By Edrine Wanyama
Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.
Identifying security controls to defend against cyber threats and protect data thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24, 2017, targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.
The workshop explored the Information Assurance for Small to Medium Enterprises (IASME), which encourages SMEs to comply with international information security management standards.
Possible risks include: theft of data by criminals for monetary gain or competition, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.
Discussions on information security abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, the Electronic Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.
According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security are considered a technical issue rather than a business imperative. The findings of this study echo sentiments held by civil society organisations (CSOs), which face similar digital security threats, including an increase in the sophistication of threats and the rate of incidents, according to research conducted by the Collaboration for International ICT Policy in East and Southern Africa (CIPESA). It revealed that various CSOs were concerned about, or had been victims of, hacking attempts on their email accounts and internal networks, that they had been targeted by phishing emails, and that they feared their activities were being surveilled by authorities.
In order to be better positioned to address cyber threats, civil society and SMEs need to be equipped with skills encompassing both online and offline responses. These include know-how on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.
Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls: malware protection, access control, patch management, secure configuration, and boundary firewalls and internet gateways.
As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SMEs. CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.