I recently read with interest that the Scorpions, in collaboration with the banks, had arrested members of a cyber-criminal syndicate involved in an identity theft scam. Although this affected a small number of banking clients and the impact was minimal, it begs the question - how many other incidents went undetected? And how prevalent is the threat?
There is no end in sight for identity theft. Phishing attacks to trick users into divulging personal information and spyware to secretly capture personal information from computers and other techniques will continually be employed for financial profit at the expense of unsuspecting victims.
Internationally cyber-crime has overtaken physical crime as the biggest threat. It may be a long time before we see that in SA, although I`m sure most people would prefer to see that trend play out here, where physical crime hurts a lot more people than cyber-crime. However, fighting cyber-crime has to be among the top priorities for both business and law enforcement.
To start with, it is important to understand today`s cyber criminals. They are no longer lone hackers looking for bragging rights among their peers. Cyber-crime has evolved into elaborate, profit-driven schemes involving organised-crime syndicates that may be based around the corner or halfway around the world. It`s estimated that 85% of malware is created with profit in mind, yet only a small fraction of cyber criminals are caught and prosecuted.
Just as physical crime has changed our behaviour and affects where we choose to work and play, so cyber-crime will eventually make people reluctant to trust the Internet. This will hinder interchange between people, businesses and governments, impacting everything from education to commerce.
Just as physical crime has changed our behaviour and affects where we choose to work and play, so cyber-crime will eventually make people reluctant to trust the Internet.
Alkesh Patel, principal consultant of security and privacy services at IBM SA.
So, if cyber criminals are more organised today than ever before, our response to them must also take on new structure and focus. Individuals, organisations, law enforcement and technology solutions providers must join forces to take on this evolving challenge. New strategies and solutions are needed in four key areas: people, policy, technology and collaboration.
Let`s start with the people factor. Criminals are devising increasingly elaborate social engineering techniques to get to the information they need. Organisations must look at their security programmes, not only at a technical level, but down to the actions of each person and how they interact with the online ecosystem. Behavioural insight will help fight not only intrusions into the network but extrusions in which users may, inadvertently or knowingly, permit data to fall into the wrong hands.
Then there`s the matter of policy. Security policies enable the governance that protects one of the most valuable assets of a company - its data - relating to both corporate secrets and the private data of its employees and customers. Policies set the expectations for behaviours and outcomes to create a secure environment in which to do business. The challenge is to implement consistent policies across organisations, their business partners, and customers in an interconnected world.
No approach to fighting cyber-crimes is complete without careful consideration of technology. No one should underestimate the technical capabilities of today`s cyber criminals. New technology must be developed to go beyond rapid response, to anticipating and heading off new cyber-crime techniques. Today`s challenge is how to extend data protection to wherever that data lives. More than half of all vital corporate data doesn`t reside on a server, but on someone`s PC, PDA, or cellphone.
The IT community must also take more seriously the need for `security engineering` in the design and development of hardware and software systems. No one would add air bags to a car after it had been bought, but too often that`s how the IT industry has treated security: as an add-on. Enhanced security capabilities must be a part of the engineering mindset from the ground up.
And finally, there is collaboration. In the US recently a group of 40 leading companies, institutions and technology solution providers formed the Data Governance Council to clarify and resolve common data governance challenges and to explore solutions to security, privacy, trust and corporate compliance issues. In SA, we have witnessed the success of public-private partnership in fighting physical crime: Business Against Crime reduced crime in the Johannesburg CBD by 80%.
A much closer level of co-operation between businesses, government and law enforcement is required to develop the capability and capacity to fight cyber-crime. A recent report from the Centre for Strategic & International Studies stated: "Cyber-crime is the organised crime of the 21st century."
By marshalling the collective skills and expertise of individuals and organisations in both the private and public sectors, we can equip the people, implement the policies, and deploy the technologies that will help secure our networked world.
* Alkesh Patel is principal consultant of security and privacy services at IBM SA.
Share