The cybercrimes industry is expected to cost business up to $6-trillion (R78-trillion) by 2021.
The statistic was mentioned by Paolo Passeri, Cisco’s consulting systems engineer for cloud security, at the Cisco Connect South Africa conference currently being held in Sun City.
Axiz has announced that the company has become the latest victim of the on-going “bank account number change” scam.
Axiz has released the following message to its clients:
Please be aware of the following warning from the National Treasury, when dealing with government departments:
Vehicle tracking company Ctrack has released its hijacking and crime statistics, detailing the hijacking hotspots across South Africa’s biggest cities, and the time of day you’re most vulnerable.
The report is based on data and analytics collected by Ctrack from January through December 2016.
Ctrack found that car and truck hijacking is most common in South Africa’s most populated province, Gauteng, followed by other built-up provinces such as KwaZulu-Natal and the Western Cape.
The majority of hijackings were likely to occur between 18:00 and 23:59 in Gauteng and KwaZulu-Natal, and between 00:00 and 05:59 in the Western Cape. You are also more likely to be hijacked on a Tuesday.
According to the latest crime statistics report released by the SAPS in September 2016, cases of hijacking have increased significantly across the country.
The most recent crime stats revealed that there were over 14,600 reported car hijackings between 2015 and 2016, up 14.3% from 12,770 cases in the prior period.
Statistically, this shows that 40 cars are hijacked every day in South Africa (versus 35 in 2015), or roughly one car every 36 minutes.
Cyber-crooks are sending out spam emails that falsely warn recipients that their PayPal account activity has been temporarily limited, citing an account fraud issue.
A phishing email scam that warns PayPal users of possible fraudulent account activity in hopes of scaring personally identifiable information out of them is currently making the rounds.
According to a blog post from ESET, the phishing emails falsely inform recipients that PayPal has detected “unusual activity” on their accounts and has “temporary limited what you can do” until the possible security issue can be resolved. Clicking the log-in button on these emails redirects victims to what appears to be a legitimate log-in screen – it even displays an SSL certificate to sell its supposed authenticity – but is actually a fake PayPal web page hosted on a malicious domain.
After victims “log in,” the fake PayPal site displays another message informing victims that they will not be able to withdraw funds for 15 days, unless the issue is addressed further. Those who click a “Continue” button to proceed are then asked to enter even more detailed information, including their Social Security number, address, phone number, birthdate and mother’s maiden name.
As phishing scams go, this one is convincing, but there are still some clues that PayPal did not send this alert, ESET reported. For instance, the email contains minor grammatical and syntax errors, and the fake web page’s request to enter your home country is unusual, considering it also asks for your Social Security number, which only applies to the US.
By Bradley Barth for www.scmagazineuk.com
The Deputy Minister of Justice and Constitutional Development, John Jeffery, said the country’s new Cybercrimes and Cybersecurity Bill will be tabled in Parliament soon.
The Bill has already been approved by Cabinet.
“The Bill aims to put in place a coherent and integrated cybersecurity statutory framework to address various shortcomings which exist in dealing with cybercrime and cybersecurity in the country,” stated the SA Government website.
The purpose of the Cybercrimes and Cybersecurity Bill is to:
- Create offences and prescribe penalties;
- Further regulate jurisdiction;
- Further regulate the powers to investigate, search and gain access to or seize items;
- Further regulate aspects of international cooperation in respect of the investigation of cybercrime;
- Provide for the establishment of a 24/7 point of contact;
- Provide for the establishment of various structures to deal with cybersecurity;
- Regulate the identification and declaration of National Critical Information Infrastructures and provide for measures to protect National Critical Information Infrastructures;
- Further regulate aspects relating to evidence;
- Impose obligations on electronic communications service providers regarding aspects which may impact on cybersecurity;
- Provide that the President may enter into agreements with foreign States to promote cybersecurity; and
- Repeal and amend certain laws.
How it will affect you
Michalsons law firm has published an overview of the Cybercrimes and Cybersecurity Bill, explaining why we need it and who will be affected by it. The bill is aimed at keeping South Africans safe from cybercrime and consolidates the country’s cybercrime laws into one place.
People who will be affected by the new bill include “everyone who uses a computer or the Internet”, along with:
- People involved with IT or POPI compliance;
- Electronic Communications Service Providers;
- Providers of software or hardware tools that could be used to commit offences;
- Financial services providers;
- Owners of copyrights and pirates;
- Information Security experts; and
- Anyone who owns an Information Infrastructure that Government could declare as critical.
What the bill deals with
The bill creates around 50 new offences, which are related to data, messages, computers, and networks, said Michalsons.
These offences include:
- Using personal information or financial information to commit an offence;
- Unlawful interception of data;
- Computer-related forgery and uttering; and
- Extortion or terrorist activity.
The penalties for these offences range from 1-10 years in prison or up to a R10-million fine.
The bill also aims to protect critical infrastructure of a strategic nature from interference and disruption.
This infrastructure includes that which aids in keeping the country’s security, defence, and law enforcement operational; and provides essential services.
Powers to investigate
“The Cybercrimes and Cybersecurity Bill gives the South African Police and the State Security Agency extensive powers to investigate, search, access, and seize just about anything – like a computer, database, or network,” said Michalsons.
As part of the requirements of the bill, the Minister of Police must establish a National Cybercrime Centre and a Cyber Response Committee, of which the chairperson will be the Director-General: State Security.
The Minister of Defence must also establish and operate a Cyber Command, while the Minister of Telecommunications and Postal Services must establish a Cyber Security Hub.
Those of us who don’t rent bank safety deposit boxes for our valuables probably imagine the set-up to involve fingerprint-accessed vault-like doors and a cobweb of alarmed beams, as in the movies.
It wasn’t quite like that, said one of the victims of the December 18 First National Bank Randburg branch heist in which 360 boxes were stolen.
“Zai” of Randburg, who did not want to be named, happened to be at the bank yesterday when most of the boxes were returned to the branch by what appeared to be a private security company.
Police found the empty boxes dumped near FNB Stadium in Soweto two days after the heist.
All the valuables, including watches, Krugerrands, and jewellery passed down generations were gone. Only documents such as title deeds were left behind.
Zai’s family had rented the box since about 2004, she said, and at the time of the theft were renting it at R120 a month.
“Ironically, it was quite a big deal for us to access our boxes,” said Zai, who last did so in October.
“You had to make an appointment at least 24 hours in advance.
“Someone would meet you and take you into a room, and lock the door behind you. I’d have to produce my ID, then he’d go into another room, a vault, where the boxes were kept, lock that door behind him and then pass my box to me through a slot in the wall.
“I never saw any of the other boxes. I opened my box with two keys, in my possession, and then I’d be left alone to do what I needed to do, and then I’d phone to say that I was finished, so they could take the box back into the vault.
“It seemed very safe and professional,” she said.
In early December Zai’s husband asked her to collect their six expensive watches from the box to have them serviced.
“But I was too busy and now they are all gone,” she said.
FNB’s safety deposit contract states the bank will not be legally responsible “under any circumstances for any loss or damage that may occur to the contents” and officials have said they had no way of knowing what was in the stolen boxes and urged clients to insure the contents of the boxes.
By Wendy Knowler for Timeslive
South African organisations need to prioritise the protection of confidential information or face putting their businesses at risk of hefty financial penalties, irrevocable reputational damage, and even legal repercussions, a leading information security company has warned.
With the average data breach costing South African businesses R28.6 million each year, Shred-it South Africa said organisations cannot afford to ignore the importance of implementing robust information security policies and practices. The loss of confidential information can also impact customer confidence and may also put businesses at risk of legal action.
“Many South African businesses are not aware of the costly impact that a data security breach can have, both in terms of lost business and non-compliance fines. It’s more than a financial risk; damage to a hard earned reputation is time-intensive and costly to repair. Prevention is always better than a cure, and I urge organisations in South Africa to make sure information security is top of the business agenda,” says Tony Fitzpatrick, country manager at Shred-it South Africa.
Businesses also need to be aware of the legal requirements when it comes to protecting confidential information. According to Shred-it’s Security Tracker Survey, only 37% of SMEs understand the implications the forthcoming enforcement of the Protection of Personal Information (POPI) Act will have on their business compared to 70% of C-Suite Executives. However, the enforcement of POPI will hold all businesses accountable should they abuse or compromise personal information in any way. Organisations could face substantial financial penalties of up to R10 million, or a prison sentence of up to 10 years could be imposed should an entity be in breach of the legislation.
“The clock is ticking for businesses when it comes to being properly prepared to meet the terms of the POPI Act. When the POPI Act comes into full effect, it is crucial that all businesses adhere to the outlined requirements of the legislation when collecting, processing, storing and sharing another entity’s personal information. Businesses should note that the POPI Act is more than a compliance checkbox exercise; it is ultimately for the benefit of business, by ensuring that all information is securely protected so that organisations can build trust with their customers, employees and partners,” Fitzpatrick concludes.
Shred-it, which helps businesses in South Africa to improve their information security practices and protect their workplaces against the damage caused by data breaches, has issued the following five tips to help organisations put information security at the forefront of business planning:
• Schedule regular information security audits to identify problem areas where confidential information could go astray, e.g. printer stations and meeting rooms. Put measures in place to ensure that documents are securely disposed of, e.g. reminding staff to keep documents secure and store them in locked consoles or containers when they are no longer needed, ready for secure disposal.
• Introduce a Shred-it all Policy, which means all documents are destroyed prior to disposal. This means employees do not need to make a decision as to what is or is not confidential when disposing of paperwork. The decision to use the recycling bin or shredding container is often left to chance or convenience where both options are available. In practice, when outsourcing to a secure destruction provider such as Shred-it, all shredded paper is recycled, keeping you secure and protecting the environment at the same time.
• A clean desk is one of the simplest yet most effective safeguards that can significantly reduce the risk of a data breach. A formal Clean Desk Policy directs employees to put away all paper documents and lock all electronic equipment when leaving workstations, so confidential information is not at risk of falling into the wrong hands or left vulnerable to ‘visual hacking’ from unauthorised prying eyes.
• Ensure employees are informed about the risks associated with data protection breaches and are well trained on which documents they should consider shredding as well as how to dispose of electronic data.
• Work with a reputable professional information destruction company that not only has a secure shredding process but can offer guidance and help with implementing robust information security practices.
With about half of the world’s fastest growing countries based in Africa, the continent is quickly becoming a global business and economic hotspot.
However, hand-in-hand with this growth comes rapid industry expansion, recruitment of a global workforce and – of notable concern – increasing risk of qualification and CV fraud.
This is according to Ina van der Merwe, director and CEO of African background screening market leader, Managed Integrity Evaluation (MIE), who highlights that African qualifications carry a high risk of being fraudulent.
“As a whole, cross-border qualifications are more likely to be fake, altered or altogether fraudulent. Our data suggests that risk indicators on these qualifications have increased from 40% in 2015 to 43% in 2016 to-date (January to October).
“Although a portion of this risk can be attributed to other confounding factors, it is clear that there is a greater propensity for qualification fraud with foreign candidates or in countries where background screening is not yet common practice. A candidate may be less likely to lie on their CV if they know that their credentials will be verified.
“Unfortunately, our research shows that the vast majority of cross-border recruits are not being screened sufficiently. This means that while opportunities for global competitiveness are abundant, there are an overwhelming amount of job-seekers who are less than honest about their professional capabilities. And seeing that these facts aren’t properly checked, organisations are at high risk of financial and legal implications,” she explains.
Findings from Lex Mundi’s Emerging Africa Conference in Cape Town note that by 2040, Africa’s working age population will rise to 1,1-billion – greater than the working age populations of China and India combined.
With this in mind, Van der Merwe suggests that the drive for business, investment and employment within the continent is clearly justified. However, the risks associated with qualification and CV fraud mean that businesses need to strongly consider implementing an international screening program.
“An international screening program ensures that all credentials are verified through relevant and accurate measures irrespective of that credential’s country of origin. This also includes various vetting services such as criminal record and credit history checks which, in addition to qualification verification, are in high demand across specific industries in Southern, East and West Africa specifically,” she says.
She adds that performing a background check on a candidate or employee with foreign work experience or qualifications is typically viewed as being far more complex than doing so locally.
“This is likely the major issue which has held businesses back from conducting such checks in the past. However, this simply cannot be the case moving forward.
“As globalisation continues to blur borders, international screening needs to become a priority and top vetting organisations have solutions and centralised teams in place to make it possible.
“Ultimately, to avoid taking a financial and reputational hit while exploring all Africa has to offer from a growth perspective, it is essential for businesses to know – and verify – their staff,” Van der Merwe concludes.
The functions of the Information Regulator include:
- to provide education about the Protection of Personal Information Act, for example, giving advice to data subjects in the exercise of their rights;
- to monitor and enforce compliance with POPI;
- to consult with interested parties;
- to handle complaints;
- to conduct research and to report to Parliament;
- to issue codes of conduct and make guidelines to assist bodies to develop codes of conduct; and
- to facilitate cross-border cooperation in the enforcement of privacy laws.
The Information Regulator will have the power to conduct investigations, order publicity of data breaches, and issue administrative fines of up to R10-million.
Regulations must be promulgated under POPI, for example, including regulations setting out the cost of making a subject access request and the prescribed standards for codes of conduct.
The announcement of a commencement date. Organisations will not be liable for fines or non-compliance for a period of 12 months from the commencement date.
If you haven’t started yet, now is the time for organisations to start or ramp up their POPI implementation efforts. Our virtual privacy lawyer, POPI Counsel, can assist with your privacy law questions and provide practical guidance through your implementation process. POPI Counsel produces legal opinions for you on demand, anytime and anywhere. Contact us for more information.
The chairperson, Pansy Tlakula, full-time members, Lebogang Stroom and Johannes Weapond, and part-time members, Tana Pistorius and Sizwe Snail, have been appointed to the Information Regulator with effect from 1 December 2016 and will serve for a period of five years.
By Nerushka Bowan for www.financialinstitutionslegalsnapshot.com