Cyber report reveals threats to Ugandan businesses

Lists what Uganda top business executives fear more than theft, fraud, corruption

COVER STORY | RONALD MUSOKE | A cyber-attack event is the top-most business risk for Ugandan business executives this year, according to a new survey published on Jan.23 by Allianz Group’s corporate insurer affiliate, Allianz Commercial.

Cyber-attacks which include incidents such as ransomware attacks, data breaches and IT disruptions are also the biggest worry for companies around the world but, in Uganda, the threat ranks higher than theft, fraud, corruption, natural disasters and fire, noted the Allianz Risk Barometer.

The Allianz Risk Barometer is an annual business risk ranking compiled by the Germany-based Allianz Group. This year, the survey which is the 13th edition, incorporated the insights of 3,069 risk management experts including CEOs, risk managers, brokers and insurance experts from 92 countries and territories.

Globally, according to the Allianz Risk Barometer, cyber incidents (36% of overall responses) were ranked as the most important risk for the third year in a row – for the first time by a clear margin (5% points). It is the top peril in 17 countries, including Uganda, Kenya, Mauritius, Germany, India, Japan, the UK, and the USA.

According to the survey, risk perception differs regionally; from climate change, political risks and violence, to shortage of skilled workforce. But, in Uganda, cyber incidents emerged as the top risk, with a staggering 48% of respondents expressing concern. Market developments, theft, fraud, and corruption were identified as joint second risks, with 35% of respondents highlighting their significance.

Paul Kavuma, the CEO of Jubilee Allianz General Insurance Uganda, emphasised the gravity of the situation, saying the increasing reliance on digital technologies and the interconnectedness of the world have made organisations vulnerable to cyber threats.

“It is crucial for businesses to prioritise cybersecurity measures to safeguard their operations and protect sensitive information,” he said.

Local cyber security experts The Independent has talked to for this story say the business executives are right to worry about the country’s growing cyber insecurity. The experts point to increased internet coverage around the country that has led to an increase in the number of internet users and also more cyber threats to users who are unaware of cyber security protocols while online.

Joshua Twinamasiko, a local researcher on cyber security says as the cyber security landscape continues to witness sophisticated threats, organisations should focus on adopting a holistic security approach that transcends conventional boundaries.

“As we become more reliant on digital technology, taking advantage of all the great advancements, the threats that we face online have also grown, and personally I believe cyber security is close to the top of the list, if not at the very top,” Twinamasiko told The Independent

Arnold Mangeni, the Director for Information Security at National Information Technology Authority-Uganda (NITA-U), a government agency that coordinates, promotes and monitors information technology developments in the country, said there should be vigilance at government, institutional, business and individual level.

“There are individuals who want to cause disruption (of systems) but also embarrass,” Mangeni told The Independent on Jan.25, “There is need for institutions, business entities and even individual users of information technology to constantly assess the risks they face and put controls that will protect them from cyber threats.”

Unfortunately, as Twinamasiko points out, “in an age where cyber threats keep increasing in sophistication and reach, the scarcity of proficient cyber security experts presents a substantial risk.”

According to the Uganda Police Force’s Annual Crime Report for 2022, there were 286 cases of cyber crimes reported that year. These cases led to loss of Shs19.2 billion. Interestingly, Police noted in its report, only 45 cases were taken to Court, nine cases “were not proceeded with” while 232 cases were still under inquiry.

Of the total cases taken to Court, five cases secured convictions, one case was dismissed while 39 cases remained pending in Court. And of the Shs 19.2 billion lost to cyber crime, only Shs 16.7 million was recovered.

A previous assessment of Uganda’s cyber security status done by the Global Cyber Security Capacity Centre found that although there is recognition of cyber risks and threats in the country, and there are efforts towards cyber-crime awareness campaigns, “there is generally an absence or at best minimal recognition of a cyber-security mind-set within most of the government agencies.”

The assessment, for instance, noted that whereas most government agencies do recognise the need for raising awareness on cyber security, it is not the norm yet. “The IT experts within government departments are aware of cyber security, but most employees are not aware,” noted the report.

“Many businesses and industry have minimal recognition of the need for creating a cyber-security mind-set in the work or business environment.” The report noted further that although the private sector is increasingly becoming more aware of the need for cyber security, usually it’s only a handful of people in the organisation who might be focusing on or driving cyber security issues.

“The majority of employees in business and industry understand the risks and threats. Financial institutions such as banks have prioritized creating a cyber-security mind-set at work places. They are aware of cyber security threats and risks, and developing capacity respectively.” the report noted, adding that, “A number of SMEs are also aware of cyber security risks and threats but lack expertise to know the right mechanisms to address the risks identified.”

“Society at large has adopted a cyber-security mind-set but inconsistently. There are privacy settings online and people might know how to create a password, but that does not mean that they have a cyber-security mind-set. A national awareness programme has not yet been developed.”

“The need for awareness and outreach of cyber security threats and vulnerabilities across public and private sector is at the initial stage of discussion. Trust in online services is still a concern for many Ugandans and this is why Ugandans tend to prefer face-to-face interactions.”

Mangeni told The Independent that Ugandans should understand that cyber security is a shared responsibility. He said besides the government putting in place both laws and policies to guide Ugandans on how to operate in the cyber space, the government has also deliberately started an awareness campaign dubbed “Be Safe Online” which runs every October. But, he acknowledges, all these initiatives need Ugandans to play their part.

“For instance, when was the last time you changed your Mobile Money PIN? We always encourage people to change their Mobile Money PINs because it is part of your cyber hygiene practice.” He particularly calls upon parents to be mindful of their children’s online activities because children are particularly vulnerable to cyber breaches since they are less discerning. “It’s not enough to buy Smartphones, tablets and load internet data on the gadgets, the children’s activities must be monitored constantly to ensure their safety.”

Mangeni told The Independent that institutions and business entities must constantly re-assess their cyber security risks they face and put in place controls that guarantee the safety of their operations. Twinamasiko agrees. He says, organisations will have to invest more resources in rigorous vendor assessments, ensuring that third party entities adhere to stringent cyber security standards.

“Collaborative efforts between organisations and their partners will also likely evolve, emphasising shared threat intelligence and collective strategies to fortify the entire supply chain against cyber threats,” he adds.

“The goal will be to establish a resilient ecosystem where the security of one entity contributes to the overall strength of the interconnected network. We shall also see some vendors who fail to make the mark be dropped by major players.”

Twinamasiko told The Independent that the need for security will have the telecoms, banks and other institutions suspend or even cut ties completely with third party partners whom they deem high-risk either from historical events or audits of their current set-ups.

Trends driving cyber activity in 2024

For most business executives, a data breach is seen as the most concerning cyber threat for Allianz Risk Barometer respondents (59%) followed by attacks on critical infrastructure and physical assets (53%). The recent increase in ransomware attacks – 2023 saw a worrying resurgence in activity, with insurance claims activity up by more than 50% compared with 2022 – ranks third (53%).

“Cyber criminals are exploring ways to use new technologies such as generative artificial intelligence (AI) to automate and accelerate attacks, creating more effective malware and phishing,” said Scott Sayce, Global Head of Cyber, Allianz Commercial.

“The growing number of incidents caused by poor cyber security, in mobile devices in particular, a shortage of millions of cyber security professionals, and the threat facing smaller companies because of their reliance on IT outsourcing are also expected to drive cyber activity in 2024.”

Large corporates, mid-size, and smaller businesses are united by the same risk concerns – they are all mostly worried about cyber security, business interruption and natural catastrophes. However, the resilience gap between large and smaller companies is widening, as risk awareness among larger organizations has grown since the pandemic with a notable drive to upgrade resilience, the report notes.

On the other hand, smaller businesses often lack the time and resources to identify and effectively prepare for a wider range of risk scenarios and, as a result, take longer to get the business back up and running after an unexpected incident.

According to Petros Papanikolaou, the CEO of Allianz Commercial, the top risks and major risers in this year’s Allianz Risk Barometer reflect the big issues facing companies around the world right now – digitalization, climate change and an uncertain geopolitical environment.

“Many of these risks are already hitting home, with extreme weather, ransomware attacks and regional conflicts expected to test the resilience of supply chains and business models further in 2024. Brokers and customers of insurance companies should be aware and adjust their insurance covers accordingly.”

Business interruption and natural catastrophes

Despite an easing of post-pandemic supply chain disruption in 2023, business interruption (31%) retains its position as the second biggest threat in the 2024 survey. Business interruption is ranked fifth in Uganda. According to the report, this result reflects the interconnectedness in an increasingly volatile global business environment, as well as a strong reliance on supply chains for critical products or services.

Going forward, improving business continuity management, identifying supply chain bottlenecks, and developing alternative suppliers continue to be key risk management priorities for companies in 2024.

Meanwhile, at position 3, the risk of natural catastrophes (26%) is one of the biggest movers. It moved up three positions globally and features as new risk in Africa and the Middle East at position 6. Last year (2023) was a record-breaking year on several fronts.

It was the hottest year since records began, while insured losses exceeded US$100bn for the fourth consecutive year, driven by the highest ever damage bill of US$60bn from severe thunderstorms. Notably, Morocco witnessed a significant rise in this risk, climbing from seventh to first place. Cameroon and South Africa also experienced a surge in natural catastrophe risks, ranking among the top five risks in these countries.

Regional differences in risk perception

Climate change (18%) may be a non-mover year-on-year at position 7 but is among the top three business risks in countries such as Brazil, Greece, Italy, Turkey, and Mexico. The risk ranks ninth in Uganda. Physical damage to corporate assets from more frequent and severe extreme weather events are a key threat.

The utility, energy and industrial sectors are among the most exposed. In addition, net zero transition risks and liability risks are expected to increase in future as companies invest in new, largely untested low-carbon technologies to transform their business models.

Unsurprisingly, given ongoing conflicts in the Middle East and Ukraine, and tensions between China and the U.S., Political risks and violence (14%) is up to #8 from #10. Interestingly, this risk has moved down one place to seventh in Africa and the Middle East, while ranking as one of top five risks in Cameroon and Ivory Coast.

2024 is also a super-election year, where as much as 50% of the world’s population could go to the polls, including in Ghana, Mauritius, Senegal, South Africa, India, Russia, the US, and UK. Dissatisfaction with the potential outcomes, coupled with general economic uncertainty, the high cost of living, and growing disinformation fueled by social media, means societal polarization is expected to increase, triggering more social unrest in many countries.

However, there is some hope among Allianz Risk Barometer respondents that 2024 could see the wild economic ups and down experienced since the Covid-19 shock settle down, resulting in Macroeconomic developments (19%), falling to fifth from third globally and at a similar position in Uganda. Yet economic growth outlooks remain weak – just over 2% globally in 2024, according to the Allianz research.