According to PricewaterhouseCoopers’ (PwC) Global Economic Crime Survey (GECS) 2022 report, cybercrime poses the biggest threat across organisations of all sizes because it is the most disruptive economic crime globally.
This assertion is linked to the resultant effect of the increasing inter-connectedness of the global technology landscape and technology developments such as the rise of Artificial Intelligence (AI) and cloud solutions. These have broadened opportunities for cyber criminals while at the same time promoting the sophistication by which cyberattacks can be launched.
Additionally, the emergence of platforms that provide ransomware and phishing as a service make successful breaches dramatically cheaper and more lucrative for attackers, exacerbating the cybercrime situation. The consequent 10.8 percent increase in the cybercrime statistic (which led to losses estimated at Shs19.2b cited in the Uganda Police Crime Report of 2022 is indeed of much concern.
‘Cybersecurity’ and ‘data privacy,’ two sides of the same coin, form the bedrock of our digital security and online safety. While cybersecurity shields interconnected digital landscapes, data privacy empowers individuals to control their personal information. These principles underpin various laws and policies which provide guidance for safeguarding system and data confidentiality, integrity, availability, authenticity, and non-repudiation.
However, the nature of threats still outpaces the evolution of protective measures. In today’s dynamic digital ecosystem, cybercrime tactics have evolved into a fusion of old and new strategies. Traditional tactics like phishing have morphed into highly sophisticated attacks. Cybercriminals leverage AI to bypass security measures and exploit vulnerabilities in advanced software and technology. By preying on AI’s strengths of understanding human behaviour, identifying patterns, anomalies, and signature-based detection systems to easily conceal red flags normally detected by corporate controls, cybercriminals are now better enabled to achieve a successful breach and within a shorter period.
The sophistication and threat of cybercrime attacks has also grown in tandem with the more nuanced motivations of threat actors. While financial gain remains a significant driver, we now see cyberattacks fuelled by a desire for notoriety (hacktivists), the thrill of the challenge/ the fun of it or the impact they create from disrupting nation-state infrastructure (sabotage). In some cases, threat actors weaponise cybercrime as a tool for espionage, providing a political advantage to their benefactor(s).
Furthermore, Covid-19 accelerated the use of technology platforms within organisations’ operations such as remote access to organisation systems via Virtual Private Networks (VPNs) and cloud solutions, deployment of bring your own device (BYOD) policy, use of video conferencing solutions, utilisation of social media platforms for customer engagement. While these solutions allow organisations to achieve “online anywhere at any time” objectives, they enlarge the attack surface and the amount of data that traverse through the public web which many cybercriminals take advantage of.
With an enlarged attack surface that hosts several systems which are interconnected and supporting several critical supply chains, the effects of a successfully perpetrated attack could be devastating. While such an attack could be a primary hit on one or more organisations which results in significant financial losses, data leakages, service disruptions and outages, these could easily cascade to a wider effect on sectors and the nation where the targets are a significant financial institution (SFI), a backbone operator or a government agency operating a nation-state system.
Therefore, organisations should integrate standard practices into their corporate controls such as, enhancing organisation’s technology capabilities in key cyber security areas, upskilling the current workforce fast enough to keep up with demands of the cyber landscape, continuous improvement of a cybersecurity framework to support regulations.
However, PwC’s DTI (Digital Trust Insights Survey) report 2024 highlights that over 30 percent of companies fail to consistently adhere to standard cybersecurity practices, leaving them vulnerable. A classic example of a recently reported incident where standard cybersecurity practices were not adhered to is the Uganda Securities Exchange (USE) which suffered a data security breach in July 2023 despite having an information systems policy manual and regulatory guidance.
Anna Grace Alwaro is an advisory associate at PwC.