South Africa’s information security challenges

South Africa is one country that has been struggling to come to terms with the huge cyber security problem it faces. According to the Global Fraud Report, an annual publication that ranks regions according to the number of incidents of cybercrime, sub-Saharan Africa has the third highest exposure to incidents of cyber fraud of any region in the world. And, according to the research, incidences of cybercrime and cyber security breaches are rising.

South Africa is one of the leading targets for cybercriminals on the African continent due to its relatively high rate of internet connectivity in relation to other African countries. This opens it up to all kinds of threats, many of which businesses and private individuals are ill-equipped to deal with.

What type of risks does it face?

As with other countries around the world, South Africa faces an ever-evolving range of threats. However, the Global Fraud Report ranks data deletion due to system issues as the most prevalent form of attack. After that, wire transfer accounted for 26 percent of cybercrime in the country, which was far above the global average of 14 percent.

Other prevalent forms of attack include viruses and email-based phishing scams, which cause such problems that short-term South African lender Wonga has recently produced a guide to help its customers identify genuine and fake emails.

The report also looked at the numerous threats to South African businesses, with unlawful acquisition or interference with sensitive data the most common. In fact, data breaches were found to have a total organisational cost of R20,6 million.

The introduction of the Cybercrimes and Cyber Security Bill

Until very recently, South Africa did not have any legislation in place to combat cybercrimes. On 21 February 2017, all that changed with the introduction of the Cybercrimes and Cyber Security Bill. The Bill criminalised a number of activities, including but not limited to:

  • Unlawful acquisition of data

  • Unlawful acts in respect of software or hardware tools

  • Unlawful interference with a computer programme

  • Unlawful acquisition, possession, provision, receipt or use of password, access codes or similar data or devices

  • Unlawful interference with a computer data storage medium or computer system

The Bill also imposes a range of penalties for offenders, which include fines and custodial sentences of up to 15 years.

The first line of defence

Although the new legislation will make it easier to prosecute those involved in cybercrime, it will not help to protect businesses and private individuals in the first instance. When it comes to your personal finances, the onus is on you to protect yourself.

This can be done by:

  • Updating your operating system, software and internet browser

  • Regularly running up-to-date antivirus software

  • Keeping a backup of important files

  • Regularly changing your passwords

  • Learning to recognise the signs of phishing scams

Do you think the government is doing enough to combat cybercrime?

Perhaps you’ve been a victim?

Please share your experiences in the comments below.

Partner Content: This article is brought to you by Wonga.







HHS Publishes Health Industry Cybersecurity Practices | Privacy & Information Security Law Blog

The U.S. Department of Health and Human Services (“HHS”) recently announced the publication of “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (the “Cybersecurity Practices”). The Cybersecurity Practices were developed by the Healthcare & Public Health Sector Coordinating Councils Public Private Partnership, a group comprised of over 150 cybersecurity and healthcare experts from government and private industry.

The Cybersecurity Practices are currently composed of four volumes: (1) the Main Document, (2) a Technical Volume of cybersecurity practices for small healthcare organizations, (3) a Technical Volume of cybersecurity practices for medium and large healthcare organizations, and (4) a Resources and Templates Volume. The Cybersecurity Practices also will include a Cybersecurity Practices Assessments Toolkit, but that is still under development.

The Main Document provides an overview of prominent cyber attacks against healthcare organizations and statistics on the costs of such attacks—such as that in 2017, cyber attacks cost small and medium-sized businesses an average of $2.2 million—and lists the five most common cybersecurity threats that impact the healthcare industry: (1) email phishing attacks, (2) ransomware attacks, (3) loss or theft of equipment or data, (4) insider, accidental or intentional data loss and (5) attacks against connected medical devices that may affect patient safety. The Main Document describes real world scenarios exemplifying each threat, lists “Threat Quick Tips,” analyzes the vulnerabilities that lead to such threats, discusses the impact of such threats and provides practices for healthcare organizations (and their employees) to consider to counter such threats. The Main Document concludes by noting that it is essential for healthcare organizations and government to distribute “relevant, actionable information that mitigates the risk of cyber-attacks” and argues for a “culture change and an acceptance of the importance and necessity of cybersecurity as an integrated part of patient care.”

The two Technical Volumes list the following 10 cybersecurity practices for small and medium and large healthcare organizations:

The Technical Volumes also list cybersecurity sub-practices and advice for healthcare organizations to follow, with the noted distinction that small healthcare organizations are focused on cost-effective solutions while medium and large organizations may have more “complicated ecosystems of IT assets.”

Finally, the Resources and Template Volume maps the 10 cybersecurity practices and sub-practices to the NIST Cybersecurity Framework. It also provides templates such as a Laptop, Portable Device, and Remote Use Policy and Procedure, Security Incident Response Plan, an Access Control Procedure, and a Privacy and Security Incident Report.

In announcing the Cybersecurity Practices, HHS Acting Chief Information Security Officer stated that cybersecurity is “the responsibility of every organization working in healthcare and public health. In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

The Cybersecurity Practices follow other key cybersecurity documents published by HHS, including the checklist on cyberattacks and the ransomware fact sheet.



Information Security and Cybersecurity Efforts for 2019 | KirkpatrickPrice

As organizations plan their information security and cybersecurity efforts for 2019, we often hear a lot of confusion and frustration about things like frameworks modifying their requirements, the cost of audits and assessments rising, scopes getting bigger, and testing seeming to get more difficult.

The threats will do nothing but persist in 2019. You need to do more to protect your organization. When prices or scope or frequency increases, here’s what we’re going to ask you: don’t you want more in 2019 than you got in 2018?

Root Causes of Data Breaches and Security Incidents

Some things stay the same. The root causes of data breaches and security incidents center around three areas: malicious attackers, human error, and flaws in technology. Let’s dive into how these areas impact your organization’s information security and cybersecurity efforts.

These root causes, all connected to malicious attackers, human error, and flaws in technology, impact your organization’s information security and cybersecurity efforts in a significant way. Did you experience a negative impact from these areas in 2018? How are you going to mitigate the risks in these areas for 2019?

Cost of a Data Breach

There’s no denying that information security and cybersecurity efforts require a financial investment, but so do data breaches and security incidents. According to Ponemon, the average total cost of a data breach was $3.86 million in 2018 – a 6.4% increase from 2017. You can bet that in 2019, that number will grow again.

Organizations are usually surprised that the following elements drive up the cost of a data breach:

Take the City of Atlanta, for instance. When the SamSam ransomware attack hit in March of 2018, it was initially estimated to cost $2.6 million in emergency response efforts. Incident response consulting, digital forensics, crisis communication, Microsoft expertise, remediation planning, new equipment, and the actual ransom cost added up quickly. It’s now speculated that this ransomware attack cost $17 million.

As the cost of a data breach rises, so does the cost of information security auditing and testing. The threats are pervasive – how can you make a smart investment to avoid the cost of a data breach?

Your Plan for 2019

Now that you’ve learned about the persistent root causes of data breaches and security incidents, plus the cost of a data breach, what are you going to do about it in 2019? How are you going to modify your information security and cybersecurity efforts? Here are a few areas to consider as we head into a new year:

No defense is 100% effective. There are no guarantees that a data breach or security incident won’t occur. Organizations must be vigilant in doing what they can to prepare, detect, contain, and recover from persistent and sophisticated threats. Auditing firms must also commit to providing quality, thorough services that will empower organizations to meet their challenging compliance objectives. At KirkpatrickPrice, that’s our mission and our responsibility. Contact us today to discuss how we can prepare your organization for the threats of 2019.






Information Security Challenges And Solutions


For any organization, big or small, information security is the topmost priority. Protecting data from hackers and cybercriminals is the biggest challenge and concern. To mitigate it, all the big IT firms, software infrastructure vendors, network operators, application developers and countless research organizations have joined hands and are working hard to fight the vulnerability, theft and breach of information.

Security products like firewalls and virus scanners are all outdated now. They are redundant and no longer give satisfactory protection against unknown threats and the thousands of mutations and variations of spyware and viruses. To alleviate this situation, new technologies and applications require nothing less than an entirely new archetype with a more robust infrastructure.

Let us now deliberate over some of the biggest information security challenges that the organizations are facing today and what could be the plausible solutions.


Confidentiality and privacy are the biggest challenge faced. There is no well-rounded protection system to ensure that only the intended addressees can access and read the information. Hackers are pocketing login information and using those details to access sensitive information and applications.

Second, the integrity of the data or information is another big challenge. Original information or material can easily be altered, tampered with and changed.

Third is authentication. There is a lot of obscurity about the source: knowing whether the information shared or sent by the stated sender is authentic or reliable is a big challenge.

And lastly, there is availability. That is, assuring that crucial information can be accessed or retrieved at all times and from all places is quite challenging.


However, these challenges do have resolutions. What companies need to do is find a single cybersecurity solution that effectively meets all their requirements and needs, such as one that integrates cryptographic segmentation and role-based access control.

3i Infotech is a titleholder when it comes to Information Security. The company knows that networks are currently extremely dependent and interconnected, and that all they need is effective, operative security to avoid any sort of unnecessary invasion.

And so, keeping up with today’s network needs and requirements, 3i Infotech provides end-to-end security solutions to organizations. The company believes that the security of systems and networks should always be in pace and in sync with business activities. The security services of 3i Infotech are extremely advanced, with processes and technologies that provide secure access to business applications.

Moreover, the unique system integration team of 3i provides a layered security approach that addresses the infrastructure as a whole. All these, in combination, ensure no breach of information during any transaction or functioning of the business applications.

So there you go with information security, what it means, its challenges and solutions.

The post Information Security Challenges And Solutions appeared first on 3i Infotech.






Agreement On Proposal For Cybersecurity Act | Privacy & Information Security Law Blog

The European Commission (“Commission”), the European Parliament (“Parliament”) and the Council of the European Union reached an agreement earlier this month regarding changes to the Proposal for a Regulation on ENISA, the “EU Cybersecurity Agency”, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology Cybersecurity Certification (the “Cybersecurity Act”). The agreement empowers the EU Cybersecurity Agency (known as the European Union Agency for Network and Information Security, or “ENISA”) and introduces an EU-wide cybersecurity certification for services and devices.

The Cybersecurity Act was introduced in a wide-ranging set of cybersecurity measures adopted by the Commission on September 13, 2017, and proposed as a priority of the Digital Single Market Strategy. The objective of these measures was to deal with cyber-attacks and build strong cybersecurity in the EU.

More powers for ENISA

The Cybersecurity Act reinforces ENISA’s centrality to better support Member States when facing cybersecurity threats or attacks. The Cybersecurity Act grants more powers to and new tasks for ENISA, including:

ENISA will also be recognized as an independent center of expertise that will promote awareness to citizens and businesses and that will assist the EU institutions and Member States in the development and implementation of policies.

Cybersecurity certification framework

The Cybersecurity Act also introduces an EU-wide cybersecurity certification framework to ensure that the products and services sold in the EU comply with EU cybersecurity standards. This is a great step forward as it is the first internal market law that enhances the security of connected products, Internet of Things or critical infrastructure by implementing a single certificate.

The hope is that consumers will benefit from this new regulation as manufacturers provide detailed information on cybersecurity for certified products and services including guidance on installation, the period for security support and information for security updates. The Cybersecurity Act, in this view, will increase consumers’ trust in products and services they choose to use as they will have warranties that these products and services are cyber secure.

Similarly, companies will also benefit from the Cybersecurity Act as they will save significant costs on certification. A one-stop-shop cybersecurity certification means that companies, and especially Small and Medium-sized Enterprises (SMEs), will not need to apply for certificates in different countries; one certificate will be valid throughout the EU. Certification will no longer be perceived as a market-entry barrier for companies but as a competitive advantage. In addition, companies may certify their own products for a minimum level of cybersecurity.

Better governance

To make future initiatives clearer and more transparent for industry, the Parliament requested that a Union rolling work program be a component of the cybersecurity certification framework’s governance, and involved in setting the strategic priorities on future certification requirements.

Next steps

The Parliament’s Committee on Industry, Research and Energy and the Council of the European Union must still formally approve the proposed agreement. If approved, it will then be published in the EU Official Journal. The Cybersecurity Act will enter into force twenty days following that publication.
