By Rading Biko
Most African countries have weaker legislations and experts who can tackle the fight on cyber-crime. In 2016 most African countries lost close to $2 billion in cyber-attacks according to a new report.
Kenya recorded the highest losses of $171 million within East Africa region. Tanzania lost $85 million while Ugandan companies lost $35 million.
Serianu, an information technology services and business consulting firm, which published the Africa Cyber Security Report 2016 in conjunction with United States International University-Africa’s Centre for Informatics Research and Innovation, says Tanzanians lost most of their money through mobile money transfers.
“Most people in rural parts of Tanzania, we are witnessing a lot of SMS attacks; people receiving threatening messages, people losing money on their mobile phones. There are a number of people tricking people into sending money via mobile phones,” said William Makatiani, Serianu Managing Director.
The Africa Cyber Security Report 2016 ranks banking as the leading risk sector.
“The interconnection and complexity of modern banking systems has led to complex regulatory requirements, greater exposure to internal and external cyber security threats and concerns around data security and privacy across virtual borders,” says the report.
“The attack have gone up in 2016,with more advanced attacks in banks mostly perpetrated by insiders, raising the concern that the banking sector is unprepared to deal with insider threats. Other sectors that have attracted criminals are the government, telecommunications, mobile money services, Saccos, microfinance and co-operatives, e-commerce and online markets, utilities (energy, water and electricity), manufacturing, hospitality and other financial services such as insurance, investment and brokerage,” it adds.
Uganda experienced most email attacks
According to Makatiani Ugandans experienced the most spamming in Africa, and some of the emails which were harmful.
“There are many people filling your inbox with unnecessary mail so that out of five emails, only one is work related, the rest are junk mail, something that affects work efficiency. Some send links that when clicked can lead to getting hacked,” he said.
The report also cited a case in which 10 organizations in insurance, banking, government and financial services lost money through attacks on their computer networks.
These crimes are usually committed with the complicity of insider staff by hackers who capitalize on the weaknesses of the organizations’ ICT infrastructure and processes.
Most of the insider staff manipulate the target firms’ computers and capture customer account information that hackers then use to commit fraud.
“The malicious insider staff steal passwords and approve transactions and move money out very late at night. In one particular case, the companies involved lost $13.5 million,” said Makatiani. “In insurance schemes, when you have a life policy that is about to expire, the hackers change the beneficiary, so that when the pay-out is made, it does not go to the right person.”
There were cases between October 2015 and August 2016, hackers conspired with company insiders to install malicious keylogging and remote desktop software on computers dedicated to processing financial transactions.
The keylogging software was used to capture user keystrokes and send data (user account credentials, customer account information, e-mail and chat messages) to an external cloud infrastructure. Using these credentials, the attackers accessed the infected computers remotely and processed fraudulent electronic funds transfers, mobile and automated teller machine transactions.
Sacco’s new target for hackers in East Africa
The Savings and co-operative societies are increasingly are the new targets for cyber criminals as per the report.
“Saccos have over time relied heavily on manual transactional systems to run their operations, but, with the increase in transactional volumes, some Saccos have started investing in technology, by automating their processes without investing in anti-fraud systems; that is where the exposure comes in,” said Makatiani.
He said a typical small or medium enterprise in East Africa will have at least one or two of their systems fully exposed on the Internet, with the internal staff unaware of these vulnerabilities.
One of the findings that came out from the survey was that a majority of the organisations spent less than $5,000 annually on cyber security products while some had no budget and did not train their staff on cyber security.
“Organisations are making the wrong investments in security infrastructure and thus failing to anticipate, detect, respond and contain their cyber threats. What is more alarming from our analysis is the disparity between the cost of cyber crime and budget allocation to technology products,” Makatiani comment.
The report mentions the top cyber security issues in Africa as low awareness, increased insider threats, inadequate budgets and management support, increased Internet of Things threats and emerging technology and enterprise resource planning. Others are poor vulnerability and patch management, poor implementation of regulation and policies, cyber bullying and ineffective identity and access management practices.
Makatiani added that there is also a marked change in the number and type of software used to propagate the attacks, with the criminals increasingly using software that is harder to detect.
“A major challenge facing cyber security law enforcers is prosecution. In Kenya, only 3 per cent of reported cyber crimes were successfully prosecuted in 2016, as inadequate training and awareness among the law enforcement and judiciary officers make prosecution of these cases impossible,” noted Makatiani.
The rise and risks of Internet of Things(IoT)
There is high number of users on smart devices which carries associated risks, as they are poorly managed or configured, leading to the likelihood of compromise. Compromised IoTs have been used to propagate further attacks on the information technology infrastructure.
The pervasiveness of the Internet has introduced an online community via instant communication, one which endangers the lives of those exposed to it. The amount of personal information that Internet users publish on social sites has been used against them in cases of cyber bullying, stalking and harassment, with some cases leading to crimes such as kidnapping.
African organizations are implementing new technologies and automating their business processes without ensuring adequate security controls are in place. Most organisations do not have vulnerability and patch management programmes, weaknesses that lead to unpatched systems and insecure applications, exposing them to attacks.