In mid-June 2020, someone called requesting my help to recover his personal Gmail address, which had been hacked. You could hear the desperation in his voice on the other end of the call. He explained that since the coronavirus pandemic, board members had decided to send all official documents and board packs to several preferred email addresses of each board member.
“Can you recover my Gmail password and get it from the hackers? I am afraid they are going to see all the board papers and details, which will be catastrophic,” he said.
Any victim of cybercrime needs their service restored as soon as possible. But it is not that easy. One must have practiced appropriate cyber hygiene to make the process easier. Online privacy and security are top priorities for tech providers like Google, Apple, Facebook, Microsoft, and others. Many now provide multi-factor authentication. On any social media account or cloud email service, you will find two-factor authentication available. However, the individual user must take an interest in their security settings and enable these features within their profiles for improved security and protection against hackers.
Few people make use of the security features available on many online platforms like Gmail. People rarely set up two-factor authentication, which also facilitates password recovery via a code sent to their mobile phone.
Failure to implement such setups makes it easy for hackers to exploit their accounts quickly.
When the Institute of Certified Public Accountants of Uganda invited me to speak to its members about cybersecurity on 29th July 2020, I was elated. Accountants are custodians of financial resources. As ICT infrastructure spending on both hardware and software increasingly takes the lion’s share of the budget, accountants and finance officers must understand how to optimize the investment as well as protect the asset from loss due to cyber breaches and from becoming outdated due to poor technology or software investment choices.
Below is a summary of my presentation to accountants about cybersecurity.
1. Security is everyone’s responsibility.
2. In the next two hours, you are going to learn about why cybersecurity matters to you, the common attack vectors in Uganda, and the next steps. You will see a live demo of the keylogger, phishing, and other common security breaches.
3. To understand the profile of the members on this webinar, please take one minute to complete this quiz: https://www.summitcl.com/cyber-hygiene-2020/ How much do you estimate Uganda loses annually to cybercrime incidents? Below are the results of the attendance survey taken during the webinar. About 250 people attending the live webinar completed the survey. The results are in Figure 1 and Figure 2. Figure 1 shows that 64% of the members are managers, and 10% are at the shareholder or founder level, making this the right audience, since a cybercrime plan must be driven from the top, just like all other critical initiatives. In Figure 2, about 43% of the members indicated they do not know the cost of fraud, and 27% reported that the loss due to cybercrime is less than Ugx. 5m (about US $1,370). The challenge with cybercrime incidents is that, like rape, many victims prefer to keep quiet and not report anything at all. Also, many companies lack mechanisms for cybercrime reporting, so people fail to understand the problem of fraud.
4. The worst problem is the one you do not recognize. You cannot treat an illness you do not know you have. And that is what makes cybercrime a problematic monster to manage.
5. You must be concerned about cybercrime regardless of your profession. The average cost of cybercrime incidents to organizations is US $13.0m globally as of today. The average cost of a single phishing incident is US $17,700; compare this to the average cost of a single bank robbery/theft incident, which is just US $8,100.
6. According to the Uganda police cybercrime report, there were 248 cybercrime cases in 2019, leading to an estimated loss of Ugx. 22.4 billion, compared to 2018, when there were 198 cases with a total loss of Ugx. 610 million. The average cost per case continues to rise tremendously due to increasing attack vectors and the sophistication of cybercriminals.
7. In Figure 3, electronic fraud accounts for over 68 cases. These are expected to continue rising.
8. Listen to the complete presentation below. You will also watch the demo.
9. To download the PPT: ICPAU-Cybersecurity-IT-Risks-Webinar.pdf
10. The second short survey, which was not answered due to time, is at Link to the Survey. I request that you take a few minutes and complete this survey now.
After the presentation, members asked many questions. These are detailed below:
With the threat of cybercrime (to businesses), it is clear there needs to be a shift in the conversation if any real improvements are to take place. But what happens if questions about cybersecurity are not raised? Do businesses need to have trained (and designated) information security experts as part of the staff, or is a third-party trusted information security and risk advisor adequate? Asked by Ajionzi Maurice
Many companies now focus on board diversity in terms of skills. Boards have a slot for cybersecurity professionals. Where this is not possible, boards have the option of a technical advisor who may be co-opted onto the board to help with matters to do with ICT investment and cybersecurity. Besides, many companies now have expert advisors who guide EXCO as independent experts, complementing the internal ICT team. Simply put, consider:
- a) Employing an Information Security Expert on a retainer (independent of the organization’s staff), or
- b) Working with trusted information security & risk advisors, through security as a service.
For detailed questions and answers
Copyright Summit Consulting Ltd, 2020. All rights reserved.