With Papua New Guinea becoming more connected to the world through the internet and other digital platforms, the need to be alert to threats is becoming more important. Robert Blackman points out the risks, and considers the National Information and Communications Technology Authority’s recently-released draft policy on cyber crime.

The cost of cyber crime globally is high and appears to be increasing.

According to US Internet security awareness training firm KnowBe4, the losses attributable to cyber crime total US$113 billion (K316 billion).

Deloitte PNG’s Robert Blackman

A Cost of Cyber Crime Study conducted by US research centre the Ponemon Institute notes that costs for businesses that are victims of Internet-based attacks has risen 78% per year, on average, between 2010 and 2013.

Ponemon also says the time needed to recover from a breach has increased 130% over that time.

PNG business vulnerable

Papua New Guinea businesses are particularly vulnerable to cyber crime because our environment is very young. People are still getting used to the technology and, because the current controls in place are very minimal, we are easy targets for cyber criminals.

Typically, there are two crimes on the internet; they are old crimes using new technology and new crimes using new technology. The existing legislation does not address new crimes using new technology. The National Information and Communications Technology Authority’s new regulatory framework is designed to address these new crimes using new technology.

Main cyber crimes

The two main crimes I see are ‘data loss’ and ‘denial of service’ (that is, the attempt to make a machine or network resource unavailable to its intended users by, for example, flooding sites with spam).

Business—often banks, other financial institutions and credit card companies—is particularly vulnerable to ‘denial of service’ attacks,.

‘Public education and continually updating the public on the latest tactics and tools being used by hackers would go a long way to minimise the risks associated with cyber crime.’

But other attacks prevalent in many other countries include fraud, forgery, identity theft, misusing computers, hacking (or the penetration of computer systems for data) and industrial espionage.

Other international trends include breaches of copyright and breaches of confidentiality, remaining in an electronic system or network, intercepting electronic data or even interfering with it. These are addressed by NICTA’s draft policy, as are content-related offences, including child pornography, SPAM and harassment.

It is standard practice in most countries for police to access citizens’ computers, tablets and mobile phones ‘should there be reasons to believe that they have been used to commit an offence’.  This usually means getting approval from a judge.

Areas to improve

There are three areas where NICTA’s draft policy could be strengthened including establishing reporting systems for cyber-crime against business. Requiring companies to have their own policies to address information security would be very helpful.

‘We cannot completely get rid of cyber crime, but a holistic approach needs to be established to mitigate the impact’

The second is that of education. Improving public awareness on the latest tactics and tools being used by hackers would go a long way to minimise the risks associated with cyber crime. The United Kingdom provides an excellent role model with a robust and comprehensive approach to dealing with cyber crime.

The third area is being able to track and seize proceeds of crime, providing the legal framework so that prosecutors and police can trace seize money, often stolen through the internet.

Funds needed

NICTA’s policy is written by local people for local conditions which means it is more likely to be embraced by local people and the community.

As part of the process of adopting this important policy, I hope sufficient funds will be made available for NICTA specialist to align themselves with regional and international agencies so they can stay abreast of global anti-cyber crime developments.

We cannot completely get rid of cyber crime, but a holistic approach needs to be established to mitigate the impact—an approach that includes controls to prevent, detect and respond to inappropriate activities.

An IT director, chartered accountant and certified security system specialist, Robert Blackman is Director, Assurance & Advisory Services (IT) at Deloitte Touche Tohmatsu’s Papua New Guinea office.