Cyber criminals now targeting SMEs - report

A new report has noted an increase in cyber-attacks on operations of small and medium sized, indicating a shift in which cyber-attacks had mainly been reported by large companies. 
The Cyber Security report authored by Summit Consulting highlights actual and attempted attacks, especially on small and medium enterprises. 
Mr Mustapha Mugisa, the Summit Consulting team leader, noted that cyber threat and attacks have spread, which creates an immediate need for SMEs to create protection walls. 
“While many SMEs, the newer ones, especially, have started undertaking regular digital risk assessments, many have [or don’t] do anything,” he said, noting majority of SMEs are currently struggling to put in place basic cyber security.  
“Our experience reveals that the most vulnerable organisations are players in the financial services sector specifically microfinance institutions, Fintech service providers, and telecoms,” he said.
The report also noted there has been less reporting on cyber-related losses although, 502 respondents, who were approached in the report, noted an increase in both threats and attacks. 
“Many cyber security breaches in Uganda and the EAC region at large are kept under the table, unreported, or oftentimes unsolved,” Mr Mugisa said, but did not explain why they are not reported.  
The Uganda Police annual crime report for 2019, reported a total of 248 cybercrime cases during the year compared to 198 cases in 2018.
These resulted in theft of Shs11.4b, of which Shs51.8m was recovered.
However, Mr Pius Babyesiza a Proactive Forensics, Security & Anti-fraud professional, said many organisations remain silent after hacking to avoid further exposure. 
“No financial institution would want a news headline that it has been hacked and all customer records and bank account details exposed,” he said. 
Recently, a cyber-attack incident was reported involving MTN, Airtel, and Stanbic Bank, in which it was reported that billons of shillings had been stolen. 
Such news, he said, cause panic and might instead turn more problematic. 

Accessing cost  
According to Mr Pius Babyesiza, many companies lack standard approach for accessing cyber breach loss, especially when no direct cash has been lost yet any cyber incident leads to both direct and indirect costs. 
“When money is transferred from customers’ bank accounts, and withdrawn by the criminals, that represent a direct loss. But the bigger loss is usually the indirect one in terms of time wasted in crisis management, post-incident investigation costs, and overall lost productivity due to incident response.”
In 2019, Summit Consulting handled 451 national and regional cyber security cases spread over 204 clients, of which 40 per cent were assignments that other firms outsourced.