MOSS GONDWE: The public sector needs to do more against cybercrime

SA needs a sustained national public awareness campaign to inform, educate and mobilise the public against a growing pandemic of cybercrime.

While much progress has been made in educating the public about the dangers of Covid-19, promoting tips for reducing or preventing its spread and the rollout of vaccines, the same cannot be said for protecting citizens from falling victim to cybercrime. And unlike Covid-19, there is no “herd immunity” against cyber attacks.

Under siege at all levels

Interpol data found that cybercrime cost the SA economy $573m in 2016. An Accenture report five years later found that SA had the third-highest number of cybercrime victims worldwide, at a cost to the economy of R2.2bn a year.

The African Cyberthreat Assessment Report 2021 found that SA had the highest incidence of targeted ransomware and business e-mail compromise attacks of any African country.

Mimecast data supports these findings. The State of Email Security 2022  report said that more than three of every four SA organisations are getting an increased number of e-mail-based threats, with two-thirds saying they’re bracing for the fallout from an e-mail-borne attack.

Ransomware continues to plague our public and private institutions. Sixty percent of local firms were hit by a ransomware attack in the past year, up from less than half that number in 2020. The cost of such attacks can be devastating: a separate report in 2021 found that the average ransom payment by SA organisations was over R3.2m.

The past few years also saw several high-profile cyber attacks on private companies — including a hospital group and credit bureau — as well as public institutions and vital infrastructure, including the country’s justice system, ports and several government departments.

Sensationally, the matter received front-page attention after a hacker group threatened to release President Cyril Ramaphosa’s personal and private information publicly, proving that no person is safe from the scourge of cybercrime.

Awareness, action needed

There is presently a broad effort under way to upgrade SA’s digital infrastructure and build greater resilience against cyberthreats. However, there is also an urgent need to improve cyber awareness among the general population.

Nearly all successful cyber attacks worldwide are caused by some form of human error. At a personal level, clicking on an unsafe link or accidentally disclosing sensitive personal or financial information to a threat actor can lead to infected devices, being locked out of online accounts and, in severe cases, breaches of one’s online banking profile, which may lead to financial losses.

At a broader level, however, every person that falls victim to cybercrime is another potential threat to the security of the company they work for, their systems, their employees, customers, suppliers and partners.

More than eight out of 10 local organisations cited concern in a recent report about risks due to inadvertent data leaks by careless or negligent employees. Alarmingly, less than a third of local companies provide continuing cyber awareness training to their employees.

Past campaigns offer hope

There are useful lessons to be learned from the country’s past experience with national awareness campaigns.

The recent Covid-19 awareness campaign encouraged safe hygiene and helped limit the damage wreaked by the pandemic. Through regular public engagements, advertising on all mainstream media outlets, a dedicated web portal, in-person information sessions and the support of public and private sector partners, the government was able to ensure most citizens were aware of the risks of Covid-19, measures to protect against its spread, and best practices for staying safe.

In the 1980s and 1990s the “Zap-it-in-the-Zibi-can” antilitter campaign was a bedrock of family holidays, with a catchy song, advertising in mainstream media, an eye-catching mascot and a clear call-to-action that could be understood by everyone, young and old. We now need a similar campaign to bring awareness of cyber threats and mobilise the public around safe online conduct.

Increasing public awareness of cyber risks and teaching safe online conduct can be a vital first step in helping people protect themselves against cybercrime and improving our national cyber defences. But an effective national cyber awareness campaign needs to go beyond simply raising awareness and give people actionable steps to improving their online security.

Elements that should form part of such an effort include:

• A dedicated web portal with up-to-date information about the latest cyber threats, helpful hints for keeping safe, downloadable resources, and contact details of relevant authorities in case of someone falling victim to an attack. The site should be zero-rated to ensure it is accessible to citizens from all income groups.
• Frequent advertising of cyber safety tips on radio and TV in all official languages.
• A national PR campaign teaching online safety through accessible multilingual articles in popular print and online media titles.
• Social media mobilisation with a dedicated campaign hashtag to marshal online communities around cyber safety.
• Posters with online safety tips at schools, universities, colleges, clinics, train stations, taxi ranks and other places with high foot traffic.
• Engagement with public and private sector partners to help amplify campaign messages via their platforms and truly make this a national effort.

Without adequate protection against cyber threats, any efforts at building a strong economy will be undermined by relentless attacks and disruption. As the first and last lines of defence, citizens can become the country’s greatest asset in the fight against cybercriminals. A national campaign to inform, educate and mobilise every person in the country in this fight should be a matter of immense urgency for the government.

• Gondwe is public sector director at Mimecast.