The POPI hoo-ha

Complying with the Protection of Personal Information Act will reduce real risks for companies.

By Yolanda Smit, strategic BI manager at PBT Group.
Johannesburg, 01 Sept 2014

A Verizon study[1], drawing on data contributed by 50 global organisations and covering breaches and incidents over a period of 10 years, yielded some interesting results. In 2013 alone, a total of 63 000 security incidents were reported, with 1 300 confirmed data breaches, across 95 countries (South Africa included).

Larger enterprises seem to grasp the reason for privacy legislation like the Protection of Personal Information (POPI) Act, as they are more acutely aware of the risks and issues experienced, in some cases by themselves or their local peers, but even more so by their global peers. Some SME players, however, tend to ask "Why POPI?" more often. For them, here is some insight:

In July 2013, McAfee[2] reported that cyber crime costs the global economy between $300 billion and $1 trillion per annum. The report gives some comparative figures to put this in context: global losses to piracy were estimated at up to $16 billion in 2005, and drug trafficking at $600 billion. As with cyber crime, the cost of these crime categories to the global economy is difficult to estimate accurately, but it is clear that cyber crime is one of the key culprits.

Modus operandi

The main threat action reported by Verizon[1] is hacking, which shows an exponential increase since 2009. Malware comes second; however, the steeper growth curve of social attacks suggests they will overtake malware as a preferred cyber crime strategy within the next year or so.

Within hacking, the most prevalent techniques are the use of stolen credentials and SQL injection. Phishing is the primary social attack technique, as it is also the most successful way (combined with key logging) to obtain the credentials that are then used for hacking.

What type of information interests cyber criminals? According to the Verizon[1] report, the primary motivation for cyber attacks remains financial, although espionage is on the increase as a motivation. One can argue that the ultimate goal of espionage remains financial too.

Criminals motivated by espionage are interested in internal corporate data, trade secrets and other confidential information. The predominantly finance-motivated cyber criminals, however, chase credentials, bank account information, payment card information, and any personal information that enables identity theft as another avenue to money.

Stolen identity

Turning to identity theft, Javelin Strategy & Research[3] reports a steadily increasing number of identity theft victims in the USA, with the number of victims in 2013 reaching 13.1 million people (approximately 4% of the population), a 28% increase since 2010.

On home soil, SA is no island when it comes to cyber crime. The local economic impact has been estimated at R5.8 billion[4] per annum. According to Compuscan[5], the Southern African Fraud Prevention Service reported a 27% increase in fraud, with over 14 000 new incidents recorded in 2012.

All of these insights bring the realisation that cyber crime is a threat everyone faces, globally. What makes it so challenging is that cyber crime is extremely difficult to combat. For this reason, more and more countries are resorting to legislation that turns a failure to take reasonable measures against the crime into an offence in its own right. In the analogy of a physical burglary, legislation like POPI effectively makes lax and irresponsible behaviour, such as not fitting burglar bars on windows or an alarm system in the home, an offence.

So, yes, complying with POPI may be viewed as a burden. However, similar to a mother addressing a tantrum-throwing toddler, government is saying: "You will do this, because I know what is best for you."

One SME posed the question to me: "Why should we invest so much money and effort to secure personal information that so many individuals freely flaunt on social networks?"

My response to that: "Would you put your whole customer base at risk for the 2% that don't care about their own privacy?" Another consideration is that privacy is the individual's right to choose what is done with his/her information and no one else's. Compliance shows a respect for that right.

But what's in it for me, really? There is the obvious threat of cost, of course. On allegation of a breach, the regulator can fine the offending company up to R10 million, depending on the circumstances. Note that the fine becomes payable on allegation, without the regulator having to prove an offence; the only way to contest it is to elect to be tried in court. On top of the risk of a penalty, there is the further risk of civil claims and class actions.

However, the largest risk is to public image. Imagine losing 24% of a company's share price in three months[6], as Target in the US did. After almost a year, it is still struggling to recover. Target's huge payment card hack, affecting about 40 million US consumers in November 2013[7], has resulted in a 16% drop in EBITDA since 2013.

For the entrepreneur, the PR risk can be transformed into a PR opportunity with proactive effort to comply.

Where to start, then? In most instances, a top-down approach is the most effective. Start by appointing an information officer who takes accountability for privacy in the company. Then scan the company's activities to identify where personal information is processed; each such activity carries an inherent risk. Then systematically assess each of these activities, considering both processes and systems, for areas of non-compliance, and build the resulting actions into a prioritised roadmap.

Leverage the assistance of auditors or information management specialists to assist in this assessment exercise and ensure the company is focused and doesn't get lost, not seeing the wood for the trees.

There's a lot of hoo-ha, yes, but not for no reason. Complying with POPI will reduce real risks that could have severe repercussions for a company. Addressing it proactively (and not procrastinating until the Act fully commences) will instil trust with all company stakeholders, and will give the company a competitive advantage.

[1] http://www.verizonenterprise.com/resources/infographics/ig_Verizon-DBIR-2014_en_xg.pdf
[2] http://www.mcafee.com/sg/resources/reports/rp-economic-impact-cybercrime.pdf
[3] https://www.javelinstrategy.com/news/1467/92/A-New-Identity-Fraud-Victim-Every-Two-Seconds-in-2013-According-to-Latest-Javelin-Strategy-Research-Study/d,pressRoomDetail
[4] http://businesstech.co.za/news/internet/60021/the-cost-of-cyber-crime-in-south-africa/
[5] http://www.compuscanacademy.co.za/identity-thieves-target-gauteng-men-ages-30-40/
[6] http://www.marketwatch.com/investing/stock/tgt
[7] http://www.nydailynews.com/news/national/target-struggles-win-back-customers-profit-takes-hit-article-1.1910945