War on cybercrime goes beyond creating awareness

Tuesday September 12 2017

Companies must more than ever be on the lookout for cybercriminals, who are becoming smarter by the day. Some companies are testing their employees by sending them infected links to see how they will react.

The risk posed by cybercrime is rising by the day with company boards now placing it high on their agendas. A number of attacks that occurred in the past make it the next most serious threat to business.

What is emerging is that companies are struggling to turn general awareness and concern into effective action in the face of pacy uptake of technology in transactions.

A report by the Institute of Chartered Accountants in England and Wales (ICAEW) has given updates on previous years’ insights and offers recommendations for companies’ boards on why cybersecurity should be high on their to-do lists.

It recommends cybersecurity training for staff, as criminals are now targeting workers to provide unauthorised access to data.

Accidental loss of confidential company information is a result of workers’ actions such as clicking on infected links.

“Until businesses get better at linking cyberrisks with business objectives, and attaching real consequences to non-compliance with expected behaviours, cybersecurity training and campaigns are unlikely to have the desired impact,” the ICAEW report said.


The UK-based accountancy and finance body’s report said that while training and awareness-raising activities are important, they are only part of the wider picture.

Leading businesses recognise that good cybersecurity behaviour is a matter of organisational culture, meaning that security is integral to the values and goals of the organisation, with strong leadership at the heart of this cybersecurity culture.

It said a good culture is reflected in responsibility for and ownership of cyberrisks. This should be spread across an organisation and not limited to IT or specialist functions.

On May 12, a worldwide cyber offensive targeted a number of organisations and around 19 companies in Kenya were affected, according to Kenya’s national Computer Incident Response Team (CIRT) report.

A ransomware note, written in different languages, demanded $300 (Sh30,900) to $600 (Sh61,800) from the victims to decrypt their files.

Infection cases were detected in multiple countries worldwide, including the UK, where several medical institutions were hit, Russia, where governmental offices were affected, Spain, Germany and China.

The massive attack affected health, government, industry, transportation, communications and financial institutions among others.

According to the reports, more than 200,000 systems worldwide were hit.

However, it appears that only one of every 1,000 victims paid the ransom to the attackers.

Two weeks ago, there was an intercepted hack on Kenya’s commercial banks’ inter-bank transfer platform, PesaLink.

Luckily, the authorities said neither cash nor customer data were lost.

The Kenya Bankers Association (KBA), which owns the platform, reported the attack to the Central Bank of Kenya (CBK).

The hacking discovery came as Kenya Commercial Bank (KCB) customers remained out of the PesaLink service for a couple of days in what the lender attributed to an ongoing upgrade of its software.

The accountants’ report has recommended behaviour change. ICAEW said there is a need to encourage employees to change passwords often, stop inserting infected USBs into company machines, and lock computers when they leave their desks.

An interesting bit in the report showed how some companies are testing their employees by sending them infected links to see how they will react.

Offering specific training to employees handling data (customer data and financial data) is highly encouraged.

“If companies cannot keep their goods and customers safe, their ability to trade successfully will ultimately be diminished,” said ICAEW.

“While a digital infrastructure underpins the activities of most businesses today, many organisations only consider cyberrisks as an afterthought,” said ICAEW.

Similarly, companies’ boards should consider hiring the correct skills: boards should get the basics of cyber right by getting the right IT-skilled people on their teams. And on the organisational culture, if the board and C-suite staff have an understanding of cybersecurity and take time to emphasise it, employees will also start to care.