When the police release the latest annual crime statistics tomorrow, chances are there will be little or no reference to cybercrime.
Perhaps it is because the concept of cybercrime is still relatively new and not everyone is aware of the risks. Businesses are complicit in the lack of awareness of the threat because cybercrimes are hugely under-reported. This urgently needs to change.
In the words of Beza Belayneh, CE of the South African Centre for Information Security, cybercrime is a national crisis. Business is affected by crimes such as fraud, murder and robbery; and indirectly through the effects of crime on insurance, investment and business confidence. Cybercrime will also affect business, directly and indirectly, with direct losses including electronic cash theft, identity theft, information theft, deleting information from systems and rendering systems unworkable. The indirect effects includes the cost of securing against intrusions, replacing equipment, appointing specialist security staff, compensation to clients who suffered losses, insurance costs and loss of customer confidence.
According to a study by cyber security firm Wolf pack Information Risk, the three sectors hardest hit by cybercrime in South Africa were government, banking and telecommunications. They were conservatively estimated to have lost R2.6bn between January 2011 and August last year. What we do not know is how much cybercrime goes unreported or undetected.
Because police statistics do not precisely categories cybercrime, they do not tell us the extent to which South Africa has become a victim of it. What we do know is that it is a critical threat to be taken very seriously.
The National Cyber security Policy Framework was approved by the Cabinet in March last year, but is not yet publicly available. As a result, the only official definition of cybercrime is contained in the 2011 draft policy framework, which says cybercrime is "illegal acts, the commission of which involves the use of information and communication technologies." Police record all kinds of fraud, forgery, misappropriations and embezzlement as "commercial crime".
But crimes related to the "increasing role of computerization and electronic communication in commercial activity" is still referred to as "so-called cybercrime", without it being specified or quantified.
All businesses are potential targets, but small businesses are now on the front line. According to Symantec’s 2013 Internet Security Threat Report, 50% of all targeted attacks last year were aimed at businesses with fewer than 2,500 employees. The largest growth area for targeted cybercrime attacks was businesses with fewer than 250 employees.
David Szady, vice-president of the US security conglomerate Guardsmark, was quoted in South Africa safety and security magazine Servamus in August last year as saying thousands of intrusions into corporate networks, government systems and personal computers are occurring every day; though the real threat is in the "continuous transfer of wealth from national economies".
Szady believes that if the trend towards rapidly increasing cybercrime is not reversed, it will have a catastrophic economic effect, resulting in reduced economic growth, impaired competitiveness and job losses.
Verine Etsebeth, a lecturer in information security and data protection at the University of the Witwatersrand, says cybercrime is bigger than the global black market in marijuana, cocaine and heroin combined. She said earlier this year that there were twice as many cybercrime victims as newborn babies. It is useful to consider the experience of a country such as the UK, which has a substantially bigger economy and which is typically a few years ahead of South Africa in technology trends and risks. More than 9-million adults in the UK have had online accounts hacked and 8% of the population say they have lost money to cybercrime in the past year. Cyber security experts at the University of Kent report that 2.3% of the UK population reported losing more than £10,000 to online fraud and cybercriminals.