Daniella Kafouris, Deloitte Risk Advisory

Daniella Kafouris, senior manager and data privacy/PPI compliance lead at Deloitte Risk Advisory, said companies need to prepare to take action on the Protection of Personal Information Bill (PPI), which is awaiting the National Council of Provinces' approval before being signed into law.

She said the privacy law, which may be enacted this year, is the first consolidated piece of privacy legislation in the country, and dictates how, and for what purposes, personal information may be used. It also dictates how data must be stored securely, and forces companies to tell people if their information has been breached.


Non-compliance will carry hefty penalties under the proposed legislation, with fines of as much as R10 million for breaches.

What companies must do now:
• Align policies and processes;
• Align roles and responsibilities;
• Start the foundation of an incident management function;
• Appoint privacy officers;
• Start educating the organisation, clients and third-parties; and
• Start addressing gaps in current policies and procedures.



Cyber war is becoming a real threat as cyber attacks escalate from individuals, to enterprises, to country level, said Gordon Love, Symantec's regional director for Africa.

“We are already seeing attacks on critical infrastructures, such as oil and gas infrastructures and nuclear facilities. The potential for cyber war is a reality, and companies and government agencies are fast moving to establish Cyber Incident Response Centres to counteract the new threat.”

South Africa is consistently among the top five countries globally to be the target of phishing attacks, and has vulnerabilities in several areas, said Love.


Kayode Adesemow

There are several laws, regulations and governance frameworks that have an impact on information security, as well as pending regulations and frameworks, said an information security specialist and academic professor from the University of Johannesburg:
• Chapter five of the King III code on governance, which specifies that IT governance must be a board issue;
• Cobit 5, international best practices for the information and IT sectors, which was announced at the end of last year;
• ISO 27001/27002, the leading international standards for information security;
• The Electronic Communications and Transactions Act;
• The pending Protection of Personal Information law;
• The ICT policy review;
• The National Cyber Security Policy Framework; and
• Government-wide ICT Governance Policy Framework.


BYOD doesn't have to be a threat to data security, said Ely, founder and COO of US-based start-up Bluebox.


BYOD has long been a concern for CIOs and CISOs as they grapple with the challenges of enabling a mobile workforce, using the devices of their choice, while still trying to protect critical data across a range of platforms and devices, he said.

However, Ely pointed out that effective management of BYOD is within reach: “It's all very manageable. Mobile is just a new ecosystem, and management starts with an understanding of this ecosystem, how people use it, what data they are interacting with and what data they need. You need insight into where the data flows on and off the device, and apply proper controls in the right places.”

SA attacks based on simple tech

Craig Rosewarne, MD of Wolfpack and founder and chairman of ISG, unpacked the key findings of the 2012/13 SA cyber threat barometer at the ITWeb Security Summit.

“From a strategic national point of view, there are no stats for SA. This is a problem, because if we don’t have these stats, it appears there are no problems.” The study found the majority of cyber attacks taking place in SA are executed by petty criminals using simple technology.

The top cyber services under attack are Internet banking, e-commerce sites and social networks, with phishing, the abuse of system privileges and malicious code infections the top methods of attack, the report found.

According to Rosewarne, on average, each person who was caught by a phishing scam lost about R10 000, and over the period in review, R94 million was lost to this kind of attack.

Hackers fail on CI scores

While the threats posed by organised cyber crime are very real, international forensic researcher, the Grugq, has pointed to flaws in global hacking organisational structures.

Phil Allen, Dell EMEA

He said hacking organisational structures today have some areas in common with the organised criminal underworlds of the late 19th and early 20th century. Notably, both have fairly flat hierarchical structures, and both comprise individuals who work largely independently.

The Grugq said there are four main intelligence threats to hacker organisations: penetration, technical monitoring, passive surveillance and media exposure.

“Informants remain a problem. If you’re doing something illegal, people are your biggest threat.”

Assessing the counter-intelligence capabilities of today's hacker groups, the Grugq said that in general they fail to examine the flaws that lead to one of their own being caught, and fail to adapt their operations accordingly when one is caught.

“In the long run, hackers could be doomed because their organisational skills and counter-intelligence are poor.”

Web-based attacks on the rise

The rate of Web-based attacks blocked per day increased by 30% in 2012, while the rate of discovery of vulnerabilities has only increased by 6%, said Symantec.

The recently published 2013 Symantec Internet Security Threat Report indicates that Symantec blocked 250 000 Web attacks daily last year. One in 532 Web sites was infected, while 1.6 million new variants were discovered every day.

Approximately 53% of Web sites scanned were found to have unpatched, potentially exploitable vulnerabilities (36% in 2011), of which 24% were deemed to be critical (25% in 2011). The most common vulnerability found was cross-site scripting.

Ten basics for IT asset disposal

IT asset disposal (ITAD) is an indispensable part of a company’s day-to-day operations, said Kayode Adesemow, information assurance consultant, chartered engineer and project manager. Adesemow said effective and safe ITAD “is not rocket science – it is just a case of going back to basics”. He advised:
1. Plan for disposal at time of acquisition.
2. Invest in the continuous monitoring of IT equipment.
3. Put in place an ITAD process spanning the business unit, ICT and asset management.
4. Ensure the IT asset life cycle is integrated with an information asset register, configuration item and the organisation’s supply chain management system.
5. Only close service desk tickets after information reputation assessment has been carried out.
6. Think about information reputation disposal. The organisation must ensure that, as part of its ITAD process, a clear alignment with green IT and ISO 14000 is thought through.
7. Use a network concept. When an IT asset is moved from one resource to another, the information contained in the asset must be assessed and wiped off, either up to the degree of need of the next resource – or completely wiped off.
8. A residual information assessment should be carried out to ensure the organisation’s data is removed. Data cleansing must take care of administrative, legal and social responsibilities from start to finish.
9. It is critical to have clear-cut processes in place when retiring or redeploying IT assets. Leverage on investment in existing standards, regulation and best practices such as ISO 14000, ISO 27001, ITIL/ISO20000, COSO, enterprise risk management and asset management.
10. Engage the services of independent consultants to review and assess the organisation’s ITAD process.


The safeguarding of companies' systems is more crucial than people may think, said Alexander Polyakov, CTO of ERPScan. He noted:
• is the most popular business application in the world, with more than 180 000 customers worldwide.
• Seventy-four percent of the Forbes 500 companies run .
• In SA alone, had over 300 clients, as far back as 2004.
• Almost every single government department runs .
• is remotely exploitable.
• Many companies expose critical services to the Internet.
• Unauthorised access to means companies run the risk of espionage, sabotage and fraud.

The research director at NSS Labs addressed ITWeb Security Summit delegates on the cyber crime kill chain versus the effectiveness of defence layers.


Identity and access management and governance are not just about technology – they are a business management issue, said Phil Allen, director of identity and access management at Dell EMEA.

“The information a company holds, and the people using this information, are really all that matters in companies today,” he added.

It is therefore critical to govern who accesses what information when: “Information access management is about giving the right people access to the right information at the right time, through the right means. For effective information access management, IT and business management need to ask who, what, how, when, where and also why the information should be accessed,” he said.

“There is no one-size-fits-all approach to information access management,” said Allen, “but information access management must support the business goals.”


The COO of Paladion said the technology behind fraud is making it much easier to commit, and fraud is therefore on the increase, affecting multiple industries, from banking and insurance to telecoms.

In SA, telecoms fraud is a particular concern because of the relative maturity of banking and telecoms compared to other countries, and the common practice of payments being made over telecoms networks, he noted.