Cyber Security in South Africa: Toying with Risk

Mary-Jo De Leeuw

Cyber Security Hub speaks with Mary-Jo De Leeuw, founder of the Cyber Workspace and Women in Cyber Security Foundation, and President of Internet of Toys, a community platform that raises awareness on the security of connected devices for children...




CS Hub: Mary-Jo, what are the most striking examples of cyber security breaches you’ve experienced through your work?

Mary-Jo: Well, there are breaches with apps that most people know about. Most people know that you shouldn’t make a copy of your ID and put it on Facebook, for example. But people think that if they use apps on their phone, regardless of international borders, then nothing will happen. But there were breaches with Air Canada’s app, and one on British Airways – and those are the ones that are the most unexpected for average people.

And of course the breaches with the Internet of Toys – I think these are really worrying.

CS Hub: Are breaches within toys a common occurrence, or are these a few big exceptions to the rule?

Mary-Jo: No, it’s common. So much so, that we make fun out of it - it’s like a Dutch joke that I don’t know how to translate to English. We investigated one type of toy, every first Wednesday a month, and every single toy we investigated got breached. So, yes, I think it’s really bad.


'It’s not only about the breaches within the 'things', but also the lack of good protocols on the use of the connection.'


And if you have a look at the way people react to the breaches, I don’t think they really see the problem.

CS Hub: Really? They don’t see the issue?

Mary-Jo: No, and they couldn’t care less. About three weeks ago, I breached an app similar to WhatsApp that uses your Facebook profile and associated data. I showed people how I could gain access to all of their files and media and photos. And then I copied it and stored it somewhere else in the cloud. And the people were like, “oh, yes, but it’s only my Facebook data, what do I care?”

It’s quite difficult to understand why people don’t see why this is so important.

CS Hub: And do you think that all the companies that are using this data are aware that what they’re doing is illegal – is immoral?

Mary-Jo: I think they see it as good business – for example, the app from Air Canada. They just thought that it would create a better customer journey and better traveller experience, so they came up with the app to make life easier for the customers. But instead of making it easier they just breached all the data. So I don’t think most of the companies who come up with plans like this actually understand what it means if it gets breached, or if you lose all the data.

CS Hub: And are those working in your industry reacting well to this idea that we all need to take more care of cyber security?

Mary-Jo: I think, except for you and me, the entire world doesn’t actually see the problem. They understand cyber hygiene, and advice about usernames and passwords, but if you try to show them what it really means, they don’t.

CS Hub: So, people really don’t understand what they think is a simple concept?

Mary-Jo: Well, in England, for example, you have something going around called domestic violence by the use of IoT.

CS Hub: Really?

Mary-Jo: Yes! And there’s a professor from University College London that runs a taskforce to combat it. But I tried to get hold of numbers in Holland for this sort of thing, and I managed to contact a specific party. I also asked the NGO in charge of keeping track of all numbers in the country, and I asked the police about what they were doing, too.



CS Hub: And…?

Mary-Jo: They all deny the existence of domestic violence by use of the IoT. The police don’t even understand cyber bullying. They tell me it’s non-existent because they don’t have numbers or they don’t know how to run that specific complaint. If you go to the police and say that this has happened to you, they’ll send you home because they'll think it’s just a joke. In England you can get a jail sentence for a couple of years, but it’s not written in Holland’s laws, and there’s nothing we can do about it.

CS Hub: And do you think that the lack of women working in cyber security is making the problem even worse?

Mary-Jo: No, I don’t think so. Not only is it about the 'things', but also about the topical use on the connection – with some using an internet connection like Wi-Fi, and others using low-energy types like Bluetooth. It’s not only about the breaches within the 'things', but also the lack of good protocols on the use of the connection.

CS Hub: We’ve spoken about the situation in the Netherlands and the UK, but what are your views on the situation in South Africa? Is the uptake of cyber security better?

Mary-Jo: I can’t even find a nice word to describe the situation. The first thing I saw in Cape Town when I entered a toy store was a specific toy that was already banned from stores all over Europe. And I thought, oh, you can just buy it? And I bought it.

There are lots of small things. When you go to a restaurant, for example, and you want to make a transaction with your bank card, if you see the connection that some stores make in order to transfer the money, you can so easily detect the security measures.

There’s also a lot of skimming going on, too, so it’s worrying. It’s about time they buckle up for cyber security.

CS Hub: Do you think it’s a lack of experience there that’s the main problem?

Mary-Jo: I think it’s legislation, and of course they have some other problems. In South Africa, many people didn’t have access to internet for a long time, so most of the people aren’t used to securing things. The security is the least of your worries, if your daily problem is how to survive in a township.

If you compare it with Dubai or China, these countries had only one priority, and it was to gain more money. If you want your economy to blossom, you want to build stuff, generate more industry, and so on – so security is at the bottom of your priority list.

CS Hub: Because it’s seen as a barrier to growth.

Mary-Jo: But I don’t think it is in Western Europe. In Holland, there is yearly research on cyber security awareness, and last year, 50 percent out of all the people in Holland literally said, “I couldn’t care less”.


'The security is the least of your worries, if your daily problem is how to survive in a township.'


I think there needs to be a “dead body” before people in the West understand specific needs for security.

CS Hub: Why isn’t the threat to wallets enough to change attitudes?

Mary-Jo: Partly because people say they don’t have anything to hide, and they don’t understand things about identity theft. Most people think this is far from my house and it will not affect me.

I think it only affects you if you were on the Air Canada plane during the breach, for example.

CS Hub: So what would be the one thing you would change?

Mary-Jo: Mind-set. I don’t really believe in regulation or laws because I think the law is something that should make sure that if your data’s breached you get protected.

In Holland, they want to come up with a law that will forbid unsafe Internet of Things devices, but you cannot do such a thing because you only know if something is unsafe until you’ve played with it for months. So I don’t really believe in making laws because the politicians normally don’t get the problem.

So I believe in awareness, but it’s maybe just a mind-set. I don’t think another awareness campaign will work. I think if you show them what the problem is, if you put the hacked toy on table and show them that you’ve been eavesdropping, then people actually wake up. But I don’t think a new law will make a difference at all.

For the parents out there, I hope I haven’t scared you!