Public Consultations Ignored when coming up with IT Security Policies-Wahome

George Wahome, IT risk manager and information security specialist

 

Technology played a central role in the just-concluded general elections in Kenya, which have since been nullified. Kenya is also a tech hub in Africa, with most of its processes having been automated. With so many important processes revolving around technology, it is only natural that people will be concerned about cybercrime, which has been a thorn in the flesh for users in the country.

TechMoran had an interview with IT risk manager and information security specialist George Wahome, who helped shed light on the current IT security situation in the country and the part of public participation in coming up with the right policies.

TechMoran: Describe a typical day for an IT risk manager and information security specialist.

George Wahome: A typical day involves an early morning, typically 4:30 a.m., and thereafter preparation to head to the office to catch up with the happenings in cybersecurity before the usual day activities start. Non-working days are not any different as usual routines apply – this can be perceived as being a workaholic, however these are some of the perks of working as an information risk and security consultant in such a dynamic field. The hours that follow are a combination of meetings, reviewing deliverables of on-going projects, drafting proposals, coming up with new approaches to information security challenges that clients face and conducting proofs of concept for sales pitches.

TM: What approaches do you use to ensure that the organization you are working for is guarding itself against cybercrime?

GW: The cybersecurity challenge is becoming an IT Security practitioner’s motivation to deliver change. The three aspects of it; people, process and technology are inherently vulnerable depending on organizations at varying percentages. The greatest task is to create awareness across the organization, as the human aspect is always the weakest link that lowers security maturity on process and technology. Be it, competence to convince on the need for higher budget to address key controls to ensuring compliance to security governance controls is measurable. My approach to cybercrime revolves around building capacity and skill sets required to collaboratively address the challenge through consulting for various companies.

TM: What are the best tools to use to ensure an environment free of cyber-crime in an organization?

GW: As alluded, technological tools are just enablers for control enforcement and are therefore as good as the people who use them or configure them. The corporate culture has a lot more to do with exposure an organization has compared to technology deployments in the IT environment; hence the best tools should revolve around maturing the security governance through real-life examples of what could go wrong. I have done consultancy work across 9 countries in Africa and essentially the goodwill to deliver change is pegged on the resilience of the driver of change. Many tools are designed to provide cyber resilience since it is apparent that offensive security will always be steps ahead of defensive security approaches/tools such as SIEM, DLP, UTMs, IDS/IPS etc. but I always question the maturity of the deployments and if indeed there is value on investment in as far as achieving proactive detection and mitigation of threats is concerned. Moving from compliance to security focus requires adequate tooling/enablement through the information of the stakeholders from top down and bottom up.

TM: What are some of the milestones that Kenya has achieved as far as cyber security is concerned to make your work easier?

GW: Kenya since the promulgation of the new constitution in 2010 has made commendable progress in creating a favorable environment to drive cybersecurity agendas. The development of a National Cyber security strategy amongst other policy, standards, regulation and legislation initiatives such as National ICT Masterplan (undergoing implementation) and Cyber-crime bill (in draft) is a clear testament that we are in the right path. All through, ensuring public consultations are embedded in the process of drafting these documents. My only disappointment is on the extent public input is put into consideration, from experience I was one of the few Kenyans who provided significant feedback (approximately 15 areas) on the National Cybersecurity Strategy once released for public input and to my disappointment, the final copy did not reflect any of the issues raised as there was no change to the draft. Nevertheless, government agencies, citizenry and corporates can leverage on available/ ongoing development of policy and legislative documents to collaborate on various initiatives or independently develop execution paths and roadmaps.

TM: Would you say that Kenyans are aware of cyber-crime or more needs to be done?

GW: Definitely more needs to be done. The citizenry has become a target of cyber-related attacks and cases are increasing at an exponential rate based on information availed in the public domain. A recent global report by PwC indicated there is a 38% increase in detected information security incidents; the numbers have become numbing, year on year, cyber-attacks continue to escalate in frequency, severity and impact. The awareness challenge has been taken up by a collective of security practitioners going by the name, AfricaHackOn.

TM: What needs to be done as far as sensitization is concerned?

GW: There is significant public awareness and collaboration that is required to effectively respond to cyber-attacks. Notably, the national cybersecurity strategy has recognized the need to build national capability and what needs to be increased is the number of initiatives that empower the Kenyan public to be safer and secure online.

TM: When allocating budgets for their functions, most companies do not give the information security departments much money. How can an IT security manager cope in such a situation?

GW: The reality is that the information security department is a cost-center and with that in mind, the manager should create value from the allocations provided and position the objectives of the department such that they speak to the business strategy. Of significant consideration is a demonstration on reputational damage, financial impact, regulatory and loss of intellectual property; this best works through real-life simulated scenarios. The burden of proof is however on the manager to demonstrate impact and to provide a return on security investment. Of importance is internalizing the security principles and looking for smart open-source solutions to achieve the same objectives initially while working on having higher budgets approved based on need.

TM: How can one cope in an environment where there is no compliance to some of the data protection measures a manager may put in place?

GW: Data protection has always been a thorny topic in most organizations as it has become a challenge to comply with set governance measures. The basics of data protection lie in data classification and I therefore think that should be the starting point and thereafter enforcing policies defined with technology tools based on use case. A variety of commercial and open source tools such as Data Loss Prevention (DLP) are available with varied functionality. What is of most importance is to embed data protection to the staff awareness sessions, creation of a responsibility matrix based on risk posed to data as classified and devise ways of detecting and/or monitoring adherence to the relevant policy.

TM: How do you choose the security tools to use for your organization? (How do you know the best one to choose?)

GW: The choice of security tools to use is largely dependent on the objective to be achieved. I find doing extensive research on available options with a keen eye on online reviews. It is important to note that most times depending on the objective alternative non-tool related solutions come up especially related to people and process aspects of security; at times prerequisites that facilitate the maturity of the tool upon deployment. Tools are as good as the built-in functionality, use and implemented configuration.

TM: When you are asking for a tailored tool for IT surveillance, what do you look for?

GW: The importance of threat intelligence cannot be overemphasized and hence the need for a way to do surveillance/monitoring. When looking for such a solution, the ideal approach would be to work backwards, by ascertaining the outcomes; what to be reported, what devices and activities are in consideration. Thereafter, assess the available options as mentioned earlier. The decision of whether to go for an enterprise-grade commercial security incident and event management solution (SIEM) or to go open-source is dependent on the end-game, the customizations supported and solutions available.

TM: What are some of the challenges that apply across the board for IT security managers?

GW: One of the challenges for an IT security manager revolves around getting the right talent, getting buy-in from the board for security budgets, creation of metrics to assess improvements in security programs and enforcement of security controls. It is said that you cannot teach old dogs new tricks, this is one fact that has been a challenge as there is a preference to maintain status quo. Nevertheless, in these times of heightened advancements in the cybersecurity space, we have no choice but to adapt accordingly.

TM: Are more companies investing in IT security consultancy?

GW: In the wake of increase in cybercrime, companies have seen the need to engage consultancy firms in assessing their exposure. The more the incidents hit the headlines the more questions linger into just how secure the deployed information systems are, the ripple effect is creation of awareness, which is very much needed. This however, does not mean the only solution to building the capability is through acts of cybercrime in the

TM: Highlight some of the achievements you have had in the span of your career

GW: There have been a number of key milestones in my 8-year career. Moving into consultancy has been at the pinnacle of my achievements. Working in different client sites in 9 countries leading more than a dozen projects has been a combination of working long hours, satisfaction when the client appreciates the deliverables and dynamism of different cultures and perspectives. However, the most fulfilling as it is where my passion lies is ensuring a five times growth in information security business for my employer and at the same time seeing measurable progress in security maturity of my priority clients (some having a regional footprint) due to my inputs at various stages to their security program.

TM: What have been some of the most stressful moments in your career?

GW: Stress is one of the perks of being an information security consultant, therefore I have numerous moments. I say this because every project has its own dynamics and the nature of the job is such that you are required to work outside your comfort zone. The memorable one is the execution of a project for a global company whilst managing two members of my team. The job required working a minimum of 12 hours straight due to tight timelines for 2 months while doing plenty of research, planning and executing in 6 countries in Africa.

TM: What is your advice for people who want to take up this career or consultancy in the field?

GW: The advice is simple, have passion for the trade, if that lacks, it is not your ideal career choice for you. You may ask, how do I know if what I reckon is passion is good enough? Well, if you don’t spend long hours in front of your laptop (like a crazy guy) typically doing matters cyber security, then you got your answer.

Finally, a brief background, I work as a Manager with PwC’s Risk Assurance Line of Service, prior to which I worked as an Advisory Manager with EY before moving from Safaricom Limited, IT Department.

South Africans take on Mobile giants in bid to make them lower data prices

The trending hashtag in South Africa today is #DataMustFall, an online campaign to protest the high charges for the data that enables users to enjoy the internet.

The online campaign will complement the offline protesters, who are marching to the doorsteps of internet giants MTN, Telkom South Africa, Cell C and Vodacom to demand that the cost of data and airtime be reduced.

Tuesday’s protest march was organized by the Right 2 Know Gauteng.

“These are follow-up actions after service providers failed to act on demands that have been continuously presented to them since R2K initiated the campaign against the high cost of communications in 2013. To date none of the demands have been met,” Biko Mutsaurwa, leader of R2K told IOL news.

“Yet far too many South Africans are deprived of the basic right to communicate because of the ruthless profiteering of the big telecoms companies. High data and airtime prices place this right out of reach of the country’s poor.”

Some of the other demands by the protesters include:

  • Communications must be universal. Everyone has a right to communications that are available and affordable.
  • All SMSes should be free as they cost the operators almost nothing to transmit.
  • Everyone should get a free basic amount of airtime and data, in the same way as free basic water and electricity.
  • Icasa must regulate the cost of airtime and data to stop profiteering.
  • Prepaid communication users should not cross-subsidise post-paid users.
  • Data bundles should not expire if they are unused.
  • Cellphone companies must improve the quality of service, including network outages, dropped calls, calls that don’t connect and data coverage.
  • The range of numbers that are free to call (like police and ambulance) should be increased to include schools and hospitals.

Bringing down East African commercial debt costs with data science

By Jim Savage, Data Science Lead at Lendable Inc.

Securing debt financing to grow a medium-sized lending business in East Africa is not easy or cheap. Interest rates are high—often north of 25% a year in local currency terms—deals take a long time, and pre-financing requirements are onerous.

A few factors contribute to these problems. East Africa’s credit bureaus are a recent phenomenon and still underutilised and underdeveloped (though this is improving) and so lenders often don’t have a good idea of how likely a borrower is to repay on its debt. Resolving this uncertainty requires thorough investigation into the firm borrowing (so-called due diligence) by lenders, and these due diligence costs get baked into higher interest rates. Similarly, banks—who have the best information on their customers’ ability to repay on debt—face low deposit rates, necessitating costly external financing.

New technologies are helping to bring these costs down. One such solution, which I have helped build, is the Lendable Risk Engine.

One of the many beautiful aspects of East Africa as a business destination has been the phenomenal uptake of mobile payments. M-Pesa and the like have resulted in high-quality, externally verifiable data on the actual cashflows flowing into mid-sized ‘alternative lender’ businesses (the sorts of non-bank lending businesses we mostly work with). When an end-customer borrows from an alternative lender, they typically repay their loan with mobile payments. To handle these payments, alternative lenders have had to invest in sophisticated management information systems. These systems contain information that can result in swifter, fairer financing—all it takes is the right approach to analyse the information they contain.

The Lendable Risk Engine is a set of systems that can plug into alternative lenders’ databases to help make sense of all the data. The system first converts the alternative lenders’ data into Lendable’s proprietary format. Because all our alternative lenders’ data is then in the same format, it makes it straightforward to deploy our analysis libraries and models, illuminating risks and opportunities in a particular alternative lender’s portfolio.

The first set of analyses answer “how does the business currently work?” sort of questions. These are the questions that we are very commonly asked by clients and investors, and which used to take a long time to answer. Today this analysis is all automated; what once took weeks now takes minutes.

The second set of analyses ask questions like “how do we think the business will perform over the next 2 years?” To answer these questions, we’ve built a prediction platform that makes use of cutting-edge Bayesian machine learning techniques. It generates hundreds of predictions for every loan on our clients’ books for every month into the relevant future. This allows us to gauge the likely future loss rates (and uncertainty about loss rates) in a debt portfolio. Again, this is almost completely automatic. What used to take a month or two now takes a day.

The Lendable Risk Engine helps highlight risks in a deal, and minimizes the information gap between lenders and borrowers—reducing borrowing costs. But we’re not done yet. We want to make it as easy as possible for alternative lenders to make use of our tech. A big part of that is to minimize the amount of data that is required to make high-quality financing decisions, reducing the amount of time it will take to “plug in” the risk engine to alternative lenders’ systems.

In many ways, mobile money (and the information it generates) is allowing finance in East Africa to leapfrog the west. Firms like Lendable, unencumbered by legacy tech, are able to make use of this information. That means fairer, faster debt financing for borrowers, and ultimately a more mature financial system in East Africa.

Jim Savage

Data Science Lead

Lendable Inc.

Jim is a data scientist, econometrician, and empirical finance geek. Most recently, he worked at Australia’s Grattan Institute, where he worked on policy design to help improve efficiency in Australia’s retirement income savings system. Before that, he worked in the Australian Treasury’s Macroeconometric Modelling Unit, working extensively on carbon pricing in Australia. In 2014, he was a fellow at the Eric and Wendy Schmidt Data Science for Social Good summer fellowship, at the University of Chicago.

Safaricom-backed mSurvey launches Consumer Wallet to mine SMS & mobile money data for customer spending habits

Getting reliable data on consumer spending is almost impossible in Kenya and other informal markets across Africa, as there is no data collected on how informal consumers spend, who else is serving that same market and if there are any changes in customer spending behaviors.

Instead of letting businesses buy data which might be out of date, or conduct their own study, which is expensive and time-consuming, Safaricom-backed mSurvey, an SMS surveys platform, has launched Consumer Wallet to quantify offline consumer spending habits and trends.

The mobile platform was first piloted in March 2017 with potential clients and corporate partners in Kenya and after several months it has been launched to the general public.

The platform works simply.

mSurvey leverages SMS to measure the cash-based spending drawn from Safaricom’s mobile subscribers. The data is then fed into the Consumer Wallet database, benchmarking preferences and expenditures on various items. With this data, clients can tell how consumers in their target segment spend, what else they are spending on, and how or when their spending behaviour is expected to change.

With the data, FMCGs among others will know what their target customers are buying, how much they spend on the commodity and how they paid. Clients will know customers’ monthly average amount spent per person, the method of payment (purchases made with cash, mPesa or credit card) and the wallet share, among others. A company can truly understand the dynamic consumer and know how much a client spends on food, how much goes toward bills, transport, airtime, alcohol, entertainment and appliances, among others, and what trade-offs she makes.

Supporting this initiative Sylvia Mulinge, Director – Consumer Business, Safaricom said, “Consumer Wallet addresses a pressing business challenge by providing real time collection, assessment and analysis of data. With the world currently undergoing an information revolution, it is essential that businesses in Kenya have the tools that offer the same advantages as those in Silicon Valley.”

And though Safaricom hasn’t updated its user terms and conditions to state that customer data will be used and sold to clients, Consumer Wallet will empower businesses with the requisite insights to arrive at more strategic decisions, and with a deeper understanding of their customers’ needs. The service will be available on both a subscription and license basis.

A majority of the country’s consumer spending happens at informal businesses, which presents an information gap for businesses looking to explore business opportunities in the sector. Consumer Wallet plugs this gap by providing unprecedented insight into the spending habits of such “offline” consumers.

How Cambridge Analytica deployed its toughest data machinery in the 2013 Kenyan presidential election

Cambridge Analytica, the controversial data-driven political consultancy firm which helped Trump ascend to power and, most recently, in the BREXIT referendum vote, is boasting of the work it did in the 2013 Kenyan presidential election.

Using data to find, understand, engage with and persuade voters, CA has boasted how it offered a fully end-to-end campaign package for a presidential candidate (Uhuru Kenyatta, pictured in a cap in the case study) in the 2013 General Elections, even as sources close to the presidential campaign team arrogantly deny it.

“Ahead of the 2013 Kenyan presidential election, CA designed and implemented the largest political research project ever conducted in East Africa. Sampling and interviewing 47,000 respondents, CA was able to draft an effective campaign strategy based on the electorate’s real needs (jobs) and fears (tribal violence),” the firm posted in a case study on its website.

According to the firm, the challenge was that the 2013 general election was the first after the infamous 2008 post-election violence and the country had just had a new constitution, among other fears.

The firm said it was contracted by a leading Kenyan political party to help shift things around.

“The aim was to provide the party with a comprehensive plan to shape its election strategy,” the firm announced. “We worked with a local research partner to train a diverse team of enumerators to ensure regional variations in language and social customs were respected during data collection.”

Cambridge Analytica then embarked on a nationwide data collection spree over the space of three months and an overall sample of 47,000 was achieved.

The result: CA profiled the Kenyan electorate, including key national and local political issues, levels of trust in key politicians, voting behaviours/intentions, and preferred information channels. To connect with this audience, CA’s communications and strategy team devised an online social media campaign to generate a hugely active online following.

Though it’s fine for a firm to engage consultants for their political campaigns, CA is infamous across the world for its unorthodox methods on voters, opposition, and trends and use of voter behavior for finding, understanding, and persuading them to vote a certain way.

The firm uses the data from both public and private sources to segment voters into distinct audiences to deliver highly targeted experiences to prospects and sway regions to convince and influence their voting behavior. The firm even uses psychographic analysis to engage audiences, profile lookalike prospects among others for targeted advertising across desktop, mobile, tablet and connected TV devices through display, video, Facebook, Twitter, native, audio, interactive and search.

“We use full cross device placement to reach your customers wherever they are. We also match our target audiences to TV set-top box data to optimize linear broadcast media buys. We ably place digital and TV ads to bring your candidates closer to their electorate. The visuals and language in each piece are crafted to engage voters emotionally and impactfully,” says the in-depth audience targeting firm.