When bankers were asked during a cyber-security engagement if their organisations had an ‘efficient budget’ to fight cybercrime, only one said theirs did.
Across about 25 commercial banks, one development bank, several microfinance institutions, several telecom companies and fintechs, such small budgets mean vulnerability to cyberattacks is high.
As technology continues to evolve, cyber threats continue to grow in sophistication and complexity, making cyber threats and cyber-attacks a leading concern for board members, CEOs, executives and regulators, especially in emerging economies.
Cyber security experts also believe that cyber security measures are increasingly being rendered ineffective in an era where cyber fraudsters are devising newer and more sophisticated online artillery that will see millions lost.
“Things are changing fast and we should be able to adapt too. It is high time companies invest more in technology as they invest in human resources,” said Jonathan Kwofie, the regional head of Information and Cyber Security (ICS) at Standard Chartered.
Kwofie, while addressing Uganda Bankers’ Association (UBA) members at Standard Chartered Bank Uganda’s Information and Cyber Security Industry Engagement, observed that emerging information and cyber threats surface in different forms, hence companies need 24-hour defense strategies.
“The recent ATM frauds and system hacking attacks that have happened in Uganda are a clear indication that cyber risk is already here and bankers need to move ahead of the culprits,” he said.
While chief executive officers are grappling with budgets, another challenge lies in the lack of local cyber security skills in Ugandan organisations.
Kwofie said that with the cost of cybercrime increasing every year across Uganda, this is still a challenge to the nation.
“We estimate that today, Uganda needs at least 3,000 cyber security professionals to keep pace with the number of organisations in need of this critical skill, yet we have observed that each year, just about 50 new personnel join the market,” he said, quoting Serianu Cyber Intelligence.
In five years, going by the current rate of technology uptake, Uganda will need at least 30,000 cyber security professionals because modern technology gives fraudsters the platforms to instantly access millions of people.
Uganda is ranked the 97th most attacked country in the world, according to cybermap.kaspersky.com, while Kenya is at position 47.
The threats present themselves in ways such as spear phishing, denial of service attacks, Distributed Denial of Service (DDoS), data espionage, natural threats, sabotage and computer frauds.
Other threats are malicious attacks, message falsification, vandalism, copyright violation, Internet Protocol links, zip files, executable files, applications, malware and ransomware.
The nature of attacks is changing, but most Ugandan companies are grappling with how to handle the changes. Since banks don’t work in isolation, the institutions they integrate with sometimes have no budgets or commit small budgets for cybersecurity, and end up causing the banks losses by proximity.
Edward Muwanga Barlow, the chief risk officer at Stanchart, said that given advances in Artificial Intelligence (AI), 5G technologies and electronic cars, companies should look at their budgets to keep up to speed with technology.
“We work with telecom companies on services like mobile money and other Fintechs in the course of our work. It is high time other players are brought on board,” Barlow said.
He added: “The latest trends in technology are now a nightmare; this means if traditionally a fraudster would take a week to commit a crime, with internet speed like 5G, they could do a million frauds within the shortest time possible.”
Mr Wilbrod Owor, UBA’s executive director, admitted that whereas this growth presents phenomenal business opportunities for the industry, it comes with risks associated with electronic connections to clients and others.
“Information and Cyber Security risks have never been greater and the consequences of failure more impactful for our clients and firms. They should be scrutinised,” he said.
Mr Owor added: “…this implies that there is a very high likelihood of each one of us being impacted. It is therefore critical to counter cybercrime by sharing information in order to effectively tackle the ICS risk which is constantly growing in complexity.”
He also appealed to the financial services sector to understand the risk environment and be security-cautious and vigilant around cyber risks. They should also equip themselves with cyber knowledge that will help to lower the likelihood of cyber risk events.
A survey carried out in 2018 for the Africa Cyber Security Report – Uganda by Serianu Cyber Intelligence indicated that Uganda has only 400 skilled cyber security professionals. There is also a shortage of skilled professionals at senior and middle management levels.
In addition, it indicated that 70 per cent of companies face a talent shortage of cyber security professionals, yet the country lost up to $52 million (Shs190 billion).
“Some of the constraints faced in the process of recruiting professionals include lack of experience and high remuneration rates. It is believed that between 2017/18, 25 per cent of the respondents spent above $10,000 [Shs36m],” Kwofie said, quoting the report.
What the future holds
Kwofie believes companies are now able to detect and report cybercrime; he said 15 per cent of the incidents were reported and 5 per cent were carefully prosecuted.
“The most affected industries according to the survey were banking, financial services integrators, microfinance, financial institutions and service providers and government,” he said.
William Makatiani, CEO of Serianu Limited, wrote in the report that breaches will continue to outpace spending and threats will evolve faster than enterprise security, hence security spending will be frequently increased.
Reducing exposure to threats
In trying to address this threat, Edward Mugerwa, Director IT at Bank of Uganda, said government, through the ministry of ICT, is in discussions with bankers and other stakeholders about developing guidelines that will cushion the industry against threats.
“Guidelines will be on how service providers are dealt with, for example they have to be vetted and should be people of unquestionable integrity,” he said.
He added that there will be minimum standards for every financial institution, since fighting cybercrime should not be left only to banks.