How Business Owners can fight Back against Cybercrime against them

The digital age has brought with it both the pros and cons of success in business, which much needed in any Small and medium sized enterprises (SME). Most SMEs use the digital space to boost their daily output; from advertising, marketing, customer relations, seminars, business transactions among others. Unfortunately, Cybercrime and fraud has been rampant in the country with a number of entrepreneurs reporting several losses in product and customer fall outs. With such uncertainties as we foresee the Techno-future, SMEs need to have a fighting back strategy against cybercrime and fraud.

State of Cybersecurity in Kenya.

Kenya reported six million cyber-attacks in 2019 targeting both government and private institutions, according to the annual report presented in Parliament. The report on the state of national security indicated that during the year under review, the key cyber-crime incidents witnessed include SIM swap, unauthorized intrusions into IT systems commonly known as hacking, insider threat and identity theft and web application attacks.

Also Read:

1. Why MSMEs are still winning in the Kenyan Economy
2. Advice for small businesses to succeed in the new financial year
3. “SMEs are still prime but not yet protected” – Experts say.

The report tabled during President Uhuru Kenyatta’s State of the Nation address showed that majority of the cybercrime during the period under review was motivated by financial gain. According to the report, the vice is prevalent within key government ministries, departments and agencies (MDAs), savings and credit cooperative societies, banks and telecommunication service providers.

The President noted that a total of 1,203 cases were examined at the DCI Digital Forensic Laboratory compared to 992 cases received in 2018, representing an increase of 280 cases attributed to the emerging digital trends and transnational nature of crime.

“During the period under review, the country made remarkable stride in Information, Communication and Technology (ICT) sector amidst invariable rise in cyber-crime and online fraud cases,” read the report.

The report indicated that a total of 360 cybercrime cases were presented in courts during the year under review while there were 50 other on-going network forensic investigations at the Kenya Ports Authority (KPA) offices in Mombasa and KRA offices in Nairobi and Mombasa. The report noted that underlying factors such as limited human and capital resources such as forensic tools used at the laboratory have largely affected the government effort in combating cybercrimes in the country. The complex and trans-national nature of cyber-crime have also hampered the enforcement of the law at the national level.

With new technology and increasing Internet connectivity and activities, hackers are working round the clock to trap unsuspecting Internet consumers. As a result, information sharing has increasingly impacted our daily lives, improving communication networks across the country. While some Kenyan SMEs prefer accessing their accounts directly using mobile data bundles, others use their company’s Wi-Fi, which is a bit secure compared to public Wi-Fi.

1. The implemented reprieve

On 16 November 2020, Immaculate Kassait former IEBC director in-charge of voter education and partnerships took her oath of office as Kenya’s first Data Protection Commissioner. This marked a great milestone in the history of Kenyan legislation with the enactment of the long-awaited Data Protection Act, 2019. Over the years, Kenya had no law that focused on incidents of cybersecurity but depended on the Kenya Information and Communication Act of 1998 (KICA) which included cybersecurity-related provisions that prohibited various actions that would threaten cybersecurity.

These provisions prescribed criminal penalties for the same, ranging between a fine of Sh200, 000 to Sh1 million and/or a jail term of up to five years. Although KICA provisions were useful in the war against cybercrime, ICT experts said a lot needed to be done at the legislative and policy levels to help stem the tide of cyberattacks. The bill, gazetted in 2016 proposed to consolidate the law on cybercrime and to establish the National Cyber Security Response Unit, a governmental agency that will have powers to investigate incidents of cyberattacks.

As a result, data controllers and processors were unable to fully comply with certain obligations under the Act, such as the requirement to register with the Data Commissioner, conducting a Data Protection Impact Assessment, or approval of safeguards prior to any cross-border transfers. The appointment of Kassait marked the start of a long and complicated journey in enforcing these data protection principles.

2. Data Protection Act, 2019.

Section 8 of the Act sets out the functions of the Data Protection Commissioner including overseeing the implementation of and be responsible for the enforcement of the Act. Others are establishing and maintaining a register of data controllers and data processors, exercising oversight on data processing operations, either of own motion or at the request of a data subject, and verifying whether the processing of data is done in accordance with the Act. Also included are carrying out inspections of public and private entities with a view to evaluating the processing of personal data, promoting international cooperation in matters relating to data protection and ensure country’s compliance on data protection obligations under international conventions and agreements.

Another function is undertaking research on developments in data processing of personal data and ensure that there is no significant risk or adverse effect of any developments on the privacy of individuals are also among the functions.

3. The ground scenarios.

Despite this, cyberattacks continue to plague many business enterprises across the country. Many banks are grappling with online hacking that is estimated to cost the economy billions of shillings each year. But it’s not banks alone that should be worried. Cybercriminals are spreading their tentacles to all facets of our digital life.

Kenya reported more than 56 million cyber threats for the quarter ended December 2020, according to the latest Communication Authority (CA) data. This is a 59 per cent increase from 35.2 million threats detected in the previous quarter. Malware attacks were the highest at 46 million, followed by web application attacks at 7.8 million while 2.2 million Distributed Denial of Service (DDOS) out of the threats detected by the National Computer Incident Response Team Coordination Centre. The increase in cybercrime was recorded in the wake of the Covid-19 pandemic which saw many people operate online and increased uptake of e-commerce.

According to global cybersecurity firm–Kaspersky, Kenya is among African countries facing a possible increase in cybercrime in 2021, amid economic uncertainty occasioned by the Covid-19 pandemic. While the increase in these crimes will vary by country, African nations must prepare themselves for the inevitability of increases in malware that already topped 28 million by August last year, according to Kaspersky research.

Kaspersky security solutions in September reported 28 million malware attacks in 2020 and 102 million detections of potentially unwanted programs (pornware, adware among others), where South Africa, Kenya and Nigeria were the most affected. This led to Kenya being among the top 10 countries in the continent with the highest number of people exposed to cybercrime.

How SMEs Can Win Against This Economic Pitfall.

According to the Telegraph, for small and medium-sized businesses one of the biggest challenges is maintaining a secure IT network even while they expand and explore innovations. While it is the larger corporate security breaches that hit the headlines, the reality is that smaller-scale attacks are wreaking havoc daily on smaller businesses. But policy is only one step that businesses can take to protect their network. Here are five additional ways that businesses can improve the security of their network in the digital age.

• Train employees in cyber security

Understandably most people associate cybercrime with malicious attackers. To tackle the problem, new employees (including contractors and third-party users) need to be made aware of any corporate security policies as part of their induction process while refresher training should also be given to existing staff to keep them up to speed on cyber security issues. Particularly concerning for employers are phishing scams, with employees inadvertently downloading malicious attachments in emails that can put malware on to a device. This gives attackers a foothold in the organization from which they can move in search of valuable information. Many companies now send out mock phishing emails to make employees aware of any potential risk.

Malware can also be transferred to a corporate system through removable media such as a memory stick or the direct connection of a smartphone via a USB port.

• Keep all devices updated

Undoubtedly one of the greatest cyber security risks for businesses is not keeping their IT networks completely updated. Businesses should regularly update their computers, including desktops, laptops and mobile devices, making sure operating systems and web browsers are up to date, as well as installing firmware updates on hardware such as printers and scanners, to protect against the latest threats. If employees are using mobile devices for work, these should also be updated, including any security apps. Ignoring updates essentially leaves cracks in your defense system that can be exploited by hackers.

Also Read:

1. Here’s how Business Owners will benefit in a Savings Culture
2. How SMEs can avoid being caught up by the ‘Tentacles of CRB’.
3. The Masked truth behind Crypto heist in Poly Network as investors wail.

• Install a virtual private network

In an era where employees routinely use their own smartphone or laptop to access their work server from anywhere, installing a virtual private network (VPN) can help to make a network much more secure. Like firewalls, VPNs protect computer data when employees are online by creating a safe and encrypted connection over a less secure network, such as the internet – something particularly useful for employees who use public Wi-Fi in places such as coffee shops or airports. They are becoming increasingly commonplace, with packaged products from well-known cyber security companies giving credibility to a technology that can appear obscure to those not in the know. Another advantage is that VPNs can be used to view websites and use services that are restricted in certain regions, another annoyance for staff that travel regularly.

• Secure business Wi-Fi

An insecure Wi-Fi connection can provide an easy route in for hackers to access a business network. Businesses should secure their Wi-Fi so only employees can access it, ideally without them knowing the password. If you want open Wi-Fi for customers to use, it is best to use a separate network. Guests should not have the same Wi-Fi access as employees to help stop unknown people from accessing files. Finally, all internet-of-things devices that can access the network via Wi-Fi should be secured. According to business internet service provider Beaming, building control systems and networked security cameras are some of the most commonly targeted devices, attracting more than two in five (41pc) cyber-attacks.

• Manage user privileges

Businesses need to determine what rights and privileges users need to perform their duties, making sure higher-level system privileges are carefully controlled and managed. As well as individual logins for employees whenever possible, redundant accounts (including those of former staff members) should be removed immediately. Weak, easy-to-guess or shared passwords are a classic vulnerability. One option is to use a password manager tool to generate unique passwords and securely store your logins, so employees do not have to worry about writing them down or forgetting them. For some accounts it may be appropriate to have additional password protection, such as a code or token (known as two-factor authentication). Biometric authentication technology, such as fingerprint readers, are becoming increasingly widespread to secure devices.

With that in mind among many other precautionary measures SMEs can implement, it would be time to reconsider the drawing board for your business. Why the technology in place is efficient, and if not why it is in place like it is. Digital innovation continues to change every business. Understanding the threats and the opportunities is essential to stay ahead of your market.

Mombasa, Kenya.

Do you have a groundbreaking story you would like us to publish? Please reach us through our email news TIPS to news@msamag.com or WhatsApp +254712410460. You can also subscribe to get the latest news article on this www.msamag.com