Integrating the prevention of cyber crime into the overall anti-crime strategies of your organisation
Integrating the prevention of cybercrime into the overall anti-crime strategies of your organisation. Broad overview of the South African law that applies to cyber. Value of information governance and a hands-on approach to the detection and prevention of cyber crime in your organisation.

Published in: Business, Technology

Transcript

  • 1. Integrating the prevention of cybercrime into the overall anti-crime strategies of your organisation
      Africa Cybercrime Security Conference, 31 March 2011
      Adv Jacqueline Fick
      www.pwc.com
  • 2. Agenda
      • Common cybercrimes in South Africa
      • Getting to grips with the Electronic Communications and Transactions Act
      • The value of information governance
      • Implementing a pro-active strategy in your organisation: a hands-on approach to dealing with cybercrime
      Slide footer: Integrating the prevention of cyber crime into the overall anti-crime strategies of your organisation, March 2011, PwC
  • 3. Common cybercrimes in South Africa
      • Unauthorised access (s86(1))
      • Unauthorised modification of data and various forms of malicious code (s86(2))
      • Denial of Service Attacks (s86(5))
      • Devices used to gain unauthorised access to data (s86(4))
      • Child pornography
      • Computer-related fraud
      • Copyright infringement
      • Industrial espionage
      • Piracy
      • Online gambling (leave to appeal pending)
      • Phishing/identity theft
  • 4. Phishing attacks
      RSA Online Fraud Reports show that South Africa does not fall within the top ten countries hosting phishing attacks, but features high on the list of top ten countries by attack volume. For thirteen (13) consecutive months the US, UK and South Africa have been the top three targets for mass phishing. (RSA Online Fraud Report – March 2011)
      [Figure: RSA statistics for February 2011]
  • 5. Getting to grips with the Electronic Communications and Transactions Act, No. 25 of 2002 (ECT Act)
  • 6. The ECT Act
      "data message" means data generated, sent, received or stored by electronic means and includes-
          (a) voice, where the voice is used in an automated transaction; and
          (b) a stored record;
      15 Admissibility and evidential weight of data messages
      (1) In any legal proceedings, the rules of evidence must not be applied so as to deny the admissibility of a data message, in evidence-
          (a) on the mere grounds that it is constituted by a data message; or
          (b) if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form.
      (2) Information in the form of a data message must be given due evidential weight.
  • 7. The ECT Act
      In assessing the evidential weight of a data message, regard must be had to-
          (a) the reliability of the manner in which the data message was generated, stored or communicated;
          (b) the reliability of the manner in which the integrity of the data message was maintained;
          (c) the manner in which its originator was identified; and
          (d) any other relevant factor.
  • 8. Chapter XIII: ECT Act
      "access" includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.
      86 Unauthorised access to, interception of or interference with data
      (1) Subject to the Interception and Monitoring Prohibition Act, 1992, (Act 129 of 1992) a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
      (2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
  • 9. Chapter XIII: ECT Act
      (3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
      (4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
      (5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.
  • 10. Chapter XIII: ECT Act
      87 Computer-related extortion, fraud and forgery
      (1) A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
      (2) A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.
  • 11. The value of good information governance
  • 12. The value of good information governance
      • IT is the foundation on which we operate our businesses and information is fast becoming the most valuable asset an organisation has.
      • The value of information has also led to businesses focusing more on the information or data they host, process or use than on the technology employed to perform these functions.
      • Need for risk management.
      • The IT risk environment is influenced by both internal and external factors and measures must be put in place to ensure the protection, confidentiality, availability and authenticity of information, to govern the use of external service providers to host/process data, to regulate the access to company networks from remote locations and, of course, to be sensitive to the threat of cyber attacks such as hacking, identity theft, cyber espionage, denial of service attacks, computer-related fraud and extortion.
  • 13. Definitions: Information Governance
      • King III: … an emerging discipline with an evolving definition.
      • Wikipedia: … a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information on all media in such a way that it supports the organisation's immediate and future regulatory, legal, risk, environmental and operational requirements.
      • … an enterprise-wide strategy and framework that establishes the policies, responsibilities and decision-making processes controlling the use of information owned, or accessed by a business. The goal should be to balance risk avoidance, cost reduction and increased business value. Information Governance should also be structured in such a way as to easily adapt to organisational demands, changes in technology and be flexible to provide for new information.
  • 14. The value of good information governance
      • Information governance involves a balanced approach designed to meet the needs of the organisation and all of its stakeholders, including its customers, shareholders and regulators. Furthermore, information governance is one component of an organisation’s wider enterprise information management strategy, which itself should be directly aligned with the overall business strategy. (SAS White Paper, http://www.eurim.org.uk/activities/ig/SAS_WhitePaper.pdf)
  • 15. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
  • 16. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
      • Cyber security is just as important as physical security.
          • Relationship between physical and network security.
      • Know and understand your organisation:
          • This includes an understanding of the external environment and the threats facing the organisation. It also refers to a thorough understanding of the internal environment and the way the organisation operates – its employees, levels of staff morale, business partners of the organisation, service providers, etc.
  • 17. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
      • Define security roles and responsibilities:
          • Although security should be the concern of everyone within an organisation, ownership of information security should be assigned to specific individuals, coupled with the necessary levels of authority and accountability. To assist with the process it is recommended that security roles and responsibilities be incorporated into job descriptions and that performance in terms of these areas be measured accordingly.
      • Ensure that you have proper policies and procedures in place for the use of IT.
      • Establish clear processes to enable end-users to report suspected cybercrimes.
  • 18. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
      • Effective public private partnerships:
          • The effective control of cybercrime requires more than just cooperation between public and private security agencies. The role of the communications and IT industries in designing products that are resistant to crime and that facilitate detection and investigation is also of critical importance. To effectively address cyber crime also calls for a less re-active and more pro-active approach to the prevention, detection, investigation and prosecution of these crimes.
          • Value of intelligence: Exchange information with law enforcement agencies. Know your opponent and use the information to develop and update security policies. Think like a hacker.
  • 19. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
      • Stay up to date:
          • Maintain awareness of new developments in both technology and services. Use a risk-based approach to determine when it would be necessary to upgrade or adapt current systems and processes to accommodate new developments.
      • Continuous auditing and assessment of process:
          • It is recommended that a process of continuous auditing be implemented to ensure that the strategy remains aligned to business objectives, adapts to changes in technology or identified threats, and to allow for the analysis of information that is gathered from the different implemented controls.
  • 20. Practical Guidelines and Tips
      • Email is more than messages. It contains personal information, contact lists, sensitive company information, etc. Email policies:
          • Do not open suspicious emails.
          • Use spam filters.
      • Encrypt important files or records.
      • Choose complex passwords and change your password regularly. The Post-it problem.
      • Back up regularly.
      • Install powerful anti-virus and firewall software and keep it up to date. Regularly update security patches.
  • 21. Practical Guidelines and Tips
      • Create good habits such as deleting your temporary internet files and cookies. This protects against hackers who can access your accounts from where you have been on the internet.
      • Turn off your computer and modem/disconnect from the internet when not in use.
      • Know what information you have, where it is stored and who has access thereto.
      • Be wary of providing personal information via a website you are not familiar with.
      • Never allow strange or unfamiliar individuals to use your computer, not even if they say they are from the IT department!
  • 22. Practical Guidelines and Tips
      • Educate users:
          • Teach IT users how to identify cyber threats and how to respond.
          • Share security information with all users of IT in the organisation.
          • Read up on the latest ways hackers create phishing scams to gain access to your personal information.
  • 23. In summary
      • Organisations need to realise the true value of information.
      • Cyber criminals steal information.
      • We can only effectively combat cybercrime if we share information and collaborate.
      • Know your opponent.
      • Be pro-active and not re-active.
      • Implement good information governance principles in your organisation.
      • Educate all IT users.
      • Protect your information with the same vigour as you protect physical property, brand names, money, etc!
  • 24. “Success in preventing cyber attacks depends as much on knowing what to look for as it does on rolling out the right security.” (Howard Schmidt, ComputerWeekly.com, 27 March 2009)
      This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
      © 2011 PricewaterhouseCoopers (“PwC”), the South African firm. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers in South Africa, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity and does not act as an agent of PwCIL.
