Cybersecurity: Majority of Rwandan SMEs vulnerable
Monday, September 07, 2020
A screenshot of an email sent by phishers. According to statistics from the Rwanda Investigation Bureau (RIB), the rate of cyber crimes escalated during the three months of lockdown.

A large majority of Rwandan Small and Medium Enterprises have been found to have major vulnerabilities in cybersecurity, according to a recently conducted study, ‘National Cyber Security Profile of Rwanda’.

The study, by SySec Ltd, the UK-based Cyber Security and Threat Intelligence firm, assessed over 750 firms sampled from SMEs in the country, all with .rw domains and an active web presence.

About 38,000 non-invasive tests were performed in total, generating actionable and informative cybersecurity data.

Of the firms reviewed, none was found to have excellent cybersecurity systems, 26 were rated as good, 147 were found requiring improvement with the rest rated as poor, very poor or critical.

Among the key vulnerabilities found were that emails were vulnerable to fraud and spoofing. This exposes the firms to risks such as email scams, phishing and invoice fraud which were recently found to be increasing sharply in Rwanda.

Statistics from Kaspersky, a global cyber-security firm, show that email scams and fraud are becoming increasingly targeted at Rwandans, with several new tricks such as human resource dismissal emails and bank services.

Ian Bland, the Head of Cyber Security Solutions at SySec Ltd, said that often a majority of data breaches begin with a phishing email, which could also be used to deliver ransomware and other malware.

“The risk of email vulnerability is very high. Invoice and CEO fraud are more targeted email scams that are financially damaging to companies. Email scams are simple and effective for a cybercriminal as they require less technical expertise than other avenues of attack. It’s easier to trick someone into providing their login passwords using a phishing email and cloned website rather than hacking into network security,” he said.

In 56 per cent of the SMEs involved in the survey, the website traffic was not secure due to unencrypted connections, which could easily be monitored, modified or impersonated. In these sites, the privacy and data of visitors were not protected.

90 per cent of the firms were not protected from common vulnerabilities. These vulnerabilities not only impact the website owner but can allow sites to be used maliciously as a vector of attack against visitors.

Bland also noted that there was a prevalence of simple server configuration errors, and servers using outdated software and frameworks that have led to the exposure of data that poses a threat if discovered by a malicious third party.

“This includes proprietary data and code, personally identifiable information, files that contained administrative credentials and other such info that can provide the opportunity for further exploitation,” he said.

Remedy

The study’s authors noted that remedying the vulnerabilities requires implementing security controls in server and Domain Name System settings to secure email and web-based interactions.

“These are for the most part configuration settings that have no cost associated with them to implement. Make sure that servers remain updated with latest versions of software and frameworks. Most server software is open source and free,” he said.

The experts further advised firms to make sure that only essential ports are open on any public-facing server.

“Any administration console ideally would be behind a firewall. At the very least these should require strong unique passwords and 2-factor authentication to access,” he said.

Generally, there is a low level of understanding of cybersecurity across the board, the expert said, noting that from the outside it can appear quite confusing, expensive and off-putting for many business owners.

“While not all businesses require sophisticated cybersecurity implementations, all businesses should implement minimum security standards. Minimum security standards that cost nothing to implement yet can protect from many common cyber threats,” he said.

Despite the extent of vulnerability established, the situation is not much different in other markets, including more established ones such as Singapore.

For instance, a similar study in Singapore showed that while the average rating is slightly higher than Rwanda’s, the Asian nation had a higher percentage of critical-rated domains (18 per cent) than Rwanda (12 per cent).

“With Rwanda’s development goals in mind, there is an excellent opportunity for Rwandan businesses as a collective to implement these basic security controls,” Bland said.

Like elsewhere across the world, the rate of cybercrimes escalated during the three months the country was in lockdown, according to statistics from the Rwanda Investigation Bureau (RIB).