In recent years, data breaches at organisations and platforms as diverse as eBay, Morgan Chase, Yahoo, and Ashley Madison have emphasised the importance of data and cyber security. Staying secure must be a priority for everyone in an organisation, and communicators need to know what systems are in place to prevent a breach, and what to do if one occurs.
By Adam Wakefield
These topics came under the microscope at the PRISA Committee SaveTNet cyber safety panel on Thursday, 6 October, in Johannesburg.
The panel featured SaveTNet CEO and committee member, Rianette Leibowitz, Cell C chief information officer, Maria Pienaar, Norton Rose Fulbright senior associate, Nerushka Bowan, Brigadier Piet Pieterse, electronic crime section head at the Hawks, and Kirsty Sharman, Webfluential head of global operations.
Leibowitz, who has worked in communications for over 15 years beyond her work with SaveTNet, told the room that information security is the buzzword and that any PR professional worth their salt takes the matter very seriously.
“If we had to look at the two types of risk, the one is you. You’re the biggest risk to your own companies and the brands you represent,” she said.
Do you know what is on that USB you brought from home and plugged in at a work terminal? What information is in your personal phone, from emails to contact details, if it gets stolen? Do you have the appropriate anti-virus software on your work laptop or PC? Whose responsibility is it to ensure that there is?
“Then of course, there are disgruntled employees. Don’t forget about them. They are the biggest threat. The more serious guys, who hack and do specialised attacks, they are a bit extreme,” Leibowitz said.
“We forget internally we can be our own biggest threat,” she warned.
Big corporates have data recovery centres in case they suffer a technological disaster, but in Leibowitz’s experience, none of her previous clients informed her what their data recovery system entails, what happens if a data breach takes place and what their recovery process is.
“We should know, and we should be part of that discussion,” Leibowitz said.
“All of these types of things are what we as communications professionals need to keep in mind. What do we communicate to the board of directors and what do we communicate internally?”
Ultimately, a data breach can cause immense reputational damage to an organisation. As communications experts, they need to ask themselves whether they can handle what happens after a breach occurs.
Bowan, a technology and privacy lawyer, said that under the Protection of Personal Information (POPI) Act, a notification requirement kicks in if there is a reasonable suspicion that a data breach has occurred.
The threshold of what qualifies as a reasonable suspicion is low, such as losing your cellphone. Depending on the circumstances, this may require an organisation to tell its entire customer base what happened. This has reputational consequences depending on the nature of the breach, and if no action is taken when a breach occurs, penalties amounting to millions can be enforced.
Pieterse, who joined the police in 1979, became a detective in 1983 and later joined the Scorpions before its disbanding, said government is doing something about cybercrime and cyber security.
The national cyber security policy framework, for which Pieterse was a member of the committee that wrote the bill, was gazetted in December last year and, while not perfect, is going to Parliament, with Pieterse responsible for the parts of the bill that affect law enforcement.
“What is quite important to me is to write it in such a way that a normal detective can understand,” Pieterse said.
Law enforcement officials need to be taught the fundamentals of cybercrime, which needs to be addressed in smaller instances in the same way housebreaking cases are. However, it concerns Pieterse that in 2016, we are still talking about going to a police station to report something.
“We should have a website and we should have people report online,” he said.
“It is amazing to find the criminals are not cleverer than us. They continue doing the same thing over and over again because they don’t get caught. They won’t stop until they’re caught. This is where the online reporting mechanism is so important.”
Pienaar, following Pieterse, said the two industries which are targeted the most by cyber criminals are banks and the telecommunications industry.
“The best way to stop cybercrime, or any social engineered fraud, is to eliminate human interaction. People think hacking is some kid sitting in their corner surrounded by screens and attack screens,” Pienaar said.
That description represents the minority, with the majority of social engineered fraud occurring through vendors providing system access to syndicates.
What the industry is doing is implementing systems that elevate trust to ensure that when a person logs into a particular system, they are who they say they are. In real life, you do not trust strangers, so why do so with people on the Internet?
Sharman, taking her cue following Pienaar’s remarks, said Webfluential connects brands, marketers, and PR agencies with bloggers, YouTubers, and Instagrammers, which are used as channels for advertising.
“We recently hit the 10 000 mark. We have 10 000 authorised influencers globally. That means we have 10 000 banking details, usernames, emails, passwords, and tokens. It means Webfluential must take data security very seriously, especially as those 10 000 people can potentially reach 400 000 000 people around the world.”
While that reach is an asset in one sense, in another it represents the impact a hack can have. A link could be shared, and people who follow the hacked account click on it, thereby enabling the scammer.
If the wrong account is hacked, it can even cause mass panic, such as what happened to the Associated Press Twitter account in April 2013, which claimed the White House had been bombed.
Organisations must make sure that those who handle their data can be trusted, and they should have people in place who monitor the way data is used in an organisation.
The alternative? Just ask Yahoo, the AP or eBay.
For more information, visit www.savetnet.com or www.prisa.co.za.