The internet today is more than a fast information technology tool. It connects people and systems and facilitates transactions across borders in ways we never imagined, and it offers enormous advantages to its users.
With the help of the internet, much of the hectic traditional way of doing things has been simplified and made more accessible. The internet can also be referred to as cyberspace, and any activity on the internet can be described as activity within cyberspace. A lot goes on within this space: business, communication, and also crime, including theft.
This can make the space unsafe for users of all ages, leaving the cyber environment as a war zone in which only the fittest and the smartest survive. Whether one is making a purchase, browsing the daily papers, making a bank transaction or communicating, people need to provide information about themselves in a way that distinguishes them from other users. This gives the user an identity on the web, and it leads us to the case for the security of the data we provide, particularly within cyberspace: data protection.
Simply put, data protection is the practice of protecting any form of data from unauthorised access and use. The idea predates computers: in a manual filing system, certain files are classified by the manager and kept under his lock and key, away from the rest of the employees. The same concept applies to digital data, whether it resides on the web or locally on a computer system. The question is how safely data can be kept digitally, bearing in mind the complexity of the technology and the ever-rising demand for data by users regardless of their physical location, the very thing the internet has helped to simplify.
Over recent years we have witnessed a number of breaches of local computer systems and web-based systems all over the world, exposing very confidential details of the operations of businesses and, in many cases, of wealthy individuals. The exposure that follows such breaches more often than not concerns the customers who patronised the services of the affected company.
Examples of devastating breaches in which consumers bore the brunt of the carelessness of their service providers include the recent Equifax breach, which exposed the personal details of 143 million adult Americans; the breach at the ecommerce website eBay, which exposed the details of 145 million customers; and the hack of Sony Pictures, which exposed 1 million user passwords and thousands of music codes. This brings us to PII.
PII is personally identifiable information: information about an individual that uniquely identifies him or her. Examples are a person's name, email address, date of birth, social security number, bank account number and residential or postal address; credentials such as usernames, passwords and PIN codes are stored alongside it and are just as damaging when exposed. These identifiers are not easily or frequently changed, and they are what most service providers demand of their customers so that they are sure of who they are serving. This is especially true of web-based providers, who serve their clients virtually and need to know who and where their client base is.
However, at the corner of this good intention of knowing your client lies the safety of the details the client provides. Those details must be guarded for confidentiality, integrity and availability, the primary principles of securing information.
The reality is rather the converse of the ideal. Most service providers in cyberspace, and the brick-and-mortar institutions that have migrated their traditional services to the internet, promise to keep safe whatever data they receive from their clients for processing. Yet every now and then customers receive a "we are sorry" message from the CEO or the CIO (Chief Information Officer) of their service provider stating that its servers have been compromised and that some amount of data, including valuable PII, has been accessed by attackers.
This is happening in the most advanced countries of the world, with the most sophisticated systems and professionals manning them. How much more, then, in a budding nation like Ghana. The interesting thing about PII is that you can change your email address, password or username when they are exposed, but how do you change your date of birth, driver's licence number, bank account number or credit card number?
These are unique identifiers that have identified you over the years, and in most cases it is impossible to go back and change them on the various documents on which they have been used. The implication is that, for the rest of their lives, the victims live at risk of cybercrime.
Ghana has an expanding economy, and its economic actors, policy makers and entrepreneurs have an appetite for digitising processes in both the public and private sectors, as a way of becoming at par with global economic partners and plugging into international markets regardless of time zone.
As laudable as the idea is, one may ask: how safe is the data of Ghanaians and non-Ghanaians? Currently, Ghana lacks a single national database to house basic information about citizens and non-citizens. Such a database would be of great value to institutions of all kinds, public and private, which could query and retrieve data about their customers from it. It would mean one institution is responsible for collecting and processing personal data into a single national database, a central point from which others retrieve data about the citizens and non-citizens who are their customers. A central store of this kind is also the most valuable target an attacker could wish for, so it only makes sense if it is held to a far higher security standard than the institutions querying it.
Such an arrangement would allow for more stringent control over the data collected and for enforcement of the Data Protection Act, which stipulates that data collected by data controllers must be used only for the purpose and duration they stated and destroyed afterwards, unless an extension is applied for, and that no data controller may feed another with the data of individuals without their explicit permission. It would also allow attention to be focused on the safety of the data, considering the scarcity of security professionals in the country.
The status quo is a scuffle. Every institution, private or public, that needs personal data from customers now sets up its own data collection point on its premises, to the extent of collecting biometric data, which is by far the most unique way to identify a human being.
The disadvantage of this is that, if the institution does not maintain high security standards when processing and storing the data it collects, that data may fall into unauthorised hands and end up on the internet black market, to be purchased by cybercriminals for malicious use. It is a fact that most of the institutions collecting personal data do not run secure systems, and some are not even registered with the Data Protection Commission. Most mobile phone users now receive advertising messages from third-party organisations for goods and services the users never subscribed to. The likeliest explanation is that network operators are feeding third parties with user details for targeted advertising without the express knowledge of the users, a clear violation of users' privacy and of the Data Protection Act.
A lot of purchases and transactions take place on ecommerce websites in the country, with payment made by Visa and debit cards and, in some cases, by mobile money. Those that offer delivery, such as the food joints, allow you to add a delivery address. The big questions customers should be asking are these: are these ecommerce websites designed to resist cyber attacks to a reasonable degree? Do they validate and safely handle the input users submit to the web server? Are they registered with the Data Protection Commission as the law requires? These questions should engage users' minds before they patronise such services. Sadly, most customers are not even bothered.
The harm is that customers are exposed to identity theft. In the event of a breach, the PII used to identify a user and serve him or her can be accessed by the attacker who breached the system, and that attacker will sell the data on the internet black market to malicious people who buy it for malicious purposes.
The result is that you might begin to see strange deductions from your bank account in payment for goods you never ordered. Similarly, goods you never ordered get delivered to your doorstep for you to pay for. Sometimes your email account is taken over by an unknown character who then communicates in your name with your contacts and associates. At the very least, consumers should shy away from ecommerce websites that are not served over HTTPS. HTTPS only protects data in transit between the browser and the server; it says nothing about how the merchant stores or shares the data once it arrives, so it is a minimum, not a guarantee.
Aside from the burst of ecommerce onto the Ghanaian cyber scene, we are witnessing various information technology interventions by our financial institutions. Banks now offer internet banking, statements of account are emailed to customers, and the banking software at different branches talks to each other. These are innovative ways of transforming the space to make funds available to users at their beck and call, but security remains a huge concern.
Are the banks mindful of the security of the applications and web systems that are the vehicles for internet banking and allow the electronic transfer of cash between customers? Are those web systems served over secure connections? It is prudent to let the different branches talk to each other, but are those communications carried over virtual private networks that seclude the traffic from ordinary internet traffic? What IT policy benchmarks has the industry regulator set to guide the IT operations of these institutions?
In cyberspace, nothing and nobody is safe. Bank systems can be manipulated remotely through a compromised employee or customer. An attacker could mislead a manager with a phishing email and gain access to internal systems, and from there to information such as account numbers and balances, the assets and liabilities the bank holds, and other operational information that should be available to bank officials only. Beyond reading information, intruders can shut an entire system down and demand a ransom, as ransomware does.
This is how dangerous failing to secure systems can get. Attackers can manipulate the application or web system through various forms of injection to make false deposits, carry out fraudulent transfers between accounts, and generally make a mess of the whole system. Are our financial institutions in a position to fight off such attacks?
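The two questions above, whether a site safely handles what users submit and whether injection can be used to move money between accounts, are worth seeing concretely. The following is an added illustration, not code from the article or from any Ghanaian bank: a hypothetical transfer function for a small banking application backed by an in-memory SQLite database with three constructed accounts. The vulnerable version builds its SQL by string formatting, so an attacker who supplies the source account as `GH-0001' --` comments out the PIN check and moves the victim's money without knowing the PIN. The hardened version passes every value as a bound parameter, validates the amount, and rolls back unless exactly one row was debited and one credited. The account numbers, PINs and balances are made up, and the cleartext PIN column is a simplification (a real system would store a hash).

```python
import sqlite3

# Constructed sample data (not real accounts): number, PIN, balance.
SAMPLE_ACCOUNTS = [
    ("GH-0001", "1234", 500),   # victim
    ("GH-0002", "5678", 120),
    ("GH-0003", "0000", 0),     # account controlled by the attacker
]


def setup_bank():
    """Fresh in-memory database seeded with the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (number TEXT PRIMARY KEY, pin TEXT, balance INTEGER)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def balances(conn):
    """Account number -> balance, used to inspect the outcome of a transfer."""
    return dict(conn.execute("SELECT number, balance FROM accounts ORDER BY number"))


def transfer_vulnerable(conn, src, pin, dst, amount):
    """Authorises and executes a transfer with SQL built by string formatting.

    src = "GH-0001' --" turns the authorisation query into
        SELECT balance FROM accounts WHERE number = 'GH-0001' --' AND pin = '...'
    so the PIN check is commented out and the victim is debited anyway.
    """
    row = conn.execute(
        f"SELECT balance FROM accounts WHERE number = '{src}' AND pin = '{pin}'"
    ).fetchone()
    if row is None or row[0] < amount:
        return False
    conn.execute(
        f"UPDATE accounts SET balance = balance - {amount} WHERE number = '{src}'"
    )
    conn.execute(
        f"UPDATE accounts SET balance = balance + {amount} WHERE number = '{dst}'"
    )
    conn.commit()
    return True


def transfer_safe(conn, src, pin, dst, amount):
    """Same operation with bound parameters, input validation and a transaction.

    The injected string is now just an account number that matches nothing,
    and any transfer that does not debit and credit exactly one row each is
    rolled back, so no money is created or lost.
    """
    if not isinstance(amount, int) or amount <= 0:
        return False
    cur = conn.cursor()
    try:
        cur.execute(
            "UPDATE accounts SET balance = balance - ? "
            "WHERE number = ? AND pin = ? AND balance >= ?",
            (amount, src, pin, amount),
        )
        if cur.rowcount != 1:
            raise ValueError("debit did not match exactly one account")
        cur.execute(
            "UPDATE accounts SET balance = balance + ? WHERE number = ?",
            (amount, dst),
        )
        if cur.rowcount != 1:
            raise ValueError("credit did not match exactly one account")
        conn.commit()
        return True
    except ValueError:
        conn.rollback()
        return False


if __name__ == "__main__":
    payload_src, wrong_pin = "GH-0001' --", "wrong"
    bank = setup_bank()
    print("vulnerable:", transfer_vulnerable(bank, payload_src, wrong_pin, "GH-0003", 100), balances(bank))
    bank = setup_bank()
    print("hardened:  ", transfer_safe(bank, payload_src, wrong_pin, "GH-0003", 100), balances(bank))
```

Parameter binding is the fix, not escaping quotes by hand; the rowcount checks and rollback are what keep a partially applied transfer from silently creating or destroying money, which is the second failure mode a banking system has to rule out.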
The good news, however, is that Ghana has not yet suffered a serious cyber attack that disrupted the normal operations of a firm or brought it to its knees, as is currently happening to Equifax in the US or as was seen with Yahoo in the past. This does not mean Ghanaian firms run more resilient systems; rather, attackers do not yet find Ghana a lucrative destination. Norse's live attack map, which records hits on a global network of honeypots minute by minute and plots their origins and destinations, shows very little traffic directed at Africa, and Ghana in particular. Such maps measure where attackers are scanning and probing, not how well prepared the targets are, so the quiet says nothing about our readiness.
Besides the data protection legislation, the Data Protection Act, little has been done in the area of data security. We are on our own, and we are very much vulnerable. The day cyber attackers find Ghana a lucrative destination, the implications will be catastrophic across different sectors of the economy.
Policy makers should therefore regulate cyberspace with prudent policies, and the legislature must make laws that address the excesses of activity in cyberspace.