An expert study on the status of cyber-security reveals wide-ranging levels of vulnerability at leading organisations that handle large volumes of personal data.
The study, done over the last two years by Peter Bill Kisitu, a cyber-security analyst and researcher at BitSight, a cybersecurity and rating company, features banks, telecom companies and state departments.
The survey, undertaken between October 2020 and August 2022 on 31 organisations, mostly in the financial sector, aimed to gauge their efforts in protecting their information and the information of their clients. Of the 31, none had a completely secure cybersecurity system in place, although some scored 80 per cent and above, with Uganda Revenue Authority leading with 97 per cent.
The vulnerability of an organisation is the number of successful attempts to breach the cybersecurity system, compared to the total number of attempts. Kisitu says many Ugandans have fallen victim to cyber-attacks but only those who are brave enough can confront the banks or telecoms to get their money back.
The score is partly determined by how swiftly the organisation responds to a detected attempt and how successfully it is thwarted, according to Kisitu, giving an example of how fast URA responded to a counterfeit portal that had been opened to defraud taxpayers.
“Banks have not given this problem the attention it deserves because many attacks go unreported, yet this usually leads to credit risk,” he says. However, he adds, many financial institutions either take too long to react or make no effort at all.
Kisitu says that when an organisation’s system is not secure, this can also put the customer’s systems at risk when the two come into contact, including by mere exchange of emails. To counter this, a person or organisation dealing with such companies is required to always take extra care, especially where the system does not warn users before they use it.
However, even the company itself must keep checking for loopholes in its systems and do due diligence on the others with whom it is doing transactions. According to Kisitu, a company’s effort at preventing infiltration is important because the police, the enforcement agency of cyber laws, is itself one of the most vulnerable.
In the case of MTN, the report shows that the biggest mobile telecom company in Uganda by subscriber base has not done enough to prevent attacks, both by external and insider perpetrators.
It says MTN should have by now learnt from the 2020 break-in, which investigators have concluded was done with the help of an employee.
But the main concern for Kisitu is the failure of MTN to prevent sharing of files, especially media files, between the employees and customers, since both are allowed access to the same network. As a result, virus and botnet infections are alarmingly high on the MTN network, according to Kisitu.
“Surprisingly, the organizations that hold the most sensitive information are the ones making the least effort to secure that information.”
Of the banks looked at, it was found that the central bank had some security weaknesses in protecting the information of its employees. The report shows, for example, that in April 2021, www.archive.bou.or.ug had an expired security certificate, putting all the information in the digital archive at risk.
A website security certificate helps to encrypt information exchanged between the server and the user. Bank of Uganda, which scored 78 per cent in the study, could not give a response to the query put to management a week ago, as they were still scrutinizing the claim.
In the same period, the study notes, Stanbic Bank had two expired security certificates “and this went on for 13 months demonstrating a high level of negligence!” DFCU servers were also found to be highly vulnerable to attack, but no effort was made to reduce the risk of attack, probably due to using older legacy encryption.
Giving the example of the Kenya election and the security of the electoral system servers, Kisitu says any system can have attempts at breaching it, but it is up to those in charge to rectify the problem before much damage is caused.
MTN refuted the claims in the report about its security system, adding that the company has never faced any data breach to its customers or its corporate information.
Rhona Arinaitwe, Senior Manager of Communications at MTN, defended the company, saying it has a robust ISO-certified security framework, and that it regularly undergoes cybersecurity testing audits on penetration and vulnerability.
“It is not factual that there was any insider threat management failure. MTN Uganda also has in place a Data protection and privacy framework to ensure the protection of customers’ data to remain compliant as an accountable party with the Data Protection Office of NITA,” Arinaitwe says.
Kisitu says there is a need for them and other organisations concerned to educate the public about matters of cybersecurity because many incidents occur due to the lack of awareness. Others do not know what to do when they notice that they are victims of the crime, especially when organisations, mainly banks, refuse to divulge information on a breach for the sake of their image.
If my credit card credentials are used to do online shopping, and then I prove that I didn’t do the shopping in question, then the bank has a credit risk.
“This partly explains why URA is on top of the list because the mean-time to detect a problem and the mean-time to resolve that problem are some of the tools of evaluating security performance,” the report says.
However, it does not say the same for Stanbic Bank, the biggest in Uganda in terms of customer base.
“Around the same time, 96 websites resembling the official Stanbic bank website were discovered. The official Stanbic website is www.stanbicbank.co.ug. The cyber squatters set up websites such as www.stanbicbank.coa.ug, www.ctanbicbank.co.ug, www.stanbacbank.co.ug etc.
Thirty days later these fake websites were still active, laying a trap for Stanbic customers, yet it takes only five minutes to make a take-down request to the registrar of domain names or other internet authorities.”
For most of 2020, the website of the National Information Technology Authority had an expired security certificate while the ministry of Finance used a free security certificate.
Kisitu also advises organisations to hire cybersecurity professionals, saying that instead, they are hiring IT experts, yet the two are different. He says with the evolution of digital technology, there is software that can easily help one to detect a loophole.
Cyber-security is an effort that is undertaken to delay, detect or deter a cyber-attack, any unauthorized access to an organization’s information or the information of clients which is stored digitally or electronically.