normal person doesn’t get up in the morning and think – how can I commit fraud? Criminals are playing in that space and there will inevitably be breaches.”
Pinnock says there is evidence to show that when criminals plan to attack a large and well-defended company, they will literally carry out a return on investment analysis to gauge whether the time and money they spend on an attack will make the endeavour profitable.
The cyber defences of large companies – which have more money to spend – are generally more sophisticated and harder to crack, while those of smaller companies offer less reward but are easier to breach. Once inside a company’s digital network, hackers can spend months there undetected before launching an attack. “Most organisations are blissfully unaware of the degree of cybercrime that’s out there. People believe they are well-protected, and they are definitely not – they are using yesterday’s technology to protect themselves against today’s threats,” Pinnock says.
Many South African companies also had their heads in the sand and the country is seen as a “hotspot” for cybercrime globally, he adds. The global Cyber Exposure Index ranks SA sixth on the list of most-targeted countries for cyber attacks, with the highest concentration of exposed businesses.
In its Financial Stability Report, released on 28 November, the South African Reserve Bank highlighted cyber risk as one of the main threats to the sector in SA, warning that cyber attacks could have direct material consequences for financial institutions through financial losses, as well as indirect costs, such as reputational impact. Again, the cost of cybercrime is hard to measure as South Africa has no laws requiring disclosure.
The Protection of Personal Information Act (PoPI) – which was enacted in 2013 but has yet to be put into practice in its entirety – will establish the minimum requirements which businesses must comply with when processing personal information. It also requires that third parties be notified as soon as possible if there is a privacy breach, so that they can take precautions.
“It is getting more and more urgent that this law gets passed into force,” Isaacs says. “If companies aren’t transparent about data breaches when they happen, and what they are doing about it, they suffer reputationally. Companies that are transparent can enhance their reputations for honesty and integrity.” According to an annual report from the SA Banking Risk Information Centre, there were 23 466 incidents across banking apps, online banking and mobile banking applications in 2018 – up 75% from 2017 – which led to R263m in gross losses.
Mimecast’s email security report showed that 51% of SA respondents believed that it was likely or inevitable that they would suffer a negative impact from an email-borne attack, and yet less than half had a proper cyber resilience strategy in place. Nearly 90% of the respondents said they had experienced a phishing attack, which refers to a fraudulent attempt to obtain sensitive information like usernames, passwords and credit card details by disguising the sender as a trustworthy entity.
More than 80% of the respondents said they had experienced an email impersonation attack, which is designed to trick key users into making wire transfers or other transactions by pretending to be the company’s CEO, CFO or an external organisation which works with the company. A “jaw dropping” 69% of the respondents who did experience that sort of attack reported that it had led to a direct loss involving data, finances, or customers, according to Mimecast.
The average total cost of a data breach in South Africa rose by 12.6% last year to R43.3m, according to a report conducted by the Ponemon Institute for IBM Security. The mean time to identify a data breach increased to 175 days from 150 days while the mean time to contain the breach rose to 56 days from 40 days. However, only 21 companies participated in the report, which means that the figures may not be representative.
Nonetheless, the list of high-profile cyber attacks in SA is growing, with the country’s largest data breach to date exposing the data of about 30m clients at insurance firm Liberty in June 2018. The previous month, the data of nearly 1m clients was leaked at traffic fines online payment website ViewFines.
In October this year, the cyber network of the Johannesburg City Council was shut down for nearly two weeks by hackers demanding a ransom. It followed a separate, similar attack on City Power in July.
Industry experts say that those attacks can be seen in the context of a volley of ransomware attacks on cities and local governments across the world, particularly those in the US, which often pay ransom to get back up and running. Cities are soft targets for cyber criminals because their digital technology is often outdated and they lack the skills to defend themselves.