The digital realm is stunning and horrifying at the same time. Beyond the trailblazing AI and 5G, autonomous cars and blockchains, there are cybercrimes. Just to mention, Rwanda Investigation Bureau last year recorded at least 113 cybercrimes, costing the economy a staggering Rwf6 billion. National Bank of Rwanda data shows Rwf289.5 million was stolen through cybercrimes in 2018, a figure which also demonstrates that public and private institutions are the primary prey for cybercriminals. Even though every computer device or system can be a victim of these borderless crimes, large-scale institutions are always in the range of the criminals’ radar. The New Times’ Come Emmanuel Mugisha interviewed Andrew Bukangwa, Associate Consultant at MND Consulting Africa, on a wide range of issues related to cybersecurity. Associate Consultant at MND Consulting Africa is an international infotech company with headquarters in Zimbabwe. Excepts: What’s at stake in Rwanda’s cyberspace? One might literary think that all cybercriminals are after money, but the attacks go far beyond that. Stories of data thieves and whistleblowers breaching into servers headline media every day. Andrew Bukangwa. Firstly, there is personal information such as addresses, usernames, passwords, and IP addresses. Secondly, sensitive documents such as business contracts, payrolls and mailing lists are also a big target. Then the computer systems jeopardized by malware. What are the most common threats/attacks? There are various tactics for attacking an institution’s cyberspace. Phishing comes among the most common threats. It is an attempt to gain sensitive information while posing as a trustworthy contact. For example, in what’s called spear-phishing or whaling, a fake, yet legitimate-looking email impersonating a CEO is sent to a CFO applying pressure to make an urgent payment. But also hacking, ransomware, insider threats, social engineering, cyber-squatting and spamming are notorious enough for compromising companies’ cybersecurity. Who is likely to fall prey? Everyone and everything. Literary everyone now that the digital era has taken over; from big data servers to a tiny cellphone in your pocket or a motion detector in your building. But on a large scale, financial institutions like banks are the most vulnerable. Then for data thieves, the best targets are ministries and government boards that keep people’s information. Imagine all the data maintained by the National Identification Agency (NIDA) or Rwanda Immigration. Those are data goldmines. Do small-and-medium institutions have to worry? Absolutely yes. SMEs, schools, and universities must not only worry but also invest in mitigating cyber threats. For example, Denial-of-Service (Dos) attacks are designed to render a certain service unavailable to its consumers. That is very common, for example, during student registration processes. How can institutions mitigate cyber threats? The CIA triad. Not the Western agency, but Confidentiality, Integrity, and Availability. That is a paradigm that guides policies for information security within an institution. To say, every institution needs a policy in the first place. Confidentiality can be roughly compared to privacy. In a blunt sense, it is a set of measures to make sure data is accessed by an authorized subject. Integrity is the maintenance of data accuracy and trustworthiness. It assures data is not modified in transit. Lastly, availability is a guarantee that an authorized subject can access data in due course. Those policies are then enforced by best practices. Have a Firewall and anti-virus protection, always updated; Keep your operating system and applications up-to-date; Change your passwords regularly; Never leave devices unattended; Back up your data regularly; Continuously train your employees on cyber hygiene; Stay suspicious of spams and malicious links; That might be expensive… It might be, but it is worth it. If companies or government bodies want to protect their repute and resources, people’s money, information or trust, investing in cybersecurity is crystal clear decision. After all, it is wiser and less expensive than countermeasures and reactions responding to a hit by a cyberattack. editor@newtimesrwanda.com