Both the private and public sector must engage out-of-the-box complex systems thinking and more holistic security models to stave off the increasing threat posed by online and cyber-related crimes. That’s the view of Michiel Jonker, Director: IT Advisory at Grant Thornton Johannesburg.
“Due to the complex nature of cyberspace, whereby billions of users and infinite systems and networks are intertwined, it has now become virtually impossible to control the ecosystem,” he says. “Security therefore could not be treated in isolation but effective security management should employ a 360-degree complex systems philosophy that engages multiple conventional and unconventional (e.g. futuristic) models of security assessment.”
While statistics are not readily available in South Africa, numerous breaches have been recorded over the past few years. In 2013 Bloomberg reported that South African banks had lost tens of millions of rands to an international organisation that hacked the bank card details of fast-food restaurant customers. Based on data from the Payments Association of SA, the report found that every South African bank had been affected.
“Recent breaches, including JP Morgan Chase, The White House, Sony and even South African government website hacking incidents, have called into question the future of cyberspace as a means of safe transaction. Cybercrime holds potentially catastrophic consequences for businesses and government - not to mention the security of nation states. 2014 was a watershed year for cyberspace security and in 2015 the issues will become even more noticeable,” Jonker said.
“The current model of applying ‘best practices’ addresses many aspects of cyber security but is not enough. A new approach designed to deal with threats requires more than standard analytical IT frameworks because we are steadily losing the war against cyber criminals, like hackers and information thieves,” said Jonker.
He said that in addition to legislation, such as the Protection of Personal Information (POPI) partly enacted last year, and best practice guides, it is now imperative that measures be scaled up. The POPI Act, which was gazetted in November 2013, and which is currently awaiting an effective enactment date, provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
In a recent Grant Thornton International Business Report (IBR) survey, for the first quarter of 2015, SA businesses were asked if their current business strategy plans included breaches to IT security as a potential threat to the future of the business.
“It is encouraging to note that 72% of the 150 SA business executives who were asked this question responded that their strategies DO include plans to prevent IT security breaches,” says Jonker. “One very important measure needed and which is often overlooked, is the thorough testing of systems by skilled individuals whose sole purpose would be to find compromising points of entry into the system. Ironically, the majority of cyber criminals do not have formal IT qualifications.”
Jonker suggested a holistic approach incorporating the futuristic concept of “exploration-discovery.”
“The IT security industry has to change its recruitment policies. There is a need for certain IT security personnel to come from non-formal education, those who employ outside-of-the-box thinking. These persons tend to think more in systemic ways - while formally educated IT professionals traditionally think analytically. We need to have conventional and unconventional IT skills in place that will test for infiltration by those whose sole purpose is to exploit the weaknesses of IT and online systems.”
He said the concept of “exploration-discovery” in systems development practice is not new. For example, when testing new systems, software companies will often monitor how children interact with the system – with the aim of detecting any unforeseen failures not picked up by standard testing procedures.
“A similar methodology in devising security for cyberspace would allow private and public sector organisations to view their systems as an outsider, or specifically as a criminal (i.e. to ‘think or explore/discover like a criminal’). This creates a vastly improved context for security as it not only allows mitigating the rational threats but the anticipation of those systemic threats for intentional nefarious purposes,” Jonker concluded.