If a client’s information is out there, it can be used for malicious purposes on the dark web.
MELITTA NGALONKULU: Welcome to the Small Business Conversations podcast. I am your host Melitta Ngalonkulu.
In recent weeks we saw the huge data breach involving Experian, whereby the personal information of millions of South Africans was stolen. This was the biggest data breach this year.
The IBM 2019 study on the costs of data breaches has revealed that the root cause for 52% of data breaches in South Africa was malicious or criminal attacks.
Today we are joined by Advocate Rian Schoeman, head of legal at LAWtrust who specialises in privacy and technology law, to speak about how companies can protect the information of its clients.
Rian, thank you so much for joining us. So how do these breaches actually happen?
RIAN SCHOEMAN: There are quite a few ways in which they can happen. The recent incident we had, where 20 South African stores’ data was compromised, is what we call ‘social engineering’. We don’t have all the details yet, but it seems that someone impersonated someone that a credit bureau knew. Because of that, they were able to get hold of all this information from people. So social engineering is basically an impersonation attack, where someone claims to be someone that you know and, based on that trust relationship, you get the information out of them that they shouldn’t be giving out.
And there’s also something that we call phishing. That is similar, but this happens over email, so someone could spoof an email address. Let’s take Amazon. Everyone knows Jeff Bezos, who’s the CEO. If the chief financial officer is going to get an email from firstname.lastname@example.org [that says]: “Pay this much money over to this account” or whatever, the CFO is going to jump at that, because they know it comes from the CEO. So if someone just registers a domain called “amazon.co” and they send that email from there, and you don’t look very carefully, you’ll think, oh, it’s from Jeff, it’s someone I know, in that way you can also be compromised.
MELITTA NGALONKULU: So now, when this data is actually stolen, what is it used for?
RIAN SCHOEMAN: It can be used for quite a few things. The most obvious one is obviously to sell it. On the dark web, you can get up to 20¢ per line of records. So someone would [be] paying 20¢ for a name, 20¢ for an email address, and so on. Just think, if you have 20 million people, each with 10 lines of data that is stolen, that is a huge amount of money. Big syndicates buy chunks of such information and they use it for online crime. But they can also use it for identity theft.
This type of information that was stolen is something that I can use to impersonate you. So, if I have your name and your surname and your ID number and things like that, I can apply for a credit card in your name. And, based on your credit report, I can get a credit card and buy things online.
You could buy someone’s entire personal details for $9 on the dark web – and just think of the damage you can do with that.
MELITTA NGALONKULU: Rian, this sounds really, really scary. How can small businesses secure their information?
RIAN SCHOEMAN: There are a few things they can do. The weakest link in cybersecurity is always people, your staff. So training is a very important part. You need to educate your staff about what social engineering is, what phishing is, and so on. There are so many free resources available online that one can make use of to help your staff and to educate them.
And then, from a security side, there are a lot of basics that you can do – for example, using a complex password. And that is a password that has 15 characters or more, some uppercase, some lowercase, numbers and special characters. The problem with that is unfortunately that we forget them. If you have a list of complex passwords, you cannot forget that at some point.
There’s an easy way to overcome that. And that is to make use of a passphrase.
That is something like ‘The hills are alive with the sound of music’, which is from a musical. That is very easy to remember, but it’s also quite a long phrase and it’s very difficult to crack. Another thing we need to consider is what we call ‘two-factor authentication’. That is when you use a username and password.
But there’s a second factor, like a one-time pin. We all know online banking or unlocking the bank account with a fingerprint or something like that; that is two-factor authentication. These days it’s become critical to have that, for all your accounts – not just your bank accounts, but your computer, your email accounts, all of them. They have two-factor authentication available. And I would strongly suggest that everyone activates that because even if someone gets all of your username and password, they can still not unlock your account without that second factor – and you’re usually in control of that.
And of course never share things like a pin number. Social engineers that we spoke about earlier will try to get the number out of you, or something over the phone to compromise your accounts. No financial institution will ever ask you to give them a pin number over the phone or something like that. So just be vigilant and don’t share that kind of information.
MELITTA NGALONKULU: How can small business owners train their staff to be aware of data breaches?
RIAN SCHOEMAN: I think whether your company is big or small, you need to talk about this. When something happens and it’s in the news, send out an email to the staff, remind them, look, this has happened again, make sure you don’t click on links in emails. Don’t respond to emails from people you don’t know. We’ve spoken about two-factor authentication.
And then there are things like encrypting your data. This means that you’re basically locking the information. So even if someone gets hold of that information, without the key to unlock it they will not be able to use that information.
Something that people don’t always think about is email.
Email is the biggest source of information being lost by companies globally. You need to start thinking about email encryption.
There are tools out there that you can use. Things we built, S/MIME, PGP and products like Zix that people need to start using to encrypt emails, to ensure that your information doesn’t get lost through negligence – someone sending out the wrong information by accident and there it’s out in the open.
MELITTA NGALONKULU: Rian, is training the staff and also ensuring that your company is secure from any form of data breach a costly process?
RIAN SCHOEMAN: It can be, and this really depends on the availability of the resources. So many of these cybersecurity companies really have a passion for cybersecurity, and they will offer some free programmes. These are typically just basic programmes, and vary from just some instructional videos to documentation you can read, and then higher-level programmes for companies with a budget that involves amazing programmes. So you can involve the staff where they can physically take part, where they actually simulate a data breach and how to respond. So there are really many options. It depends on what you can afford and how risky you think your businesses are.
MELITTA NGALONKULU: Rian, what is the importance of data security and the company’s responsibility? And would you say that this is of utmost importance for startups?
RIAN SCHOEMAN: Definitely. Data has become the new oil. I would say it’s become the new gold. Information is everything. If your information is out there, it can be useful for so many malicious things.
Cyberterrorism can even be committed in your company’s name, and you can incur serious penalties, if not jail time, if you don’t protect this information.
We have the Protection of Personal Information [Popi] Act, so it is punishable if you do not protect your data. It’s become a very important thing for us to give serious attention to.
MELITTA NGALONKULU: What recourse do consumers have if companies are negligent with their personal information?
RIAN SCHOEMAN: There are a few things that you can do. One of them is to lodge a complaint with the information regulator under the Popi Act. They’re on record as saying that they cannot enforce the act yet because of this one-year grace period for compliance. But I would say still report it, so we can start seeing which companies are irresponsible with information.
Fortunately we are in a position where you do have some recourse these days. [As I said] we have the Protection Of Personal Information Act that came into operation in July this year. I say report breaches. I know there’s this one-year grace period where companies can’t really be held to account, but we need to get into the habit of reporting data breaches or irresponsible conduct with our personal information, so the companies that are negligent can actually be held to account.
Then, if credit card information was stolen, you must report it to your bank. They must cancel that card immediately. In most cases they will refund you and, if they don’t do it, the credit card companies will. You can also report it to the South African police, but they are not [ready] for these types of complaints yet. They are busy getting cybercrime units in place, and so on, but at this point, you’re not going to have a great amount of success reporting cybercrime to Saps [South African Police Service].
One thing I would say is to register with the South African Fraud Prevention Services.
Their website is safps.org.za, and you can do a preventive registration there.
If you know that your details were compromised, you can register with them. And then whenever someone applies for credit in your name or something like that, the large companies will check with them. If you have registered a data theft or an impersonation type of crime with them, they will take extra care and make sure that they are communicating with the right person before they enter into that agreement with you. And of course, credit bureaux have their own authentication services. So anytime someone applies for credit, you can get a notification and then you will know if it wasn’t you and you can stop that transaction.
MELITTA NGALONKULU: Rian, thank you so much for your time. It has been an absolute pleasure having you join us today.
RIAN SCHOEMAN: Thank you very much. I appreciate it.
To listen to other Small Business Conversations podcasts, go to Moneyweb.co.za, or follow Moneyweb News on the Moneyweb app, Twitter, Facebook, and LinkedIn for updates.