Cyber criminals bleeding Africa’s financial institutions dry

Tuesday January 03 2017

Researchers say most cyber fraud is being abetted by staff of organisations working with hackers who steal passwords and other important information to help them commit crimes. Photo: Fotosearch

African countries lost at least $2 billion in cyber attacks in 2016, a new report claims.

In East Africa, Kenya recorded the highest losses — $171 million — to cyber criminals. Tanzania lost $85 million while Ugandan companies lost $35 million.

Serianu, an information technology services and business consulting firm, which published the Africa Cyber Security Report 2016 in conjunction with United States International University-Africa’s Centre for Informatics Research and Innovation, says Tanzanians lost most of their money through mobile money transfers.

“In places like Tanzania, deep in the rural areas, we are seeing a lot of SMS attacks; people receiving threatening messages, people losing money on their mobile phones. There are a number of people tricking people into sending money via mobile phones,” said Serianu managing director William Makatiani.

The Africa Cyber Security Report 2016 ranks banking as the leading risk sector.

“The interconnection and complexity of modern banking systems has led to complex regulatory requirements, greater exposure to internal and external cyber security threats and concerns around data security and privacy across virtual borders,” says the report.


“In 2016, we witnessed more advanced attacks in banks mostly perpetrated by insiders, raising the concern that the banking sector is unprepared to deal with insider threats. Other sectors that have attracted criminals are the government, telecommunications, mobile money services, Saccos, microfinance and co-operatives, e-commerce and online markets, utilities (energy, water and electricity), manufacturing, hospitality and other financial services such as insurance, investment and brokerage,” it adds.

Complicity of insider staff

Mr Makatiani said Ugandans experienced the most spamming in Africa, and some of the emails were harmful.

“There are many people filling your inbox with unnecessary mail so that out of five emails, only one is work related, the rest are junk mail, something that affects work efficiency. Some send links that when clicked can lead to getting hacked,” he said.

The report cites a case in which 10 organisations in insurance, banking, government and financial services lost money through attacks on their computer networks.

The crimes are usually committed by hackers who, with the complicity of insider staff, capitalise on the weaknesses of the organisations’ ICT infrastructure and processes.

The insider staff manipulate the target firms’ computers and capture customer account information that hackers then use to commit fraud.

“The malicious insider staff steal passwords and approve transactions and move money out very late at night. In one particular case, the companies involved lost $13.5 million,” said Mr Makatiani. “In insurance schemes, when you have a life policy that is about to expire, the hackers change the beneficiary, so that when the pay-out is made, it does not go to the right person.”

In one case, between October 2015 and August 2016, hackers conspired with company insiders to install malicious keylogging and remote desktop software on computers dedicated to processing financial transactions.

The keylogging software was used to capture user keystrokes and send data (user account credentials, customer account information, e-mail and chat messages) to an external cloud infrastructure. Using these credentials, the attackers accessed the infected computers remotely and processed fraudulent electronic funds transfers, mobile and automated teller machine transactions.

Unaware of vulnerabilities

Savings and co-operative societies are increasingly being targeted by cyber criminals.

“Saccos have over time relied heavily on manual transactional systems to run their operations, but, with the increase in transactional volumes, some Saccos have started investing in technology, by automating their processes without investing in anti-fraud systems; that is where the exposure comes in,” said Mr Makatiani.

He said a typical small or medium enterprise in East Africa will have at least one or two of its systems fully exposed on the Internet, with the internal staff unaware of these vulnerabilities.

One finding of the survey was that a majority of the organisations spent less than $5,000 annually on cyber security products, while some had no budget and did not train their staff on cyber security.

“Organisations are making the wrong investments in security infrastructure and thus failing to anticipate, detect, respond and contain their cyber threats. What is more alarming from our analysis is the disparity between the cost of cyber crime and budget allocation to technology products,” said Mr Makatiani.

The report cites the top cyber security issues in Africa as low awareness, increased insider threats, inadequate budgets and management support, increased Internet of Things threats and emerging technology and enterprise resource planning. Others are poor vulnerability and patch management, poor implementation of regulation and policies, cyber bullying and ineffective identity and access management practices.

Mr Makatiani said that there is also a marked change in the number and type of software used to propagate the attacks, with the criminals increasingly using software that is harder to detect.

“A major challenge facing cyber security law enforcers is prosecution. In Kenya, only 3 per cent of reported cyber crimes were successfully prosecuted in 2016, as inadequate training and awareness among the law enforcement and judiciary officers make prosecution of these cases impossible,” said Mr Makatiani.

Risks of Internet of Things

Increased use of smart devices carries associated risks, as they are poorly managed or configured, leading to the likelihood of compromise. Compromised IoT devices have been used to propagate further attacks on the information technology infrastructure.

The pervasiveness of the Internet has introduced an online community via instant communication, one which endangers the lives of those exposed to it. The amount of personal information that Internet users publish on social sites has been used against them in cases of cyber bullying, stalking and harassment, with some cases leading to crimes such as kidnapping.

African organisations are implementing new technologies and automating their business processes without ensuring adequate security controls are in place. Most organisations do not have vulnerability and patch management programmes, weaknesses that lead to unpatched systems and insecure applications, exposing them to attacks.