Africa must share cyber security info

By Admire Moyo, ITWeb's news editor.
Johannesburg, 08 Nov 2013
In Africa, a shortage of government and private industry stakeholder initiatives increases risk for local governments, companies and citizens, says Wolfpack's Craig Rosewarne.

Africa needs to share ideas on cyber security if it is to mitigate the risks posed by ever-increasing threats.

So said Craig Rosewarne, MD of Wolfpack, a local company specialising in information risk, during the CyberCon Africa 2013 Conference, in Johannesburg, this week.

According to Rosewarne, information sharing is crucial for the continent, as it will result in companies, governments and citizens being better prepared to deal with cyber crime.

Referring to Verizon's 2013 Data Breach Investigations Report, Rosewarne said no one is immune from attacks. The report found that more than half of the 44 million records compromised last year were taken through hack attacks, while external parties committed the bulk of the 47 000 security incidents reported.

Cyber security involves information security, ICT security, network security as well as Internet security, Rosewarne said.

He added that cyber threats fall into three broad categories, namely: cyber warfare, mainly motivated by destructive forces; cyber espionage, motivated by the need to extract information; and cyber crime, driven by financial gain.

However, he said: "Our defences are not as strong as they are supposed to be. In Africa, a shortage of government and private industry stakeholder initiatives increases risk for local governments, companies and citizens."

In SA, he said, at the national level, the country is not doing enough on vulnerability and threat management to prevent cyber crime. SA also does not have adequate skills to fight cyber crime in SAPS and the National Prosecuting Authority, he noted.

"A large percentage of the incidents are not being reported to law enforcement or government agencies. Of the cases reported, an even smaller percentage actually makes it to the courts, where successful prosecutions take place, and information is made available to the public domain.

"South Africa also has weak fraud detection mechanisms; does not have a computer security incident response team; and also suffers from minimal cross-industry collaboration. Smaller cyber crime cases in South Africa are also usually neglected; and the country lacks quantitative cyber crime figures. There is a need for improved or streamlined processes to deal with cyber crime," said Rosewarne.

He noted that other countries, like the US and the UK, have rated cyber crime as a tier one threat, adding that the recent 2013 Lloyd's Risk Index, conducted among global CEOs, rated cyber risk as the number three concern facing corporates today.

To mitigate risk, Rosewarne said enterprises must abide by suggested standards and best practices like King III, Cobit 5.0, ISO 27001/2, and SANS 20 Critical Controls.

He also revealed that organisations must manage cyber risk within their bigger governance, risk and compliance programmes, while government must set up national cyber security programmes that identify and engage stakeholders.

"Governments must also set vision, scope, objectives and priorities, and follow a national risk assessment approach. They must also take stock of existing policies, regulations and capabilities. It is also essential to organise cyber security as well as fostering R&D for cyber crime."
