Going by the recent data breaches, businesses regardless of size and location are at risk of sudden cyber attacks. Although for Uganda’s case, the targets so far are mostly corporate organisations, cyber security experts have warned against complacency at all levels, indicating in no uncertain terms that every entity, is a potential target for cyber-attacks.
The Annual Crime and Road Safety Report of 2019, indicates that more than Shs41 billion was lost to criminals through pyramid schemes and other cybercrimes such as swapping SIM cards and hacking digital financial accounts.
Players in the banking and telecommunication economic sectors thus far remain the biggest victims of the regular cyber-attacks primarily because they are interlinked through aggregators or the same syndicated software.
Because of this, the motivation for cyber fraudsters and unethical hackers to tap into huge deposits of cash that the two custodians have in their disposal is much higher, explaining the mobile money heist and defrauding of the two banks (Stanbic and Bank of Africa) billions of shillings.
Early last week, the country was hit by shockwaves after learning of a mobile money heist that involved the two leading telecom companies, MTN and Airtel and banks, which was pulled off through a hack on the companies’ third party service provider, Pegasus.
Investigations into the case are still ongoing to unearth the perpetrators of the incident.
Cyber threats continue to rise as more organisations digitise their data and content. Therefore, no sector is safe against the growing dangers of fraudsters and hackers.
But where should organisations turn to safeguard themselves against cyber breach of their data/content?
According to Mr Kassim Walyaulya, an expert in the field of enterprise IT management, monitoring and security, some companies have for long relegated the cyber security and related issues to the periphery. This needs to change!
It is becoming increasingly difficult to ignore technology, given its function in enabling or easing processes. For example, companies will always be looking out for quicker, safer and flexible ways of either getting products to their customers or when receiving payment for their services.
This may seem as an obvious thing to do but for financial services providers such as banks and network solutions providers such as a telecommunications company, this is crucial because so much is at stake in terms of data, content and finances.
In this case, the bank and the telecom company will need to outsource an aggregator to secure safe and robust interaction between themselves to render proper services to clients.
“When this happens, it is critical that all the parties involved commit to ensuring data confidentiality, integrity and guaranteed availability,” Mr Walyaulya said in an interview.
He continues: “Failure on anyone’s part will result in the whole deck of cards falling apart.”
Mr Walyaulya further notes that organisations must set a standard for data security and maintain it for all parties. This should be beefed up with rigorous audits particularly of the people interfacing with the software, processes and technology for all the players involved.
Nothing should be cast in stone; the standard should evolve as this is all happening in a volatile digital space where new ways of breaching are being discovered day in, day out.
For banks and telecommunications companies, regulators will have to earn their pay by ensuring confidentiality, integrity and an availability clause as committed to by all the players involved.
The cyber security expert is also of the view that there is no sector that is safe from dangers or threats posed by the cyber space.
The only safe ones are those that don’t embrace technology. However, this is unlikely because trends suggest that organisations that do not embrace technology may be headed for self-destruction.
SMEs and cyber-threat
According to the executive director for the Federation of Small and Medium-Sized Enterprises Uganda, Mr John Kakungulu Walugembe, the sector he advocates for which is also one of the largest economic segments, is the most affected with cyber- threats and attacks. This may be directly or indirectly. But the biggest victims are the SMEs.
He says: “SMEs keep money with those institutions whose platforms are attacked. We also have data that we need to be sure is protected because it is private and confidential information. So if these are not guaranteed, then it is going to be hard for SMEs to partake or engage with the system.”
He continues: “Such attacks if not contained, undermine investment just like how lack of security in the country can jeopardise or prevent investors from investing here.”
Going forward, cyber-security must be prioritised because it determines whether an SME will invest in digitisation of data or not.
According to cyber-security experts, regular audits should expose the potential for a breach.
For example, a 360-degree audit would cover people (staff in all the companies involved in the delivery vehicle of the service), processes (such as looking at number of new Sim card owners in a month and verifying them, looking at the documents that were used for the registration process among others) and then the technology: Is it the right technology solution that can alert you of a breach in real time?
No matter the business you are involved in, you should use up-to-date data encryption, data back-up, and firewalls and anti-malware software. Implementing this alongside thorough and ongoing employee education on cybersecurity is one way of ensuring that the threat of cyber-attacks never becomes a fixture in your organisation.
As companies struggle with the growing threat of cyber crime, they must worry about their own employees who pose another security threat. Studies indicate that employees are the most common cause of data breaches as many don’t recognise external threats when they occur or have a good understanding of the daily actions that leave a company vulnerable to a cyber-attack.
For example, the UK Cyber Security Breaches Survey 2018, carried out by the UK government and Portsmouth University found that 43 per cent of UK businesses have experienced a cyber-security breach or attack over the last 12 months, with only 20 per cent of UK companies offering training to staff within the same time frame.
Such breaches were more common in businesses in which staff members use their personal devices for work. Businesses need to ensure sufficient security training and education for staff remains a key focus.
Where to begin
Mr Emmanuel Chagara, an ethical hacker and chief executive officer at Milima Security, says it is detrimental when Organisations focus more on the technology and ignore the human resource.
“People who are not ethical, people who are not trained and monitored will always be the biggest threat to the system,” he explains.
For any company to be resilient against a cyber threat, it must employ a multi-faceted approach which entails both human resource training and technological investment.
Research conducted by the firm last year found that Uganda had only 400 security professionals, which highlights the deficit in required man power.
He emphasized the need to train staff beyond those in the IT department on cyber security as well employing monitoring systems.
Research has also shown that the most common cyber-crime experienced in the UAE in 2017 was malware infection, which accounted for 53 per cent of all cyber- attacks.
However, the underlying concern of investing in technology and upgrades remains a hindrance for some businesses.
According to experts, businesses can employ a model of reducing costs of cyber security by employing shared infrastructure. For instance, using cyber security as a utility like Umeme, that you can use as much as you can in terms of risk based functionality that you have.
Even with the safest systems and elite staff, hackers with increased sophistication are chanced to break into companies. So, insure your business against cyber threats.
Mr Paul Kavuma, chief executive officer, Uganda Insurers Association (UIA) says insurers offer cyber insurance which combines insurance protection and risk management tools with access to independent experts that help in the event of a breach.
“These experts include forensic, legal and communication experts. We help businesses safeguard against data breaches,hacking, computer viruses and identity theft,” he says.
Mr Kavuma advises that as the industry continuously innovates with technology, they should also stress test their cyber resilience as insurers and develop policies and procedures to mitigate such risks.
How the hack happened
MTN has an account at Airtel and vice versa all of which are housed at Stanbic bank. In between is Pegasus which facilitates transactions across the two telecoms. When money is being transferred from MTN to Airtel, it is debited from a customer’s account. Pegasus then technologically reaches out to Stanbic to pay out money from the MTN account in Airtel and instructs it to pay the Airtel subscriber. It is believed hackers took over the system and instructed the bank to pay out money to about 2,000 simcards.
While the companies cover themselves with high-end technology to protect their systems, experts say some third parties which are smaller than their customers do not invest as much in their own security which creates vulnerability in the link.
Who are they?
Some banks and telecoms are interlinked through aggregators while others are linked directly to telecoms through open application programme interface.Uganda has about six aggregators including Pegasus, Beyonic and Cellulant among others that interlink systems of banks, utility companies, transport companies and telecoms. Aggregators facilitate a transaction from the bank to the phone, for instance, buying airtime or paying school fees similarly aggregators facilitate operations such as sending money across networks.
Tips for fighting cyber attacks
* Invest in 24 hour surveillance
* Ensure you have policies and clear responsibilities for staff
* Constantly invest in the latest technology as hackers also upgrade and update their software and skills
*Using old computer devices and outdated software opens the company up to technology breaches.
*Take action and not reaction