Individuals, businesses and governments have become more dependent on the internet and other digital technologies for their daily activities and functionalities, be it; social interactions, transactions, data storing or operating systems.

This increases the vulnerability to cyber-crimes such as; hackers accessing personal information, stealing business or government secrets or data and intellectual property or simply people harassing or bullying one another on social media.

 Cyber criminals do this for financial, political or any other gain. Those malicious crimes come in different arrangements essentially as cyber-attacks (ransomware, political hacktivism, …) or just online abuse.

Cyber-attacks as we know them involve unauthorised access to private servers and computers. Ransomware is a recent example of cyber-attack that has been dominating news in the west even deepening political tensions among the superpowers of the world.

 Often targeting government entities, businesses or any person with important files, ransomware is a form of software that is specifically designed to disrupt, damage, or gain unauthorised access to files on a device and rendering those files and the systems that rely on them inoperative.  

Malicious actors then demand payoff in exchange for conversion of affected data into its original form. If the victim does not pay the money asked, the perpetrators threaten to sell or leak the data or authentic information.

Whilst online abuse covers a wide range of bad behaviors on social media and other social networks. Abuse happens when someone acts in a way that causes harm and distress to others.

Although, cyber-crimes are punishable under Rwandan penal laws, and law enforcement body, Rwanda Investigation Bureau (RIB) always warn people who engage in them, these are more complex and expensive crimes to prosecute prominently due to the nature of the internet.

However, there are internationally recognised best practices for victim response and reporting of cyber incidents so as to mitigate the damage and maximise the ability of law enforcement to locate and apprehend perpetrators.

On the one hand, if your organisation suffers a cyber-attack or any similar intrusion, first step you should take is to make an initial assessment of the event to understand the nature and scope of the incident.

This will help you identify if it is a malicious act or a normal technological hiccup.

Second step is to implement measures to minimise continuing damage, thus, your technical team may take action including rerouting network traffic, filtering or blocking a distributed denial-of-service attack or isolating all or parts of the affected network.

Next step your organisation should take is recording and collecting information of the incident; this may include taking images of the affected device(s), keeping relevant logs, notes, records and data of the affected networks and devices and steps taken by the team responding to the attack.

This step is even critical from a legal point of view since it may help in collection of relevant evidence. Another vital step to take, is to notify appropriate management and personnel within your organisation, and other possible victims of the same attack if any.

 Besides, you should inform RIB, and alert National Rwanda Cyber Security Authority (NCSA) which has the expertise and preparedness to deal with such kinds of events.

If these steps are taken in a timely and efficient manner the chances are the loss to your corporation as result of a cyber-attack, may be significantly sustained.

Defensively, before your organisation experiences a cyber-attack or intrusion, in your usual course of business, there are some recommended best practices to adopt that might be useful in preventing and responding fiercely to cyber-attacks.

 Those consist of preparing security measures to protect critical data and assets of the organisation, put measures in place that will allow and facilitate lawful network monitoring, implementing principles enshrined in the Rwanda National Cyber Security Policies.

Other international manuals available and recommendations given by specialised public institutions such as Rwanda Information Society Authority (RISA) , create an attack response plan and procedure to employ in the event of attack. It is also ideal to have a legal team that is familiar with legal issues associated with cyber events, develop active relationships with relevant law enforcement agencies, outside legal counsels, public relations and cybersecurity firms that might help in case of the attack.

 All these practices, if implemented in hand with other internal policies, will minimise or ensure a swift response to the cyber-attacks on your organisation.

On the other hand, if you are distressed with online abuse such as cyber-bullying, blackmailing, stalking, harassment or similar incidents on social networks, which allegedly target celebrities and women in higher numbers, the first step, is to cut all communications with the perpetrator, promptly report the incident to the social network (Instagram, Twitter…) and RIB for their action.

It is also prudent to not pay any of the requested money by the perpetrators or do whatever they ask you to do, and lastly record the evidence; where possible take screenshots, record the perpetrator’s email, username, voice notes, …. This will help you back up your claim.

Albeit, the Government of Rwanda has put much effort in safeguarding its cyber-space through institutional and regulatory frameworks, due to the nature of the internet, jurisdictional and applicable law issues (victim and perpetrator maybe in different countries) and political paradigms; it is still a challenge to enforce relevant laws and regulations to punish cyber-crimes. To this effect, businesses, government institutions and individuals are urged to be more vigilant and take pertinent precautions to close all the loopholes that malicious actors may exploit. In case the attack takes place you should respond quickly and liaise with relevant institutions to mitigate the damage and increase chances of holding the perpetrators accountable. 

The views expressed in this article are of the writer and do not constitute legal advice. Please seek professional advice in relation to any particular matter you may have.

The writer is a corporate and commercial lawyer and Trainee Associate at K-Solutions & Partners

Email; felix@ksolutions-law.com