Most of the security issues faced within organisations may not necessarily be as a result of poor systems
4 years ago .
Managing cyber security as business risk
Most of the security issues faced within organisations may not necessarily be as a result of poor systems

By Cerinah Nalwoga

Africa is currently home to some of the world's fastest growing economies - coining the term"Africa is rising" to capture the positive economic outlook for the continent. According to the African Union Report for cybercrime trends, this has been thanks to the emergence of technology, the exponential growth of the internet and the spread of Information and Communication Technology (ICT) infrastructure with about 300 million users. 

However, statistics show that there is a correlation between economic growth and the rate of cyber-attacks. Uganda is currently facing several internet-related challenges aligned to security risk, intellectual property (IP) infringement and poor protection of personal data. In addition, the technical and the financial capacity required to combat cybercrime is not sufficient.

Majority of organisations in private and public sector currently view cyber security as an IT problem not business risk. Department heads focus on the efficiency for instance, IT departments solely focus on network and database infrastructure and upper level management focuses on corporate performance while neglecting the growing security needs within the organisation. Also, the public entities hold a wealth of government and citizen information to ensure service delivery meanwhile ignoring the prevalent threats this data is exposed to.

The above raises the question, who should be concerned? 

Most of the security issues faced within organisations may not necessarily be as a result of poor systems - organisations have established a number strong and well protected systems with the requisite security features, however, human error accounts for over 85% of the security threats in organizations. 

A number of employees who use computing devices in performance of their daily tasks are unaware of the possible risks they face being online. Through phishing, employees of an organization are easy can be targeted and used by the hackers to gain access to critical components of a network thereby compromising the whole organization. Furthermore, customer facing employees might compromise the company's network unknowingly by providing access to social engineers posing as maintenance workers or janitors.

"Rome wasn't built in a day" - the success of a business lies in its reputation and strong financial standing, which are built over a period. These can easily go down the toilet with just a stroke of a key by hackers, as they are constantly looking for the chinks in the armour with some of the following motives;

  • Some hackers are contracted by competing companies within the same industry to acquire information about upcoming products or services, Intellectual Property (IP), patents to gain a competitive advantage over their rivals.
  • For financial gain, hackers can make unauthorized transactions by breaching into financial institutions, steal money or information in a database and sell it to the highest bidder.
  • Hackers might manipulate critical data such as client and customer information, disrupt records or even add harmful code to the systems which upon execution, crashes with a purpose to sabotage the organisation. 

Using the organisation's information as leverage, hackers may extort the unsuspecting victims, milking thousands and manipulating them into whatever they want them to do. In May 2017, the world was hit by a ransom ware known as Wannacry which affected over 100 countries and left a significant number organisations across different sectors reeling. In the UK, Hospitals turned away patients and emergency services were re-routed, and business enterprises lost massive of money since the ransom demand was payment of over US$300 worth of bit coins per infected computing device. It was estimated that the total loss in an organisation amounted to US$4 billion. 

As the internet increasingly penetrates throughout the nation, and the number of smartphone devices connected online proliferates, there is need to take a risk based approach across the different departments in the organisation. 

Board of directors should take a lead role in mitigating cyber-attacks by implementing cyber policies in organisations and supporting their staff in acquiring security training. This will in the long run create a ‘cyber smart security culture' within the workforce and curb some of the threats within the organisation. Finally, citizens should be prudent enough to protect their personal identity and data stored on their devices. 

Writer works with Milima Technologies