According to a new report, Tanzanians across the board lost US$85 million from the attacks by digital criminals in 2016. In a related development, software giant Microsoft says the country is one of the top targets for cyber-terrorists, technology spies, hackers and digital fraudsters in the world.
The about 187bn/- loss at the current market exchange rate was mostly incurred through mobile money transfers. More Tanzanians are today using digital money platforms than ever before with the value of electronic payment services soaring by over 220 per cent in four years to reach nearly 90trn/- in 2015.
According to the Bank of Tanzania (BoT) figures, mobile financial services amounted to almost 43trn/- and SMs banking close to 2trn/- during the period.
“In places like Tanzania, deep in the rural areas, we are seeing a lot of SMS attacks; people receiving threatening messages, people losing money on their mobile phones,” said William Makatiani, the managing director of Serianu – the cyber security management service company that produced the report.
“There are a number of people tricking people into sending money via mobile phone,” he adds.
The report has it that mobile money in Tanzania experienced numerous attacks through social engineering, use of malware and account impersonifcations. As one of the alternative channels for most banks, it explains, hackers are now exploiting the weak security controls around the mobile money platform to steal millions of dollars.
Titled: Tanzania Cyber Security Report 2016 - Achieving Cyber Security
Resilience: Enhancing Visibility and Increasing Awareness, the study comprises technical findings from analysis of over 1.6 million publicly accessible IP addresses and 138,000 network security events.
Among its authors is Robert Matafu of Kabolik Company Limited of Kijitonyama in Dar es Salaam who says that one of the most critical challenges facing Tanzania is the lack of awareness amongst technology users. According to him, many of these users – mostly customers and employees, have little knowledge of the level of risk they are exposed to.
In the foreword to the report, Matafu says that as more and more Tanzanian organisations move to digitise their business processes and connect to the Internet, the potential of cyber attacks has risen across the country. This requires more capacity on the part of these organisations in being able to anticipate, detect, respond and contain (ADRC) such attacks, he argues.
Unfortunately, he adds, many mid-sized businesses in Tanzania lack these controls and will have at least one or two systems exposed to the Internet with little or no security to prevent an attack.
“We have estimated the cost of cybercrime in Tanzania to be US$85 million. Perhaps more alarming from the analysis was the disparity between the cost of cybercrime and budget allocation to cyber security related products,” Matafu notes in the report published in conjunction with Nairobi-based United States International University-Africa’s Centre for Informatics Research and Innovation.
“While there are high levels of investment in technologies and automation across government and the private sector, the study found that there was no matching investment in cyber threat prevention tools. Out of the organisations surveyed, (98 per cent) did not spend any money or spent less than US$5,000 (about 11m/-) annually on cyber security related products.
In a related report titled: Africa Cyber Security Report 2016, Serianu says African countries lost at least US$2 billion (about 4.4trn/-) in cyber attacks last year. In East Africa, Kenya recorded the highest losses — US$171 million — to cyber criminals. Tanzania lost US$85 million while Ugandan companies lost US$35 million.
The report ranks banking as the leading risk sector.
“The interconnection and complexity of modern banking systems has led to complex regulatory requirements, greater exposure to internal and external cyber security threats and concerns around data security and privacy across virtual borders,” says the report.
“In 2016, we witnessed more advanced attacks in banks mostly perpetrated by insiders, raising the concern that the banking sector is unprepared to deal with insider threats. Other sectors that have attracted criminals are the government, telecommunications, mobile money services, Saccos, microfinance and co-operatives, e-commerce and online markets, utilities (energy, water and electricity), manufacturing, hospitality and other financial services such as insurance, investment and brokerage,” it adds.
According to it, the top five victims of the attacks in Africa were Nigeria, Kenya, Tanzania, Ghana and Uganda, which lost US$895 million in total, about 1.97trn/-. Nigeria led the chart with a loss of US$550 million while the loss incurred by Ghanaians was US$50 million.
A further breakdown of the statistics in the report show that there were an estimated 340 million internet subscribers in Africa last of which 97.21 million were Nigerians. About 37.7 million people had access to the information superhighway in Kenya while Uganda, Tanzania and Ghana had about 19.12 million, 17.26 million and 14.56 million users respectively.
Makatiani said Ugandans experienced the most spamming in Africa last year.
“There are many people filling your inbox with unnecessary mail so that out of five emails, only one is work related, the rest are junk mail, something that affects work efficiency. Some send links that when clicked can lead to getting hacked,” he said.
“Technology has changed the business landscape in Tanzania dramatically. From strategic options to creation of new opportunities for innovation in products and services, technology is now incorporated in many if not all aspects of business. Internet usage has also seen a tremendous increase especially within Tanzania,” he notes in the report.
“However, as more businesses digitize their business processes and move to the internet, the potential attack vectors for these organisations expand. The main objective for this study and in essence this report was to understand the current top threats, risks and levels of awareness in Tanzania.
“The past year was a particularly tough period for local organisations with respect to cyber security. The number of threats and data breaches increased with clear evidence that home grown cyber criminals are becoming more skilled and targeted.”
The president of the ISACA Tanzania Chapter, Neemayani Sanare Kaduma, says that with the proliferation of systems, various applications and automated services such as mobile money, cybercrime is closer to home than it ever used to be.
According to the PwC Tanzania risk assurance services expert, cases of user accounts being hacked, corporate frauds propagated through information systems and tampering of e-money or cash losses in the mobile money space are increasingly becoming too common in the country.
To her, the passing of the Cybercrimes Act 2015 has been one good step forward to help deal with the problem but more needs to be done to create awareness in the society (user community) in general as this is still very low in Tanzania.
As noted in the 2017 Global State of State of Information Security Survey conducted by PwC, she argues, a combination of good policies, sophisticated tools, skills and continuous awareness and training of people is what is needed to address and manage cyber security.
Information System Audit and Security expert Peter Kisa Baziwe says cyber security is a global problem that has had local implications in the country.
He says that the presence of the national fibre optic backbone infrastructure that is connecting more multinational companies especially banks, oil and gas firms and telecom operators creates opportunities for hackers to attack these organisations from here and pivot to their parent companies or headquarters.