As a rather more tangible virus spreads throughout the nation, it’s high time to consider how secure South Africa’s systems are against a digital foe…
South Africa is no stranger to financial data breaches. From 2018’s Liberty Life attack to 2020’s Nedbank incident affecting 1.7 million people and DDoS attacks in between, our financial institutions need to face up to an increasingly sophisticated spate of attacks.
While at both the state and civic level we’re preoccupied with the COVID-19 response and a cohesive attempt to flatten the curve, we may be opening ourselves up to digital attacks on an unprecedented level.
Fighting an Infodemic
World Health Organisation Director-General, Tedros Adhanom Ghebreyesus, stated at a foreign policy and security experts meeting in Munich in March: “We’re not just fighting an epidemic; we’re fighting an infodemic.”
The primary meaning here is clear, false information leads to confusion, polarizing debates, and questionable science.
The second key part of the infodemic is managing and controlling the mass data banks of information we have created.
In times of crisis, cybercrime seems to experience a surge. There are enough schemes running at the moment that even the WHO has had to issue a scam alert statement because would-be imposters have dressed their emails up to look like official WHO correspondence.
The current climate makes us prime targets for both misinformation and intercepted data.
Imagine, if you will, the millions of data transmissions sent every day from people working from home on networks that represent potential vulnerabilities because of the increased number of access points.
Already, the tools we are using to reshape the way we work have displayed early weaknesses.
Popular Skype alternative Zoom explained why recordings of users’ conversations were plastered all over the net. Meanwhile, competitor Houseparty is defending itself too, suggesting its own hack controversy was a next-level smear campaign (solve this mystery and there’s a US$1 million dollar bounty up for grabs).
Risks Facing Financial Institutions
So how are financial institutions rising to the challenge of a home-based workforce, and how safe are our financial data and assets now?
In a statement, the Financial Action Task Force (FAFT) encourages the “fullest use of responsible digital customer onboarding and delivery of digital financial services in light of social distancing measures.”
Responsible is the keyword here. Financial institutions should read that as a prompt to mobilize the full gamut of security measures at their disposal to make sure customer data and assets are as safe now as they were prior to the coronavirus crisis.
According to the Financial Times, regulators were quick to flag the heightened risk to individuals through phishing attempts and bank payment frauds. And the threat extends to businesses and investors.
Charles Delingpole, Chief Executive of ComplyAdvantage, noted: “We’ve already seen bad actors seeking to exploit the panic caused by the pandemic to defraud individuals…this shouldn’t be unexpected for any financial institution.”
Data from the National Economic Crime Centre (NECC) shows that in the UK, fraud reports jumped up to 396 in late March 2020, a notable rise from the 105 reported in the six weeks prior to March 18. Poor news for economies around the world already struggling to manage surging unemployment and private company bailouts.
A couple of leading cybercriminal groups, including Maze and DoppelPaymer, have sworn, keyboard to heart, that they will cease attacking healthcare institutions during the crisis. They’ve even offered assistance if a health provider is hit accidentally.
This is not altruism though, it’s an attempt to avoid literal blood on their hands rather than the metaphoric blood sweat and tears normally targeted. Tellingly, the same gestures have not been extended to our financial institutions and we should prepare.
What about South Africa?
At the national level, South Africa is not prepared to cope with a coordinated cyber threat, something the Mail and Guardian reported on in 2013.
Furthermore, security researchers have pointed out that “The structures that have been established to deal with Cybersecurity issues are inadequate to holistically deal with these issues.” This must change if our digital sovereignty is to remain intact.
At the civic level, we need to manage our digital interactions in the same way we now manage our physical interactions: as if others have a virus or that we could transmit a virus to others.
At the very least equip devices with VPN technology and sanitize digital points of contact as we sanitize our hands.
While one virus is tangible, another could silently rip through our carefully constructed and interlinked networks and take even more than we anticipated.