Bridging Cyber Security Gaps: SMEs Trained in Uganda

By Edrine Wanyama |
Uganda’s Small and Medium Enterprise (SME) sector is credited with contributing 20% to the country’s Gross Domestic Product (GDP) in 2016. While the level of adoption of technology as a key component of operations within the sector remains unclear, its effective utilisation requires entities to also embrace safety and security measures as a priority.
Identifying security controls to defend against cyber threats and data protection thus formed the basis of discussions at a cyber standards training workshop for SMEs in Uganda. Organised by the National Information Technology Authority (NITA-U) in collaboration with the Commonwealth Telecommunications Organization (CTO), the workshop, held in Kampala, Uganda on August 23-24,2017 targeted SME entrepreneurs, banking industry officials as well as ICT sector representatives from non-government organisations and other ICT stakeholders.
The workshop explored the Information Assurance for Small Information Assurance for Small to Medium Enterprises (IASME) which encourages SME’s to comply with international information security management standards
Possible risks include; theft of data for monetary gain or competition by criminals, hacking, physical insecurity to staff and office equipment, malware attacks, insecure configuration, updating software from unreliable sources, access control and spam.
Discussions on information security are abound in Uganda as the Data Protection and Privacy Bill, 2015 makes slow progress in Parliament while laws like the Computer Misuse Act, 2011, The Electronics Signatures Act, 2011 and the Electronic Transactions Act, 2011 do not fully address the issue of data protection and privacy.
According to a 2016 report based on a global survey of cybersecurity managers and practitioners, cyber security and information security is considered a technical issue rather than a business imperative.  The findings of this study echo sentiments held by civil society organisations which face similar digital security threats including increasingly sophisticated threats and rate of incidents according research conducted by the Collaboration for International ICT Policy in East and Southern Africa (CIPESA). It revealed that various CSOs were concerned about, or had been victims of hacking attempts on their email accounts and internal networks, that they had been targeted by phishing emails, and that they feared their activities were being surveilled by authorities
In order to be better positioned to address cyber threats, civil society and SME need to be equipped with skills encompassing both online and offline responses. These include knowhow on policy and compliance, physical environmental protection, risk assessment, access controls, incident management, monitoring, backup, malware identification and technical intrusions.
Through a cyber essentials course and practical exercises, participants at the workshop were equipped with basic skills for enabling non-technical users to establish five information security controls including malware protection, access control, patch management, secure configuration, boundary firewalls and internet gateways.
As a follow-up to the exercise, selected participants will undergo further training for possible contracting as IASME information security assessors for SME’s. CTO’s international events and seminars are conducted in all countries of the Commonwealth, across the continents of Africa, Europe, the Americas, Asia and the Pacific region. Specifically, in Africa, the events have been held in Botswana, Cameroon, Ghana, Kenya, Liberia, Mozambique, Nigeria, Papua New Guinea, South Africa, Swaziland and Uganda.
 

Supercharging Human Rights Defenders // East Africa

By Small Media |
Building off the success of our 2016 report ‘Supercharging Human Rights Advocates in the Levant’, the Small Media team is excited to announce our latest project in a whole new region. Making use of the practices we’ve developed in our work across the Middle East, Small Media is setting out to survey the cybersecurity landscape in East Africa. Over the course of this project, we aim assess the state of internet controls in the region, and support the development of a regional community of internet freedom researchers, digital security experts, and human rights defenders.
Over recent years, regional civil society organisations and human rights defenders have been confronted with significant security challenges as internet freedom is threatened across East Africa. The Collaboration on International ICT Policy in East and Southern Africa (CIPESA), one of our local partners for this project, have highlighted various issues involving undue prosecution of Internet users in East Africa in their 2016 State of Internet Freedom in Africa report. In Tanzania this has involved users being targeted and arrested for offenses including ‘insulting the president’ and news sites being shut down. Netizens in Uganda faced blocked social media and mobile money services in the build up to the February 2016 elections, alongside crackdowns on ‘offensive communications’, in the form of bans on social media accounts that criticise the government. Burundian social media users have seen platforms including Viber, Twitter, WhatsApp and Facebook shut down during public protests against government figures. In addition to this, Rwandan citizens face among the world’s worst restrictions on freedom of speech and political activity, including stringent online censorship targeted at those discussing ‘sensitive’ topics.
Freedom House’s 2016 Freedom on the Net report highlights the challenges faced in Rwanda and Uganda, but there are a number of gaps in regional knowledge that we aim to fill. With levels of access to the Internet growing steadily in the region, and some concerning indications of a ramping-up of state efforts to crackdown on internet freedom, it is important that the digital security needs of CSOs and netizens are addressed in an urgent manner.
Thus, focusing on Uganda, Rwanda, Burundi and Tanzania, our research seeks to fill the gap that exists by identifying the digital security threats facing CSOs in the East Africa region, recommending a plan of action and then developing the capacity of CSOs to respond to the threats that they face.
Our Project
The first phase of this project involved working with two of our local partners, CIPESA and DefendDefenders, to select high-quality workshop participants and trainers, in order to create and train a secure, strong and enthusiastic community of regional, on-the-ground digital security experts and researchers. The training given at the workshop has equipped local actors to engage in comprehensive and long-term digital security research, thereby supporting the future needs of CSOs across the region.
Building on the successful outcome of the workshop, our local researchers – working alongside our regional partners – are now hard at work carrying out the core components of the research project, including:

  1. Legal and Policy Analysis – to assess the current legislative frameworks that exist within East African states, and to establish what powers governments have to monitor and prohibit online communications.
  2. Network Measurements – to assess the internet infrastructure in each of the target countries. Our researchers are using OONI Probe and ICLab’s Centinel software to establish the level of censorship taking place, and highlight any network vulnerabilities to state-directed internet shutdowns.
  3. CSO Cyber Capacity Assessments – interviews are being undertaken with a number of CSOs to identify the most urgent digital security threats they face, and to measure their defences.

With the training workshop completed, Small Media and our local partners are currently working with an enthusiastic team of local researchers to carry out the on-the-ground research components. We’ll be busily compiling our research findings over the next couple of months, but we look forward to presenting you with our findings and recommendations upon the report’s publication in March 2017. Stay tuned!
This article was sourced from the Small Media website.
 

Announcement: Forum on Internet Freedom in Africa 2016

The Forum on Internet Freedom in Africa is scheduled to take place on September 27–29, 2016 in Kampala, Uganda.
The Forum provides a unique opportunity to deliberate and build a network of supporters of internet freedom in Africa. It brings together a wide range of civic actors such as journalists, bloggers, human rights defenders, and activists, private sector actors such as telecom companies, as well as communication regulators and law enforcement.
In 2015 the Forum assembled panelists from a diversity of backgrounds, which facilitated spirited discussions as captured in this report.

See the 2015 Forum Highlights video

A key highlight at the Forum is the launch of the State of Internet Freedom in Africa report that captures trends on internet freedom in select African countries. The 2016 report will cover the most number of countries so far.
These deliberations come as various African countries witness a slide in online freedom of expression and association, as well as breaches of the rights to privacy and access to information.
Visit the Forum page for more information.
Eventbrite - Forum on Internet Freedom in Africa 2016

CIPESA Promotes Digital Safety Awareness and Skills for Media Practitioners in Kenya

By Marilyn Vernon & Liz Orembo |
Threats to citizens’ access to information, privacy, security and freedom of expression online are increasingly coming under scrutiny in East Africa. According to the World Press Freedom Index, Kenya who was ranked number 71 out of 180 countries in 2013, dropped 29 places to number 100 in 2014. Meanwhile, cybercrime is also on the rise in the country. The Kenya Cyber Security Report 2014 shows a 108% increase in detected cyber threat incidents, from 2.6 million attacks in 2012 to 5.4 million in 2013.
The Cyber Security Report attributes the surge in criminal activity to the increasing value of information and the lower risk of detection and capture. Businesses and individuals are susceptible to threats stemming from spyware, social media, unsecured email, and theft of mobile computing devices.
Kenya’s ranking in the World Press Index reflects the deteriorating relationship between the media and the state. The steady decline is partly attributed to the passing of prohibitive legislation, most notably the Kenya Information and Communications (Amendment) Act and the Media Council Act of 2013, which subjects violators to heavy fines and asserts undue state control over media practice.
A few journalists in Kenya have boldly reported on sensitive topics at the risk of imprisonment or financial penalties. Reported cases of assassination, disappearance, destruction of property, confiscation of equipment, and arrests are among the list of violations committed against journalists and activists.
Notably, controversial blogger Bogonko Bosire, who worked for Agence France Presse (AFP), went missing two years ago. He was known for his criticism of President Uhuru Kenyatta’s administration during the International Criminal Court (ICC) proceedings. It is reported that Bosire had been threatened multiple times, and his website Jackal News suffered at least one digital attack. Various rumors surrounding his fate spread online, but his whereabouts remain unknown.
In a digital safety and security training workshop conducted last month by the Collaboration on International ICT Policy for East and Southern Africa (CIPESA) in partnership with Kenya ICT Action Network (KICTANet), journalists, bloggers and activists admitted to using the Internet for research, communication and reporting but with little or no understanding of the existing digital threats.
“Why do I need security?” and “I’m not that important for anyone to waste time looking for information in my gadgets” were some of the comments participants made.
Other shortcomings identified in the pre-workshop assessment included poor organisation IT mobility policies whereby, just like other business organisations in Kenya, media houses allow their employees to carry their own devices to the workplace. Some of these devices are also used in public places by employees to meet their work targets. This increases the risks of journalists having their data lost or compromised especially since theft of mobile and computing devices is rampant in the country.
Freelance journalists indicated being unable to acquire the necessary digital safety resources as often availed to counterparts fully employed by the media houses. Besides, there was a widespread use of free web-based email services such as Yahoo, Google mail and Hotmail through which practitioners felt “sensitive communication can be intercepted since some of these email service companies have histories of being hacked”.
Accordingly, the CIPESA-KICTANet training workshop set out to equip participants with the necessary tools and knowledge needed to protect their digital information and communication, and to respond to various types of digital threats. The workshop topics ranged from the importance of digital security, secure communication and data storage, to PC and mobile device security, as well as the ethical and legal aspects of digital communication on social media platforms.
The interactive sessions enabled a knowledge-sharing environment in which participants were able to evaluate their security vulnerabilities and to choose security tools they would use to protect themselves and their work. Attendees engaged in group discussions, lab demonstrations, and case studies of ethical blogging. Participatory sessions demonstrated how to encrypt emails, create strong memorable passwords, and identify built-in security features on mobile devices to determine which are important for personal safety – taking into account that security features are only effective when used well.
As a means to protect information and guard against digital threats, the workshop facilitator, Harry Karanja, encouraged participants to use tools such as anonymous internet navigation settings, data encryption, and virtual private networks (VPN). He also recommended use of IP anonymisation and signing up with secure anonymous email services.
Participants were also urged to refrain from sharing personal identifiable information online, perform regular updates to the latest versions of operating systems, and back up their data.
Recommendations from participants for future workshops included partnering with learning institutions to train student journalists on digital security prior to engaging in professional work and the development of online tutorials for ongoing reference.
The workshop, held at Riara University in Nairobi, Kenya on June 17-18 2015, had 24 participants from Kenyan print, broadcast, and online news agencies. It is the fourth in a series of digital safety awareness and capacity building trainings conducted this year by CIPESA under its OpenNet Africa initiative. The others have been held in Tanzania and Uganda.