Cyber Security in Mauritius: Are We Resilient Enough?
$3.5 billion is the amount African countries have spent over the past years to counter cyber-attacks, according to the World Bank. With constant digitalisation, cyber security has become one of the most essential factors determining the safety of companies, government and individuals. Cybersecurity issues have gained traction on a global scale, and Mauritius is not spared either. How vulnerable are we to attacks? Where do we stand? What are our best practices?
Globally, October is known as Cybersecurity Awareness Month, a time for countries, governments and companies to reevaluate their approach to data protection and cyber security. Until now, Mauritius has been a good student when it comes to cyber security. According to the International Telecommunication Union (ITU) Cybersecurity Global Index 2017, Mauritius is ranked first in Africa and sixth in the world.
There is no doubt that the ICT sector is a key sector in Mauritius and the government’s vision 2030 is to transform Mauritius into a SMART island.
But are we aware that cybersecurity threats can affect our critical information and communication infrastructure as well as our relations with other countries?
Mauritius already has a cybersecurity strategy that runs from 2014 to 2020. In its Cybercrime Strategy 2017-2019, the Government recognises the serious threats posed by cybercriminals and the necessity to bring them to trial to answer for their criminal acts. “In this perspective, a National Cyber Security Strategy was developed and approved by the Cabinet in 2014. The strategy provides an overview of what it takes to effectively protect information systems and networks and gives an insight into the Government’s approach and strategy for protection of cyberspace in the country.”
Where do we stand?
Sylvain Martinez, Founder and Principal Security Consultant at ElysiumSecurity, explains that as Mauritian homes and businesses are becoming increasingly reliant on technology and increasingly connected to the internet, Mauritius is as vulnerable to cyber-attacks as any other developed country in the world. “As the modern world is becoming more and more digitalized, it will also increasingly rely on IT systems, which means the cyber-attack surface is growing. In parallel, there is more and more money for cyber criminals to gain from cyber-attacks as well as an increasingly high potential geopolitical impact, which means the hackers are becoming more and more sophisticated professionals and with more resources.”
However, he underlines that Mauritian companies are becoming more aware of cyber security risks and are increasingly improving their cyber defences. “It is an ongoing work and the main challenges are to identify the main cyber security gaps, prioritise their remediation and find the right local cyber security resources to help make Mauritius a safer cyber space.”
Moreover, according to Loganaden Velvindron, the common types of cybercrime Mauritius is vulnerable to include phishing, malware and vulnerable infrastructure. “Phishing is common in mails that claim to be someone different. Many people are unable to identify phishing attacks against them. Malware is common on smartphones, tablets and also PCs that have been infected. Lastly, vulnerable infrastructure which is exploited is quite common: servers are often left running for years without provision for security updates. Many websites have been defaced due to lack of security audits to identify vulnerable code running.”
He believes that with digitalisation, Mauritius is definitely at more risk. “We are more at risk as digital attacks are harder to spot. For example, a phishing attack in an email that looks genuine will take a long time to be discovered, often after the attack is successful.”
Subheer Ramnoruth, director of Whitefield Business School, states that the risk of attacks or security breaches increases with digitalisation. “People are vaguely aware of the IT security risk, which makes them even more prone to online threats. For instance, when one downloads a mobile phone App, have we ever questioned ourselves why does the App ask us for permission to view our pictures or call logs? Or do we venture to see if these are genuine Apps or fraudulent ones? Why would a company invest hundreds of thousands of rupees in developing an app and then give it online for free to everyone? Surely there is another motive behind simply providing you with entertainment only.”
Risk-prone sectors
Attackers would obviously be more interested in areas where there are financial gains, says Subheer Ramnoruth. “But some would also be interested in unlawfully intercepting information of users which are of value to them. Customer databases and personal data are also a lucrative business. That is most probably why recently Facebook was attacked and in the past LinkedIn was a victim, too. It was for the purpose of ‘data theft’. So, companies handling big data would always be a target. However, such attacks require months of effort and high technical abilities which are not very common.” Nevertheless, he believes that there is another, more common category of cyber criminals, especially in African countries, who look for quick wins. They would usually target youngsters, for example through ‘sextortion’, or people of medium or high net worth, and would try to divert their funds by intercepting their communication with their respective banks.
Impact on businesses
Pravesh Gaonjur reveals that the impact of cybercrime on businesses in Mauritius is quite considerable, based on the number of digital forensics cases they have been handling for corporates. He states that the incidents in which Mauritian businesses lose huge amounts of money fall mainly into the following two categories. The first is ransomware, where data gets encrypted and victims have to pay in cryptocurrencies, mainly Bitcoin, to recover it. In this case, hackers request at least 1 Bitcoin to release the client’s data. As of today, a Bitcoin is worth approximately $6,568. The second category is hackers sending spoofed email requests containing seemingly legitimate money transfer demands. “Most clients coming to Tylers for this type of incident have lost at least Rs 1 M to hackers. Tylers has handled more than 10 such cases in 2018. If I extrapolate cases that we have not handled and cases that have not been reported, we can easily come to a large number where Mauritian businesses have suffered financial losses.”
He indicates that many corporates do not budget for Information Security in their businesses. “Security is always an after-thought. However, business executives need to understand that since the internet has no borders, everyone is at risk. Board executives need to understand that they, not IT managers, are accountable for Cyber Security incidents on their businesses.”
Banking Sector: How safe are we?
José Li Yun Fong, Head of the Information Technology Division at the Bank of Mauritius, maintains that, as is the case with the use of any online system or web-based platform, the same risks and vulnerabilities apply to internet banking. “This being said, internet banking systems boast a much higher level of built-in security as banks want to ensure that the online systems they put at the disposal of their customers are safe and secure. This often means that banks are continuously looking at the improvement of online banking platforms in order not to jeopardise their reputation, especially by having recourse to the best and latest security solutions available on the market.”
He argues that in Mauritius, the widespread use of two-factor authentication provides a good layer of protection against hacking. “Through this method, a One-Time Password (OTP) is required over and above the log-in credentials. The OTP is a unique code that is sent to the user’s mobile phone and which must be inserted to have access to the internet banking platform. This method constitutes one of the best security options as the OTP is generated on a dynamic basis. This means that the same code is never generated twice and that it expires if not inserted for log-in within a given time frame. In addition, the fact that physical access to the user’s mobile phone is required makes it virtually impossible for fraudsters to avail themselves of the OTP.”
On the other hand, Sylvain Martinez highlights that the security of the banks’ infrastructure is usually very good and that banking is one of the sectors that is the most regulated and invests the most in cyber security defences. According to him, the most common cyberattack in the banking sector is phishing. “The most common phishing attack will ask the victim to click on a link or open a document, and in the process, attempt to steal the victims’ user name and password.
This attack can then be used to gain unauthorised access to the victim’s email or company’s network. Another very common phishing attack will often be an urgent request for a bank transfer to be done with a few changes, for example, pretending to be a client with a new bank account. They are much more focused attacks and are what we call spear phishing attacks. It is very hard for a company to completely be protected against phishing attacks and it is why user awareness on this type of attack is very important.”
Additionally, he affirms that most banks nowadays enforce dual factor authentication when it comes to authorising transfers. “This usually takes the form of a traditional password and the use of an additional small physical device that looks like a calculator to generate PIN codes to answer the bank’s security questions/challenges.”
In this digital era, it is high time for everyone in Mauritius, from individuals to corporates, to adopt some best practices. Pravesh Gaonjur avers that if the best practices are implemented, executives will have the means to protect their businesses. “An SME can go bankrupt with a single cyber security incident. Even big companies are at risk despite their existing security controls as the threat landscape is always evolving. These controls therefore need to be constantly updated and audited on a yearly basis as recommended by International best practices and standards.” Experts recommend the following:
Good IT hygiene
The best practices to be safe from cyber-attacks start with good IT hygiene, which means the IT infrastructure and computers should be kept up to date, with minimal access rights given and only essential services and applications running, says Sylvain Martinez. “Some basic security controls should be implemented such as having an up to date anti-virus, a firewall, a strong and application/system specific password.” He further adds: “Think before you click. Indeed, user awareness is key to both your personal and corporate cyber protection.”
Information Security Awareness Training and Information Security Audit
Pravesh Gaonjur says that it is crucial for business executives to understand the different types of cyber threats and crimes. “This can be done through an Information Security Awareness Training, which is one of the best practices recommended by International Standards such as ISO 27001.” He adds that once they understand those threats, they need to conduct an Information Security Audit to identify the risks to their business in case those threats materialize. ISO 27001 recommends that audits be conducted at least once a year.
He advises companies to conduct a PenTest to identify the level of security of their IT Infrastructure. “A PenTest (short for Penetration Testing) is a technique whereby a CyberSecurity firm such as Tylers will impersonate a hacker (BlackHat) to infiltrate a business’s IT Infrastructure. The idea behind is to identify loopholes, vulnerabilities and flaws that hackers can exploit to gain access to critical data. This is done in agreement with businesses under a specific and defined scope of work whereby all their data’s safety is ensured.”
Being safe starts at home
It’s true that we can no longer think of life without technology, argues Subheer Ramnoruth. “We should take the right steps to protect us. Let’s start with the kids. They are innocent and can be easy victims for online predators. Thus, it is not advisable at all to provide them with tablets or phones without supervision. There is also filtering software that may be used to keep harmful content away from kids. For the teenagers, education and communication with parents is the best approach.”