By Edrine Wanyama |

Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.

Identifying security controls to defend against cyber threats and data protection thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24,2017 targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.

The workshop explored the Information Assurance for Small Information Assurance for Small to Medium Enterprises (IASME) which encourages SME’s to comply with international information security management standards.

Currently, possible cyber risks include; theft of data for monetary gain or competition by criminals, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.

Discussions on information security are abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, the Electronics Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.

According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security is considered a technical issue rather than a business imperative.  The findings of this study echo sentiment held by civil society orgnaisations which face similar digital security threats including increasingly sophisticated threats and rate of incidents.

In order to be better positioned to address cyber threats, civil society and SME need to be equipped with skills encompassing both online and offline responses. These include know how on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.

Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls including malware protection, access control, patch management, secure configuration, boundary firewalls and internet gateways.

As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SME’s.

CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.

In the meantime, the Ministry of ICT & National Guidance on August 20, 2017 held an Awareness Workshop on Cyber Laws such as the Constitution of the Republic of Uganda 1995, National Information Technology Authority, Uganda Communications Act 2013, Electronic Signatures Act, Computer Misuse Act, Registration of Persons Act, Electronic Transactions Act, Electronic Transaction Regulations 2013, Electronic Signatures Regulations 2013, Open Data Policy, 2017, ICT for Disability Policy Draft and the Data Protection and Privacy Bill, 2015, to sensitize member of the public, private sector, academia, government officials and other stakeholders on information security threats and how to best combat them. The work shop put emphasis on the need to know, learn and understand existing and upcoming laws, policies and guidelines that regulate cyber security and how they can be best applied.