The increase in data breach and cybercrime as modern technology takes over the world

July 1st, 2018
x
Bookmark

By Kgomotso Ramotsho

Mr Swales added that research statistics in 2016 show that most South Africans spend two to three hours on social media a day. He said that there is a variety of social media platforms and South Africans use them widely. He pointed out that an important aspect of social media is that everyone has become their own editor and can easily place content all over social media platforms, which sometimes includes defamatory content that many people can be exposed to. He noted that in earlier years for one to get published, they would have to write to a newspaper or have a similar kind of format to get ideas out to the public.Thomson Wilks attorney, Lee Swales said technology has become an indispensable part of modern life. He added that technology has changed the way people communicate and do business, and because of that technology has logically changed regulations in the technology environment. Mr Swales was speaking at the Lex-Informatica annual SA Cyber Law and ICT Conference held in Johannesburg on 24 and 25 May.  He noted that South African statistics showed that 15 years ago approximately 5% of the population had Internet access. Fast forward to 2018 and half of the population can access the Internet largely because of mobile connectivity. He pointed out that developing countries such as South Africa (SA), has distributed mobile connectivity which means that social media is used regularly and communication is changing and there could, in future, be some legal dispute arising over these mediums.

Mr Swales said that if you put something on a social media platform and delete it, it is likely that before it gets deleted someone would have liked or shared it with other users. He added that posting on social media has come to a point where one cannot control what gets out to the public. He highlighted cases where there have been social media explosions that have seen laws promulgated relating to data protection, cybercrime and cyberbullying, cases such as Trustees for the time being of the Delsheray Trust and Others v ABSA Bank Limited [2014] JOL 32417 (WCC).

Mr Swales noted a few current trends happening with regards to technology, such as:

  • Privacy concerns and new privacy laws. Mr Swales said that on 25 May, the European Union (EU) enhanced the General Data Protection Regulation (GDPR), a new privacy law designed to protect the personal information of EU residents. He added that it is only relevant to South African businesses if a business processes personal information of EU residents. He added that it is similar to the Protection of Personal Information Act 4 of 2013 (POPI), however, the GDPR seeks to achieve the same thing.
  • Rise of fake, online news sites (fake news).
  • Corporate and political use of social media as a tool for building narrative and selling products (paid twitter).
  • Services of legal process via social media.
  • Business regulation of Internet and social media use.
  • Continual rise in dismissals/warnings for social media misconduct.
  • Defamation online commonplace/hate speech being regulated strictly in future.

Mr Swales said people can manage risks when using social media by engaging in a manner that is professional, ethical and respectful. He added that if you would not say it, or show your message to a room full of people, do not post it on social media. He pointed out that one should not post personal details and protect one’s online privacy, understand the security and privacy details. He noted that people should be aware of fake news and must quantify what they share on social media or the Internet.

Director in Technology and Sourcing practice at Cliffe Dekker Hofmeyr, Simone Dickson, spoke about Cybercrime and Cybersecurity Bill B6 of 2017.

Overview of cybersecurity legislation

Director in Technology and Sourcing practice at Cliffe Dekker Hofmeyr, Simone Dickson, said the Cybercrime and Cybersecurity Bill B6 of 2017 (the Bill) gives effect to a number of cybercrimes. She added that cybercrimes are recognised under the legislation and pointed out that a lot of these crimes dealt with data. She noted that unlawful and intentional accessing of any data from a computer system or device is an offence under the Bill, as well as the acquiring of data which is unlawfully obtained. Interfering with data, hacking into a system and using specific data for unlawful and intentional purposes, performing any unlawful acts in respect of data whether software or hardware, tools that one builds, licence or buy to use to hack into a system to commit any cyber offences, also fall under offences in the Bill.

Ms Dickson added that the unlawful acquisition of passwords or access codes including a user’s password is an offence under the Bill. She said the crimes of fraud, extortion, and forgery have been given specific recognition as offences under the Bill, as well as intangible theft of software products. She pointed out that the Bill makes provision for a number of aggravated offences, which will result in serious loss if one had to commit that offence. She noted that the Bill stated that any hovering, concealing, assisting in any of the above mentioned crimes would constitute as an offence.

Ms Dickson said that the Bill also made provision for offences relating to malicious communication. She pointed out that if one person sent an e-mail to the next person and the e-mail purposely incited violence, condemned privacy or instituted discrimination it was a clear offence under the Bill. When data is sent out that is harmful, intends to bully or harass or intimidate it is also an offence under the Bill.

Ms Dickson added that another offence under the Bill was revenge porn. She said if anyone had not consented and there is a naked image of them, which was shared electronically it is an offence under the Bill. She pointed out that the remedies to these offences were that victims could make a case at the South African Police Service (SAPS) who in turn would issue an order which can order the service provider to remove or disable access to the data to prevent further distribution. She said that the SAPS has the power to inquire about the identity of the source where harmful content came from.

Ms Dickson, however, said the problem was that when data is placed on social media, it cannot be taken back but one can only try to prevent further distribution. She added that jurisdiction with cybercrime is different to any other jurisdictional issues, which are traditionally territorially based. She noted that there has to be cooperation and support between countries to combat cybercrime, because victims implicated in cybercrime may be located in different countries and the crime may be perpetrated from anywhere in the world.

Ms Dickson said that SA’s Bill has a very instinctive jurisdiction provision. She pointed out that a court in SA trying an offence has jurisdiction if the offence was committed in SA, or if any part of the preparation of the offence was committed in SA, if the offence was committed by a South African resident or person with South African residence, even though at the time they are not in SA or away on business, or a person who is on business in SA. This would include if the offence was committed on board a ship or aircraft registered in SA. She said that the Bill provides for fines and imprisonment, however, the current draft does not provide the value of the fines.

Ms Dickson added that there were various structures put in place to help enforce the Bill. She said the SAPS have been given power to search, seize and investigate cybercrimes. She said the Bill allowed the SAPS to search or seize without a warrant in certain circumstance. She pointed out that the Minister of Police is tasked with essentially a contact body, which will be active on a 24 hour basis to respond to immediate threats, investigate and assisting complainants with the potential offences. She noted that the Minister of State Security has been tasked with the responsibility of cybercrimes and cybersecurity within government.

Ms Dickson said the Minister of Defence has also been tasked to establish a cyber offence department, which will look at the coordination of cyber threats, not just in SA but on a mutual assistance basis with other countries. She pointed out that in her view on paper the Bill’s enforcement of powers are good, however, on a practical level the way the powers are split in different ministries may create problems and a lot of finger pointing. She added that the Minister of Telecommunication and Postal Services is tasked to work with the private sector by getting the private sector to buy-in and establish the necessary structures, directives and standardised procedures to make sure that cyber responses are uniform and consistent.

The impact of cyber security and data protection

Director at Snail Attorneys, Sizwe Snail said everyone has been a victim of cybercrime, whether it was successful or only an attempt. He added that IT law is a problem for everyone, be it government, minors at school or even adults who are surfing the Internet trying to buy things online. He went through some of the questions he and his co-authors Anthony Olivier and Jason Jordan answered in The Cybercrimes and Cybersecurity Bill Pocket Book 1ed (Cape Town: Juta 2018), which included: How does the Bill substantially change the legal position as it was in the Electronic Communications Transaction Act 25 of 2002 (ECT Act) regarding cyber criminality? Mr Snail summarised the answer and said that the Bill is the first piece of independent draft legislation in SA that combines the aspects of cyber criminality (procedural law and substantive law) and cybersecurity structures proposed in the Bill that are the result of the previous National Cyber Security Policy Framework of 2012. This means that all the sections dealing with cybercrime and cybersecurity in the ECT Act will be repealed.

Director at Snail Attorneys, Sizwe Snail said everyone has been a victim of cybercrime, whether it was successful or only an attempt. He spoke on 25 May at the Lex-Informatica annual SA Cyber Law and ICT Conference held in Johannesburg.

Mr Snail pointed out that there are cybersecurity structures and international cooperation to name a few –

  • the Cyber Response Committee (the Justice, Crime Prevention and Cyber Security Cluster);
  • the Cyber Security Centre;
  • the Cyber Command (within South African National Defence Force (SANDF));
  • the National Cybercrime Centre (within the SAPS);
  • the government security incident response team (e-gov Computer Security Incident Response Team (CSIRT)); and
  • the private sector security incident response team (private sector CSIRT).

He said that these structures already exist, however, they have not been put into one piece of legislation.

Mr Snail also dealt with a question on how the new Bill deals with cyberwar. He said that the Bill envisages the existence of cyber command, which will be housed in the SANDF. He added that there is an issue of cyberterrorism and said that in 2015 there was a section on terrorism, however, he noted that a decision was taken not to include cyberterrorism in the Bill. He pointed out that it was not meant to be included as there already was terrorism legislation that would deal with terrorists, he suggested that if an issue of cyberterrorism must be dealt with, the terrorism legislation should be amended to include cyberterrorism.

Mr Snail touched on the legal position on jurisdiction. He said s 90 of the ECT Act includes a section on jurisdiction and extra-territorial jurisdiction in particular that sets out the instances in which South African courts have extra-territorial jurisdiction. He added that jurisdiction was a problem and in some instances, there were countries who wanted to bully other countries, such as America calling on other countries to extradite criminals to their country. He pointed out that he was concerned about the concept of cloud service and that the South African government is looking into implementing a policy to move to the cloud. He said that if the government was not safe in a physical data environment, then how would they be secure at a cloud environment?

Mr Snail added that data breaches have been going on and they are still going to continue. He said the only difference now was that people were aware of them. He pointed out that it was important for businesses to have a competent IT specialist and department and to spend, money on cybersecurity for data breaches, defences and in certain circumstances spend on cybersecurity offences. He noted that the whole culture of protecting information needs to change and people should protect their personal information and protect their freedom of speech.

Digital forensic and managing insider threats

Digital forensic expert, Yusuph Kileo, said according to an insider threat report released this year, 27% of organisations said insider attacks have become more frequent. He added that insider threats are malicious threats to an organisation that come from within the organisation, such as employees, former employees, contractors or business associates who have inside information concerning the organisation’s security practices, data and computer systems.

Mr Kileo said types of insider threats are namely –

  • privilege escalation by impersonation;
  • privilege escalation by exploiting vulnerabilities;
  • own privilege abuse; and
  • social engineering attacks.

He added that insider threats mostly happen because of –

  • frustration with co-workers;
  • stress that an employee may have;
  • financial problems that employees may find themselves in;
  • unaddressed grievances;
  • feeling ignored or mistreated;
  • taking revenge for perceived injustices; or
  • acting on opportunity.

He pointed out that there were common insider threat indicators, which could include –

  • attempts to bypass security controls;
  • requests for clearance or higher-level or access without need;
  • frequent access of workspace outside of normal working hours; and
  • irresponsible social media habits.

Mr Kileo said that when dealing with risks from insider threats, organisations must do background checks as pre-hire screening of employees. Watch employee behaviour and make separation of duties and least privilege. He pointed out that employees need to work at their fields and only access resources relating to their work. He added that organisations must also control user access, make use of strict password and account management policies. Mr Kileo noted that organisations need to monitor user actions in terms of software monitoring, as well as video recordings of all user sessions, which security specialists can review. Organisations should implement policies and employee recognition programs, and include training and educating staff on certain security practices and consequences.

Mr Kileo said other key findings that were found on the insider report, was that the most popular technologies to deter inside threats are data loss prevention, encryption and access management solutions. He added that to better detect active insider threats, companies deploy intrusion detection and prevention and log management. He pointed out that organisations need to build successful insider threat programmes.

Mr Kileo noted that there are eight steps to building a successful threat programme and organisations should have the following –

  • gain senior leadership endorsement and develop policies that have buy-in from key stakeholders and take into account organisational culture;
  • develop repeatable processes to achieve consistency in how insider threats are monitored and mitigated;
  • leverage information security and corporate security programmes, coupled with information governance, identify and understand critical assets;
  • use analytics to strengthen the programme backbone;
  • coordinate with legal counsel early and often to address privacy, data protections and cross-border data transfer concerns;
  • implement a clearly defined consequence management process so that all incidents are handled following a uniform standard, involving the right stakeholders; and
  • create training curriculum to generate awareness about insider threats and related risks.

Mr Kileo pointed out that when developing an insider threat programme organisations should collaborate with stakeholders/other departments to identify critical assets, risk indicators, relevant data sources, compliance requirements, cultural concerns and privacy implications.

Kgomotso Ramotsho Cert Journ (Boston) Cert Photography (Vega) is the news reporter at De Rebus.

 This article was first published in De Rebus in 2018 (July) DR 16.

Loading...