An Assessment of the Awareness of Cyber security challenges of Small and Medium Enterprises in Arusha

A Case study of Habari Node Ltd

This research paper is submitted in partial fulfillment of the requirements of the Award of a Masters of Business Administration in Information Technology.

Supervised by Mr. John Pima

September, 2011

In Collaboration with the Institute of Accountancy Arusha

Abstract
This study was prompted by the recent connectivity of Arusha town to the fibre cable in Dar-es-salaam namely the Seacom and Essay fibre cable in May, 2010. This enhanced connectivity significantly improved the downloads and uploads speed of traffic to and from Arusha consequently greatly improving the users experience of Internet related services now traveling at lightening speeds. This opened up the possibility of effectively using internet related business services like online tax processing, banking and educational services that were previously to slow too run on satellite (VSAT) or dial-up links and triggered a need or awareness for businesses in Arusha to start using as well incorporating more Internet related business services in their daily operations to effectively compete. Unfortunately with this improved connectivity and subsequent increase in business opportunities could also have generated additional interest in the region by Cyber (Internet related) crime perpetuators as well as amplified exposure to Cyber threats as connecting to machines in Arusha from anywhere in the world had become faster and easier. The consequences of these threats/attacks are well-known: violation of privacy, theft of information, the potential for a devastating large scale network failure, service interruption, or the total unavailability of service. This change therefore passes a question to small and medium enterprises/businesses (SMEs) in Arusha; as to whether they are adequately prepared to meet this new challenge and if not what could these SMEs do about it? This research therefore set out to assess the efforts of SMEs in Arusha in the realm of cyber security. Attention was directed to SMEs because SMEs the engine of the national economy and account for over 95% of organizations and 60-70% of employment (OECD, 1997). When approaching this problem, the researcher noted that though in the past; traditional definitions of cyber security have been to design strong cryptography into information security systems. Only protecting confidential information as a motivation for cyber security may not be entirely appropriate for SMEs. More so there had been increasing interest in other sectors of security, namely geopolitical, economic and human previously considered by many as non-traditional
2

security issues. Implying the location of such businesses, cost of preventive measures, security policies, appropriateness of the available tools, as well as the recovery or fail-over options in place could also serve as a strong motivator; for many SMEs possess neither full-bodied critical infrastructures that utilize digital control systems nor specifically staff information security specialists. Indicating that thinking about cyber security issues strictly in relation to these systems and staff would not be complete. The research then sought to determine how to best investigate and implement cyber security in SMEs, if it is not an issue solely associated with protection of confidential data. As a result this research was then carried out using a collection of methodologies requiring both the secondary and the primary data to be used for this purpose. The study conducted shows that there was a relationship between the accessibility of internet, incidences of cyber-attacks, awareness of cyber threats and the organization size. So although the online survey revealed that while most Arusha SMEs do access the internet and rely heavily on the Internet many lack the internal resources, formal policies, employee training, and technologies they need to protect this critical information. To further compound matters most own websites that they use to attract customers to their business as well as routinely handle confidential and proprietary data. However the vulnerability scans showed some level of protection; the results from recorded intrusion attempts highlighted an almost aggressive assault on any device reachable via the Internet. Implying it was quite possible that a substantial number of accessible online systems may have already been compromised. The major difficulty in affirming this was due to the absence of records illustrating these breaches as little effort was being made to record these incidences due to the ensuing panic/crisis after a cyberattack/breach.

Keywords Awareness, Challenges, Cyber security, Information Security, Internet, SMEs.

Acknowledgement
The successful completion of any trying and extensive task would be incomplete without mentioning the names of persons who helped to make it possible. I would like to take this opportunity to express my gratitude in few words and respect to all those who helped me in the completion of this dissertation. To begin with, I am extremely grateful to Allah for his generous blessing and abundant mercy for the opportunity to do this course and at all the stages therein culminating in the completion of this dissertation. I convey my heartiest thanks to Mr Erik Rowberg, the managing director of Habari Node Limited, who generously supported and granted me the opportunity to do this study in the most established, respected and highly regarded ICT Company in Arusha. I would also like to express my deep sense of gratitude to my supervisor Mr John Pima, for his support during this research study and guidance to enable me successfully complete this dissertation. Not forgetting my sincere thanks and heartfelt gratitude to my friends, colleagues, fellow students and comrades for giving me timely advice in all the ways and in all aspects that have enabled me to reach this far and for the success of this dissertation. Finally to my family who have may have felt my absence; it is my sincere prayer that this struggle was worth the time away from you.

Declaration
I declare that this dissertation was composed by myself and that the work contained therein is my own except where explicitly stated otherwise in the text, and that this work has not been submitted for any other degree or professional qualification except as specified.

Date: September 2011

Ismail M. Settenda MBA-IT 0027/T.2010

Copyright Acknowledgement I acknowledge that the copyright of this dissertation belongs to Coventry University.

Glossary of Terms
This part of the document is to provide acronyms and definitions of some of the key words used in this dissertation. Application - Software whose primary purpose is to perform a specific function for an end-user, such as Microsoft Word. AICC Arusha International Conference Centre ALMC - Arusha Lutheran Medical Centre AIXP - Arusha Internet Exchange Point ATM - Automated Teller Machine CEO - Chief Executive Officer Cracker (a.k.a hacker) - The correct name for an individual who hacks into a networked computer system with malicious intentions. The term hacker is used interchangeably (although incorrectly) because of media hype of the word hacker. A cracker explores and detects weak points in the security of a computer networked system and then exploits these weaknesses using specialized tools and techniques. CRDB - Centenary Rural Development Bank Cyber - Prefix commonly used to indicate some association with the internet. Cybercrime - A criminal offense that involves the use of a computer network. Cyberspace - Refers to the connections and locations (even virtual) created using computer networks. The term Internet has become synonymous with this word. EISAM - Enterprise Information Security Assessment Method Gateway (Router) - A network node connected to two or more networks. It is used to send data from one network (such as 137.13.45.0) to a second network (such as 43.24.56.0). The networks could both use Ethernet, or one could be Ethernet and the other could be ATM (or some other networking technology). As long as both speak common protocols (such as the TCP/IP protocol suite), they can communicate. GDP - Gross Domestic Product HMS Hospital Management System
6

HNL - Habari Node Ltd Host: Same as a node. This is a computer (or another type of network device) connected to a network. IAA - Institute of Accountancy Arusha ICT - Information and Communications Technology IFMS - Integrated Financial Management System Internet: A global computer network that links minor computer networks, allowing them to share information via standardized communication protocols. Internet Service Provider or ISP: An organization that provides end-users with access to the Internet. Note: It is not necessary to go through an ISP to access the Internet, although this is the common way used by most people. IP - Internet Protocol IS - Information Systems ISP - Internet Service Provider IT - Information Technology IXP - Internet Exchange Point LAN - Local Area Network MCT - Ministry of Communications and Transport MD Managing Director NICTBB - National Information Communication and Technology Broadband Backbone NECTA National Examinations Council of Tanzania NGO - Non-Governmental Organisation NTP - National Telecommunications Policy PCIS - Personnel Controls Information System PoP - Points of Presence
7

PRSP - Poverty Reduction Strategy Paper PSTN - Public Switched Telephone Network R&D - Research and Development Search Engine - An Internet resource that locates data based on keywords or phrases that the user provides. This is currently the main method used on the Internet to find information. Current search engines are Google, Yahoo, Bing, Ask, AOL search, etc. SEDA - Small Enterprise Development Agency SIDA - Swedish International Development Agency SME - Small and Medium Enterprises SWOT - Strengths, Weaknesses, Opportunities and Threats TRA - Tanzania Revenue Authority TCC - Tanzania Communications Regulatory Authority TIC - Tanzania Investment Centre TTCL - Tanzania Telecommunications Company Limited VoIP - Voice over Internet Protocol VPN - Virtual private network VSAT - Very Small Aperture Terminal WWW - World Wide Web; also shortened to Web. Although WWW is used by many as being synonymous to the Internet, the WWW is actually one of numerous services on the Internet. This service allows e-mail, images, sound, and newsgroups.

TOC
Abstract................................................................................................................................. 1 Acknowledgement ................................................................................................................. 4 Declaration............................................................................................................................ 5 Glossary of Terms................................................................................................................. 6 TOC ...................................................................................................................................... 9 List of Tables ...................................................................................................................... 11 List of Figures ..................................................................................................................... 11 List of Appendixes ............................................................................................................... 12 Chapter One; Introduction ................................................................................................... 13 1.1. Background........................................................................................................... 13 Background to the problem ............................................................................ 13 Background on Habari Node Limited ............................................................. 18

1.1.1. 1.1.2. 1.2.

Purpose of the study ............................................................................................. 20

Statement of the problem ............................................................................................. 21 Research Objective ...................................................................................................... 22 1.3. 1.4. 1.5. Significance of the Research ................................................................................ 24 Limitations and De-limitations of the Research ..................................................... 25 Chapter Summary ................................................................................................. 25

Chapter Two: Literature Review .......................................................................................... 26 2.1. Introduction ........................................................................................................... 26

Defining Accessible Information Systems and Cyber security ...................................... 30 2.2. 2.3. 2.4. Relevance of Theories and Principles of the Study ............................................... 33 Empirical Review .................................................................................................. 37 Chapter Summary ................................................................................................. 42

Chapter three: Research Design and Methodology ............................................................. 44 3.1. 3.2. Research Design .................................................................................................. 44 Methodology ......................................................................................................... 51 9

3.3. 4.0 4.1. 4.2.

Chapter Summary ................................................................................................. 55 Chapter Four: Data Analysis and Discussion ............................................................ 56 Introduction ........................................................................................................... 56 Findings, Analysis and Discussion ........................................................................ 56

Findings ....................................................................................................................... 56 Analysis of Findings ..................................................................................................... 65 Discussion ................................................................................................................... 71 4.3. 5.0 5.1. 5.2. 5.3. Chapter summary ................................................................................................. 74 Chapter Five: Conclusion, Recommendations and Further Research ....................... 75 Introduction ........................................................................................................... 75 Recommendations ................................................................................................ 76 Critical review ....................................................................................................... 78

Concluding remarks ............................................................................................................ 79 References ......................................................................................................................... 80 Appendix ............................................................................................................................. 84 Glossary .......................................................................................................................... 84 Questionnaire .................................................................................................................. 86 Research Schedule ......................................................................................................... 94 Research Budget ............................................................................................................. 95 Respondents Comments A Recent Attacks/Threat ....................................................... 96 Respondents Comments B- Improvements ..................................................................... 97

10

List of Tables
Table 1: Tanzania Internet Usage and Population Growth .................................................. 13 Table 2: Categories of SMEs in Tanzania ........................................................................... 27 Table 3: Sample List of SMEs in Arusha ............................................................................ 28 Table 4: Vulnerabilities, Threats, and Attacks Categories Summary ................................... 32 Table 5: Perceived Trend of Cyber Attacks/Threats ............................................................ 61 Table 6: Top 15 Noted Cyber Attacks ................................................................................. 62 Table 7: Random Vulnerability Scan Results ...................................................................... 63

List of Figures
Figure 1: Tanzania Fibre and Microwave Network Coverage:2005 ..................................... 14 Figure 2: The Cyber Attack Process.................................................................................... 17 Figure 3: An Example of EIS score from assessment of two companies ............................. 35 Figure 4: Vulnerability Possibilities ...................................................................................... 41 Figure 5: Model of Security Relationships ........................................................................... 42 Figure 6: Outline of the Case Study .................................................................................... 44 Figure 7: Companies Employee Count ................................................................................ 66 Figure 8: Internet Dependency of SME's ............................................................................. 66 Figure 9: Percentage Use on Internet by Employees .......................................................... 67 Figure 10: Internal Internet Use........................................................................................... 67 Figure 11: Percentage Satisfaction of SME's on Current Measures in place ....................... 68 Figure 12: Frequency of I.T Checks .................................................................................... 69 Figure 13: Current Protection Measures.............................................................................. 69 Figure 14: Sources of I.T Security information .................................................................... 70 Figure 15: Trend of Intrusion Attempts ................................................................................ 71 Figure 16: Compromised networks...................................................................................... 72 Figure 17: Use an Internet Policy ........................................................................................ 72 Figure 18: I.T Check-ups..................................................................................................... 73 11

Figure 19: Ease of Access to information ............................................................................ 74

List of Appendixes

i. ii. iii. iv. v. vi.

Glossary Questionnaire Research Schedule Research Budget Respondents Comments A Recent Attacks/Threat Respondents Comments B- Improvements

12

Chapter One; Introduction

1.1. Background

1.1.1. Background to the problem We now live in an era known as the Information Society or Information Age as for almost half a century the importance of computers for citizens, organisations, governments and society as a whole has been growing. At the same time, the importance of intellectual asset flows, such as information and knowledge, has also been growing at the expense of material asset flows (Sveiby, 1997), thus the frequently used term these days information is power (Rogers, 2010). Consequently in the drive to remain competitive; information systems have to a large extent become integrated in industry operations and business systems fostering the growth of networking technologies that offer tools for making communication and sharing of information more efficient and faster than before i.e. emails, chat, and VoIP etc. This has culminated in the incorporation of the Internet into business operations as the Internet is quickly becoming the major infrastructure for information in almost every level and arena in society, e.g. electronic business and electronic government. Table 1: Tanzania Internet Usage and Population Growth Year 2000 2002 2005 2009 Users Population 50,000 14,712,000 500,000 13,874,610 820,000 12,247,589 520,000 41,048,532 Source: (ITU, (2010)) % Penetration 0.3 % 3.6 % 6.7 % 1.3 %

From the table above Internet usage statistics show 520,000 Internet users as of June, 2009, 1.3% of the population (ITU, (2010)) more recently TCRA reported that as of June 2010 they were 4.8 million Internet users in Tanzania (T.C.R.A, 2010). This huge jump in Internet usage was the main drive for improved connectivity leading to the milestone landing of the submarine cables namely Seacom (Seacom, (2009)) and thereafter Essay fibre cable in Dar-e-salaam in
13

April, 2010,(WIOCC, 2010). Arusha soon followed in May, 2010 as NICTBB completed its first phase (Security, 2010, Mutarubukwa, 2010). Figure 1: Tanzania Fibre and Microwave Network Coverage:2005

Source: (ITU, (2010)) Consequently today in Tanzania many industrial sectors or functions of society namely; the taxation authorities i.e. TRA (Mbonea, (2010)), the banking sectors has banks like CRDB, NBC, healthcare institutions like ALMC uses an HMS called Care2X, educational institutions like NECTA, NGOs like SEDA and SIDA, Tour companies/operators as well as many other national associations are now using or are planning to use the Internet as its major communication infrastructure. However, the networking and interconnection of systems can significantly increase an organisations or an enterprises exposure to information security risks (Weiss 2001) and can
14

result in an Internet leak; which occurs when a party's confidential information is released to the public on the Internet. To best illustrate this In April 2010, WikiLeaks; a non-profit media organization dedicated to bringing important news and information to the public (http://wikileaks.org/) caused an international uproar when they published gunsight footage from the 12 July 2007 Baghdad airstrike in which Iraqi journalists were among those killed by an Apache helicopter, as the Collateral Murder video in addition to other publications like the Afghan War Diary, (a compilation of more than 76,900 documents about the War in Afghanistan), Iraq War Logs, U.S. State department diplomatic cables that were previously not available to the public leading to worldwide criticism and claims by several U.S. government officials that WikiLeaks exposed classified information that harmed national security as well as compromised international diplomacy. So it holds true for Arusha as well that in almost every level and arena in society, information security is becoming an important and crucial issue. It should be noted that in Arusha like the rest of Africa, the Internet penetration is far behind that of the rest of the world. The penetration rates vary across the continent with northern Africa, South Africa and several Islands being at the top, with a maximum penetration of just under 36%. (Kristina Cole et al., 2008). Another report by Internet World Statistic gave even lower figures as seen below:

Source: (Internet-World-Statistics, (2011)) Nevertheless many SMEs in Arusha also gain a competitive edge by using the Internet to do market research, find information on competitors and track down leads for new customers, or provide better customer support so they are likely the dominant force behind the Internet
15

usage in Arusha. If Tanzania had 676,000 Internet users as of Jun/10, 1.6% of the population, of which 319,440 Facebook users on June 30/11, 0.7% penetration rate as per ITU. Then SMEs are likely the major users/drivers of this internet usage. In addition Small and Medium Enterprises (SMEs) are the engine of the national economy and represent over half of all employees in the private sector So it should be noted that SMEs as significantly contribute to the economy and comprise the majority of the businesses and internet users in the country. (OECD, 1997). Then their importance to the development of this nation cannot be understated or ignored nor discussed without consideration of the information systems and measures that are in place to protect these systems. The Cyber Security Challenge Therefore potential network vulnerabilities, threats, and attacks in SMEs must be identified to minimize security concerns. In this study Cyber is most times limited to Internet related technology its broadest meaning includes both aspects of information and telecommunications technology. System vulnerabilities refer to weaknesses in the system that can be attacked, while threats are the potential to cause damage to online networked resources. Attacks are the actual use of system vulnerability to put threats into action. Cyber security broadly refers to the protection measures put in place to prevent system hacking. System hacking is a continuous process where hackers continue to discover system vulnerabilities to develop attacks as depicted in the figure below;

16

Figure 2: The Cyber Attack Process

Source: (Promisec, 2010, Colonel Louis H. Jordan and Saadawi", 2011) As the Arusha SMEs do have such systems it therefore is still vital that accessible information systems in Arusha are adequately protected from unauthorised access to information or Cybercrime perpetuators. As the latest global threat statistics indicate that: Approximately 6,000 new computer viruses are released every month. Hackers create 50,000 new websites each week exploiting approximately 375 highprofile brand names worldwide at any time. More than 140,000 new zombie computers are created per day and used as botnets for sending spam, etc. Today about 25% of malware is designed to be spread via USB storage devices that connect directly to PCs. More than 75% of new malware is designed to infect users through the web Source:(Tabadatze, 2011) To be able to keep up with the above threats will a two pronged approach that on one scale will require coordination and vigilant continuous monitoring of ICT trends and developments by
17

policy makers, ICT service providers, market analysts, SMEs management and other stakeholders; given the potential impact of ICT use on social and economic development it is crucial for SMEs and the country at large to strive towards making the benefits (and not the hazards) of ICTs available to all people. One the other scale for I.T mangers and I.T support staff to have an accurate awareness of what is happening on a network is critical to the success of an information security program as the enemy is not sleeping. For SMEs to be able to collect all this timely information it is then important to do this with automation to allow businesses to return their attention to the core operations of their businesses. Let me end here with a quote We need timely, targeted, and prioritized information to drive security. Without it is to compare to us driving and using the rear-view mirror to guide us (U.S. Department of State, 2011). So we should not be intimidated into not driving at all but should strive to drive correctly. 1.1.2. Background on Habari Node Limited Habari Node Limited (HNL) is a dynamic Tanzanian company based in Arusha providing a range of ICT based business solutions to the Tanzanian market. HNL was formed by AFAM Limited together with Arusha Node Marie in 2010 to take over the Internet Services activities of Arusha Node Marie, a society that has been operational since 1994. Habari Node is now incorporated under the Tanzanias company act 2002 with Certificate of Incorporation number 75466. HNL is a licensed data operator with National Application Services License providing high speed data and internet connectivity with 99.5% service uptime. Last mile connectivity is through DSL and direct fibre connectivity in the Arusha CDB and Broadband Wireless in the surrounding areas. In remote sites and offer backup facilities through iDirect VSAT platform. Their scope of services at HNL include standard ISP services including bandwidth, DNS, domain registration, domain, web, and email hosting services, as well International Voice over IP calling service. Habari Node has a board of directors which oversees the operations of the company. The day to day activities are managed by a team of functional managers supervised by the Managing Director. Currently HNL employs over 50 staff who manage daily technical,
18

business and administrative operations of the ISP. At least half of the employees are technical staff in different areas of IT with over 6 years work experience (Habari, (2011)). As they are expanding (ArushaTimes, 2011) it appears that the application of ICT services is at the threshold of a new era due to the international fibre cable reaching Arusha, and consequently opening up new opportunities. They serve home users, government institutions, businesses, agencies, NGOs and other ISPs in Arusha and their coverage extends all over Tanzania and they have the widest reach in Arusha as well as leading market share of the Internet users in Arusha and are therefore a suitable company to channel our cyber security initiatives. SWOT Analysis of Habari Node Ltd. Strengths;

Known presence in Arusha Broad subscriber ship and large Arusha user base. Renowned for good technical support and service. Have necessary equipment and infrastructure in place Centrally located in the city Host AIXP and encourage inter-cooperation between local ISP's Management advocates for diligence and encourages innovative ideas

Weakness

Too focused on only Internet provision. No cash for expansions and equipment purchases Poor or no marketing strategy Questionable technical competence of staff Only based in one location - Arusha
19

Opportunities

Expansion to other areas as the Companies reputation is marketable. Large and under-utilised ICT market in Tanzania. Provision of alternative ICT services namely;

Web design and Content Management Services Co-locating servers services Data entry and Call Centre services Underground cabling services.

Expansions into areas not necessarily in ICT but complement ICT. i.e. teaching

Threats

Competition from other similar service providers in the region. Complacency or the feeling that we good enough. Damage to equipment by electrical surges, theft etc. Political influence-peddling, interference or sabotage

1.2. Purpose of the study The main purpose of this project is to explore how the Small and Medium Enterprises (SME) in Arusha in light of the recent fibre connectivity were challenged by the new business opportunities via the Internet. As well as if there was indeed a relationship between the accessibility of internet, an increase in the incidences of cyber-attacks, a general awareness of cyber threats and the organization size. This is in appreciation of the theory that as the Internet becomes the major information infrastructure in most sectors; the importance of Information Systems (IS) security steadily increases. As such reaching a certain level of
20

actual IS security is vital for most businesses as businesses have to maintain a certain level of security and be able to assess the level of other actors security. However IS security is abstract and complex and difficult to estimate and measure.(Oscarson, 2007) I therefore then set out to assess the efforts of Habari Node Ltd and their clients in and around Arusha in the realm of cyber security. When approaching this problem, it is also my belief that national security as a motivation for cyber security may not be entirely appropriate for developing nations. As many developing nations possess neither robust critical infrastructures that utilize digital control systems nor highly digitized militaries, and thinking about cyber security issues in relation to these systems therefore may not make sense. I therefore sought like my predecessors to determine how to implement cyber security in Arusha, Tanzania not as an issue solely associated with national security. (Kristina Cole et al., 2008). Statement of the problem Arusha was recently connected to the worldwide fibre network via the fibre cable in Dar-essalaam namely the Seacom and Essay fibre cable in May, 2010. This enhanced connectivity significantly improved the downloads and uploads speed of traffic to and from Arusha consequently greatly improving the users experience of Internet related services now traveling at lightening speeds. This opened up the possibility of effectively using internet related business services like online tax, bank and educational services that were previously to slow to run on satellite (VSAT) or dial-up links and triggered a need or awareness for businesses in Arusha to start using as well incorporating more Internet related business services in their daily operations to effectively compete. Unfortunately with this improved connectivity could also have increased interest in the region and exposure to Cyber threats as now connecting to machines in Arusha from anywhere in the world become faster and easier for Cybercrime perpetuators. This change therefore begged the question; where businesses in Arusha adequately prepared to meet this new challenge and if not what could these SMEs do about it?

Worldwide in just a few decades, the use of IT has formalized information management and streamlined the administration of organizations. On the other hand, this development has
21

entailed a substantial dependence on IT services where few business processes can be handled manually when IT services are out of order. Deficiencies in IS security can cause direct negative consequences for business processes; production, sales, business administration, etc. due to incorrectness, delays and information leakage and in the end, can affect the business as a whole. Frequently nowadays we hear the term Global Village which seems to infer the world is a much smaller place nowadays and what happen in one corner of the globe is known in a matter of seconds at the other end of the globe. So true does this hold for the impact of say; actions that happen in one corner and have far-reaching reactions in other parts of the world. It would then be prudent to say that these days nothing is too small to ignore or too remote to not be considered a significant threat or risk these days. Thus, IS security is a significant and an important issue for SMEs and for society as a whole motivates research and practical developments in this area from a number of perspectives; technological as well as organisational and behavioural. The abstractness of IS security however, seems to indicate that the IS security area calls for conceptual and philosophical approaches when analysing the theoretical fundamentals of IS security. Compared to for example the (general) concept of risk, the concepts of IS security and IS security risk have rarely been problemised in a research question. Research Objective The description of the problem area above posed the question; Are SMEs in Arusha adequately prepared to meet this new challenge and if not what could these SMEs do about it? The researcher therefore set out to establish if there is really an emergence of a threat and if so; how it relates to the business operations of the SMEs in Arusha. As already pointed out above the internet is or will become the major information infrastructure in most business sectors and consequently involvement of Information Systems (IS) security to protect this information structure becomes necessary. This relationship is now then summarised into a comprehensive research question for this paper: Which is to:
22

Determine the information systems security readiness of SMEs located in Arusha and its significance to the success of the businesss operations? This comprehensive research question comprises the understanding of IS security as a whole. The first part is conceptual while the second its significance to the success of the businesss operations is more practical. The question might also be interesting from a philosophical point of view, but as emphasized earlier, it also has practical relevance for society. This would follow by picking a suitable candidate to attempt represent the majority of other SMEs in Arusha namely Habari Node Ltd; the leading ISP in Arusha is an SME itself that is channelling Internet to many other SMEs in the region. The research objective can then be further broken down into 3 sub-objectives; To critically assess the relevant literature on cyber security, small firms, usage/importance of the internet and information security measures that are currently being used. By assessing the current IS/IT security situation at Habari Node Ltd. By assessing the current IS/IT security situation of the clients of Habari Node Ltd To identify the vulnerabilities and potential threats that could exist at Habari Node Ltd and their clients. By running non-intrusive but penetrative security scans and vulnerability tests on already accessible online points for selected SMEs in Arusha. To propose possible measures to meet alleviate or mitigate these threats or vulnerabilities. The comprehensive research question can then be divided into three sub-questions: 1. Is access to the Internet important for business operations? a. How dependent a business operation on the internet. b. Are there I.T usage policies in place for employees using the computers and by extension the Internet in the SMEs.
23

2. Is there awareness of cyber threats; a. Are there any measures being taken to deal with these threats? b. If not how could the awareness of cyber threats get generated? 3. What implications or significance do breaches of cyber security have and how do they impact on business operations? a. What are the common vulnerabilities faced by SMEs in Arusha and how can these threats be mitigated?

These questions are mainly sequential; the investigation of cyber security measures takes place after evident and valid cyber security threats have been defined. 1.3. Significance of the Research On top of being a requirement for the fulfillment of the masters in business degree; this study aimed to create awareness and to contribute to the general pool of knowledge out there on information systems security. Though more specifically targeted the the Arusha based Internet users, I.T technicians and IT managers, in both public and private institutions where ICT is a strategic tool in enabling core business operations. These categories of actors could be interested, and thus have an understanding of cyber security and that being online introduces vulnerability. Since the significance of proper IS security for an organisation is proportional to the organisations dependence on information. An organizations IS security affects not only the organisation itself, but also its external parties (Von Solms, 1999). Not only do shared information systems and infrastructures require an accepted level of security, but also the organizations themselves must be considered secure enough to act in these e-arenas. An analogy is traffic safety; it is not enough to build safe roads, we must also have shared traffic rules and safe cars (von Solms, 1999). As well as point out to the policy makers the gaps in our legal ICT infrastructure and highlight areas that would be addressed to improve the nations ICT framework for the betterment of ICT service provisioning and usage. It should be noted the ICT is already being used as a criteria to determine countries capabilities. For example; Tanzania is ranked 120 on the networked readiness index in 20092010 in a global information technology report on ICT for sustainability out of 133 economies (Dutta and Mia, 2010).
24

Lastly it is hoped that this research will assist future researchers in the quest to carry further research. 1.4. Limitations and De-limitations of the Research The assessment was limited to Arusha town and the surrounding environ, though cyber threats by their nature where not geographically limited. Accessibility to data and the poor collection and storage capabilities of Tanzania in general were limited and therefore correct and relevant data was difficult to find. Improvising was made as assumptions were then based on fairly old data or related data. Also it did not aim to quantify the challenges or awareness in terms of figures; instead the relative values were assessed. Quantifying the scale of awareness to cyber challenges in terms of figures would have required a different approach and it would not have been possible to visualize the result in the same way. 1.5. Chapter Summary Chapter one has given a brief introduction on the dissertation, this has also given a brief on the internet growth in Arusha, Tanzania, Habari Node as a company, its activities and clientele. It has also gone in depth to elaborate the aims and objectives of this dissertation.

25

Chapter Two: Literature Review

2.1. Introduction Arusha region is found in northern Tanzania. Arusha shares its northern border with the Republic of Kenya. To the west Shinyanga region is found and to the northwest Mara region, to the northeast Arusha region borders to Kilimanjaro region, further east is Tanga region, to the south Dodoma region; where the capital city of Tanzania is situated. Arusha region combines both highland which include Mount Meru (4,566 mm. asl.) and low land. Temperatures average 21 C and lowlands temperatures average 26 C; rainfall ranges from 250 mm to 1200 mm per annum. Arusha region covers total of 86,999 sq. km. of which 3,571 sq. km (4.1%) is water. It is the largest region in Tanzania occupying 9.2% of the mainland. The last census in 1988 recorded a population of 1,351,675 individuals and the current projections for 1998 indicate 1,963,200 individuals. In comparison Tanzania total population is at 42,746,620 as of 2011 and a country area of 945,087 sq. km. The existing economic activities and industries are mining, tourism, forestry, diary, milling, brewery and other agricultural sectors. Though the activity most associated with this study seems to be tourism as the Arusha region is endowed with rich tourism potentials due to the presence of the National parks attracts a lot of visitors for outside Arusha. Although it is claimed that the tourism industry is yet to be developed properly to meet the high quality of standards required by tourists; opportunities exist in all areas of safari tours to cover game viewing, professional hunting, photographic expeditions, trekking and mountain climbing, camping safaris. As well as hotel facilities of high quality are still in demand from small private lodges, luxury tented camps, hotels. The Arusha Municipality is also a host to a number of International organisations including the International Crime Tribunal for Rwanda (ICTR), the regional secretarial of the World Health Organisation (WHO), Pan African Postal Union, the Secretariat of the East African Cooperation (EAC) and the Eastern and Southern African Management Institute (ESAMI) to mention but a few. Recent developments i.e. sprouting growth of small scale industries, local tour operators opening new offices or international tour operators setting up local branches
26

and related business activities in the area can be said to be SMEs. These developments show that the Arusha municipality is gradually becoming an economic hub and it is destined for growing businesses and is thus becoming a fast expanding city. Furthermore due to the increase in the economic and development activities the demand for office space, residential accommodation and Internet demand will definitely grow in near future.(SIDO, (2011)). According to the SME policy 2003; the SMEs nomenclature is used to mean micro, small and medium enterprises. It is sometimes referred to as micro, small and medium enterprises (MSMEs). The SMEs cover non-farm economic activities mainly manufacturing, mining, commerce and services. There is no universally accepted definition of SME. Small enterprises are mostly formalized undertakings engaging between 5 and 49 employees or with capital investment from Tshs.5 million to Tshs.200 million. Medium enterprises employ between 50 and 99 people or use capital investment from Tshs.200 million to Tshs.800 million. This is illustrated in the table below: Table 2: Categories of SMEs in Tanzania Category Micro enterprise Small enterprise Medium enterprise Large enterprise Employees Capital Investment in Machinery (Tshs.) headcount 14 5 49 50 99 100 + Up to 5 million Above 5 million to 200 million Above 200millionto 800 million Above 800 million

N.B In the event of an enterprise falling under more than one category, then the level of investment will be the deciding factor, (M.O.T&I, 2002). According to Barakat (2001), he reported that with evidence Small Medium Enterprises play a vital role in encouraging the national economic development of any country. SME produce much of the creativity and innovation that fuels economic progress and also create a lot of new jobs. 90 % of the total number of companies is comprised of Small medium enterprises in most countries, which provides an average 70% of job opportunities (OECD, 1997).

27

Furthermore SMEs account for over 95% of organizations and 60-70% of employment and generate a large share of new jobs in OECD economies (OECD, 2000). Table 3: Sample List of SMEs in Arusha
Sample List of SME's in Arusha Sector Company Name Knitwear and Garments AGAPE Women Group Plastic And Rubber Alfa Plast Mould Antique Makonde Carving Co-op Knitwear and Garments Society Ltd Antique Makonde Carving CoHANDCRAFT Operative ENGINEERING Approtec ENGINEERING Arusha Galvanising Co. (AGACO) Food Processing Boogaloo Ltd Food Processing Darsh Industries KANFRAN ENGINEERING WORKS Food Processing LTD Kilimanjaro Metal shapers ENGINEERING (KEMESHA) Mixed Products Lucha Herbalist Group ENGINEERING Mdomewo Food Processing NYIREFAMI LTD. Food Processing Pestige Industries Ltd Presidents Food and Beverages Food Processing Company Food Processing Rest Products Food Processing Roselyn Products Food Processing Rowen Natural Products ENGINEERING SIDO TDC Arusha ENGINEERING SUDERETA (ELCT) Other TEMDO

Opportunities and Threats faced by SMEs There are major incentives or opportunities for new entrepreneurs and small-to- mediumsized businesses to use the Internet because it helps reduce transaction costs and level the playing field [Evans and Wurster, 1997]. Among these opportunities for SMEs, are the wider and richer communications, expanding scope of marketing, partnering with suppliers and
28

reducing cost of operations [Drew, 2003]. With the report produced by Prerost (1998), there are many various opportunities added to SMEs, including productivity and efficiency for business process and development of new market opportunities (B2C and B2B) likewise access to global market. However, how to use the Internet as an opportunity to SMEs usually depends on the firm and business factors [Drew 2003]. These influenced factors may include; Internet knowledge; smaller firm's technical and the pace of innovation and change in the industry; the rate at which the market is growing; the structure of the industry in which the firm competes; the sources of competitive advantage for the smaller business; the strategic intent of the larger competitors; and the technical and Internet strengths of the larger competitors. Creating awareness of the new opportunities generated by ICT is still necessary in some developing countries, as well as in many of their enterprises. In particular, small- and medium-sized enterprises (SMEs) are not yet familiar with these opportunities. Nevertheless, several developing countries have already started to benefit from ICT opportunities. Outsourcing using new technologies such as IT outsourcing and BPO is a business-driven phenomenon. The rapid growth of the internet, albeit limited penetration ratio in the least developing countries including Tanzania, offers opportunities to SMEs in LDCs to compete in the global job market for outsourced products and services that combine the retail use of the telephone and computers. Description of Internet Users A survey conducted between April and June 2010 showed that there has been a significant growth in Internet usage as compared to other traditional means of communication such as the post office. The results of the survey showed that by June 2010 they were close to 5 million Internet users in Tanzania translating to about 11% of all Tanzanians. Those using Cyber cafes were only 5%, 55% were from organisations/institutions and 40% from SOHO and households (T.C.R.A, 2010). It should be noted that Arusha is one of the highest per region count on Internet use. Though on-line experiences and effective use of the Internet capabilities range greatly among SMEs and are closely linked to the educational background of users. University-educated users are more likely to use the Internet to obtain information on production technologies,
29

examine market trends and opportunities, assess the activities of domestic and international competitors, and locate potential suppliers. The survey shows that while a significant number of SMEs use the Internet for their business operations like email, research, the degree and depth of research capability is limited. However, for the few companies which do use the research function extensively, there is a clear impact on sales. Defining Accessible Information Systems and Cyber security IT refers specically to technology, essentially hardware, software and telecommunications networks. It is thus both tangible (e.g. with servers, PCs, routers and network cables) and intangible (e.g. with software of all types). IT facilitates the acquisition, processing, storing, delivery and sharing of information and other digital content. In the European Union, the term Information and Communication Technologies or ICT is generally used instead of IT to recognize the convergence of traditional information technology and telecommunications, which were once seen as distinct areas. The UK Academy of Information Systems (UKAIS) denes information systems as the means by which people and organizations, utilizing technology, gather, process, store, use and disseminate information. It is thus concerned with the purposeful utilization of information technology. The domain of study of IS, as dened by the UKAIS, involves the study of theories and practices related to the social and technological phenomena, which determine the development, use and eects of information systems in organizations and society. Mingers notes that, although technology is the immediate enabler of IS, IS actually is part of the much wider domain of human language and communication, that IS will remain in a state of continual development and change in response both to technological innovation and to its mutual interaction with human society as a whole.(Ward and Peppard, 2002) Prior to the 1990s businesses mainly used private networks to communicate to other parties but during the 1990s, something happened that made us redefine our society or economy; the spread of Internet usage. The main reason for this was the invention and spreading of the World Wide Web (WWW), which made the Internet more accessible to people who were not technically-minded or experts. This made the Internet interesting as a professional channel and information flows began to dislocate to the Internet, and so terms like the digital economy (Tapscott, 1996), electronic commerce (e-commerce) and electronic government (e30

government) were soon coined (Turban et al., 2002). Other user friendly communication functions like electronic learning (e-learning), electronic booking/reservations (e-ticketing), digital calling (VoIP) and improved data transmission etc. begun to emerge. So while Information systems are moving out of the backroom low-level support position(s), to emerge as the nerve centres of organizations and competitive weapons at the front end of businesses (Galliers and Leidner, 2003). Their use of the Internet presents a challenge to most businesses due to the amplified accessibility to sensitive or confidential information. The paradox is that the main reason for the Internet growth is that it is a public network that originally was designed for openness and flexibility, and not for security making. Information security is one of the most crucial issues in the information age. WikiLeaks showed that securing sensitive data online can be more difficult than initially realized, between the evergrowing sophistication of hackers and human errors. Cyber security is a relatively new field, as its study is directly related to the rise of digital technologies. This also means that cyber security has evolved apart from most other conceptions of security. Despite cyber securitys unique development, there is a continuing struggle to define it clearly and in such a way as to allow the definition to evolve along with digital technology.(Kristina Cole et al., 2008). The International Telecommunications Union developed a paper offering a common definition of cyber security for the World Summit on the Information Society in 2005. This paper offered three elements that cyber security often refers to: 1. Actions and measures, both technical and non-technical, with the express purpose of protecting computers, networks, software, data and other related digital technologies from all threats 2. The degree of protection resulting from the adoption of these activities and measures 3. Professional activity of implementing the above mentioned actions and measures, including research, analysis and policy development.

31

This notion of security includes protection from disruptions in confidentiality, integrity, availability, and often non-repudiation of the above mentioned digital technologies and information. There are generally two types of security, passive and active. Passive security relates to processes such as system hardening where the system defence is bolstered in such a way as to resist attack or minimize damage. Active security involves actually tracking attackers and retaliating in an effort to stop an existing attack or to prevent another. However, active security relies on the ability to verifiably identify the attacker, which is extremely difficult given the anonymous nature of communication technologies, and therefore cyber security in this context refers primarily to passive defence techniques. Such techniques do include more active measures such as early warning systems and legislation criminalizing cybercrime, as long as such measures stop short of active retaliation. Like all basic security measures, cyber security is bound by the principle that one only protects something with effort proportional to its value. Poulsen's (an international renowed hacker) Law touches on this when he said Information is secure only when it costs more to get than its worth. That is to say, a small businesss inventory database should not be secured with a multi-million dollar security program. Cyber security necessarily requires the presence of digital technology, or it does not apply. While one may create cyber security policy without actually possessing the associated technologies, there is little point, and unless acquisition of said technologies is imminent, such policy is a waste of time and effort.(Kristina Cole et al., 2008). Below is a summary of the Vulnerabilities, threats and Attacks categories. Table 4: Vulnerabilities, Threats, and Attacks Categories Summary Vulnerabilities Poor Design Technologies Applications Database Networks Threats Spam Worm Virus Malware Attacks Un-authorised Access Information Tampering Cross-site Scripting IP Spoofing

Intrusion Denial of Service (DoS) and Distributed DoS (DDoS)

Monitoring tools Spyware Insider Malicious Activities Source: (Colonel Louis H. Jordan and Saadawi", 2011)

32

2.2. Relevance of Theories and Principles of the Study Conceptual framework The studys conceptual framework attempts to shows that a relationship exists between communication infrastructural modifications and business operations and Cyber activity and highlights the importance of their vulnerability to future scenarios of changed conditions. It also shows how awareness, policy and/or technical adaptations cope with the added stresses of cyber-attacks/threats leads to adapted Information systems; and that adaptation options will, in turn, feedback to business environmental conditions. The researcher started out assuming that; there is a relationship between the improved accessibility of internet to Arusha with the increase in the incidences of cyber-attacks.

Source: Author, 2011 Finally it highlights the importance of awareness, coordination, policy and decision support in assisting with credible assessment of adaptation options, and especially in analyzing their trade-offs between business operational goals (e.g. generation of profit, minimizing damaging effects to business operational budgets, the loss of service and other components of the cyber-attacks) and developmental costs (e.g. maximizing traffic transmission, incorporating cyber security capability, increasing response capability, infrastructure modifications and
33

other related modifications). Improved decision support systems are needed to help in designing and interpreting more quantitative analyses of trade-offs between access to information and developmental costs. Model for Assessing Cyber Security Challenges in Arusha The main idea of the research was to find out the effect of the recently connected fibre to their daily operations. Controls and tools to determine if this effect was significant or not and point out the vulnerabilities and remedies to allay the effect were identified. The researcher then gathered information primarily through a literature review and extensive research over the internet. The proposed assessment method will be to use the Enterprise Information Security Assessment Method (EISAM), a comprehensive method for assessing the current state of the enterprise information security. The method is useful in helping guide top managements decision-making because of the following reasons: 1) it is easy to understand, 2) it is prescriptive, 3) it is credible, and 4) It is efficient.

The single value from an assessment is presented in the form of an EIS score. For instance, the fulfilment of information security at an enterprise according to EISAM can be presented as a percentage, see figure below;

34

Figure 3: An Example of EIS score from assessment of two companies

Source: (Soderbom, 2007) EISAM is based on four standards on information security. Together, the requirements and questions from these standards form a database on enterprise information security, herein referred to as the EIS database. Brief descriptions of the four standards included in the database are as follows. ISO/IEC 17799, Information technology Code of practice for information security management is an international standard published by ISO/IEC. EISAM uses the first version of ISO/IEC, which consists of ten high-level groups. NIST The US National Institute of Standards and Technology (NIST) has published the SP 800-26 Security Self-Assessment Guide for Information Technology Systems. This special publication (SP) is, as the name states, a self-assessment guide consisting of an extensive questionnaire. ISF The Standard of Good Practice for Information Security (SOGP) is produced by the Information Security Forum (ISF), an international association of over 260 organizations. The Standard is based on a wealth of material, in-depth research and the extensive knowledge and practical experience of ISF members, and is updated at least every two years. ISF SOGP is grouped into five high level aspects.
35

OCTAVE The Operationally Critical Threat, Asset, and Vulnerability Evaluation method is released by CMU/SEI. OCTAVE uses three catalogues of information to maintain modularity and keep the method separate from specific technologies. One of these catalogues is the Catalogue of Practices version 2.0 which is used in EISAM. It provides the means to measure an organizations current security practices and to build a strategy for improving its practices to protect its critical assets. The EIS database contains a total of 1365 entries, i.e. all questions and criteria from the four standards. Three independent dimensions of information security were identified from the theory in the EIS database. These three dimensions, which constitute EISAM, are Scope, Purpose and Time. With a foundation consisting of four well established standards on information security, EISAM makes information security comprehensible, and thus renders straightforward assessments that give easily comprehensible results(Soderbom, 2007). However, to be able to perform an assessment the EIS categories have to be expressed in assessable terms. As research methods are limited by practical challenges on gathering information in Arusha and Tanzania in general. So primarily independent tests were run then secondarily an anonymous survey was carried out in Arusha targeting small and medium enterprises (SME) (M.O.T&I, 2002) and visit a number of government entities and NGOs in and around Arusha and ask if and how they were affected by network and computer crime in the prior year and what steps theyve taken to secure their organizations. Based on the previous models of cyber security assessment the researcher developed a list of initiatives that were expected to be assessed from comprehensive cyber security assessment programs. The initiatives had to be high level enough so as to avoid technical specifics, as the technology is constantly evolving. With that in mind, the initiatives were expect to span all three security fields. By drawing specific initiatives from international conventions on cyber security that applied to my framework. i.e.; Standards and Policies for System Security Measures Cybercrime Legislation Computer Emergency Response Team (CERT/CSIRTs) Higher Education Programs
36

End-User Education Identity Theft Legislation System Certification and Accreditation Law Enforcement for Cybercrime.

Once the policies are fully approved, they should be made available to all users who are affected. Finally, all policies should be updated annually to reflect changes in organization or culture. Basic Policy Requirements Policies must: Be implementable and enforceable Be concise and easy to understand Balance protection with productivity

Policies should: State reasons why policy is needed Describe what is covered by the policies Define contacts and responsibilities Discuss how violations will be handled Source: (ECA, 2009)

2.3. Empirical Review ICT Infrastructure According to Robert Ulangas 2005 country report on Cyber security in Tanzania he hinted that ICT health was important for the economy as he pointed out that the ICT sector had seen a significant growth and matched this growth to the similar growth in the economy in that same period. Below are some statistics of the reports on the status of the ICT Infrastructure in 2005. By then only two operators were licensed to provide basic telecommunication services, namely Tanzania Telecommunications Company Limited (TTCL) the incumbent national operator and Zanzibar Telecom Limited (ZANTEL). TTCL had a national wide licence
37

(including Zanzibar) as opposed to ZANTEL, which has the right to operate in Zanzibar only until February 2005; and the licence of Zantel was then extended to cover whole United Republic of Tanzania. The total number of subscribers was about 150,000 (network capacity is about 250,000 connections). The market structure then was dominated by four (4) mobile operators namely Vodacom (T) Limited (1,100,000 customers), Celtel (now Airtel) (T) Ltd (550,000 customers), Mobitel (now Tigo) (320,000 customers) and Zantel (85,000 customers) then operating in Zanzibar. The total subscriber base was just over 2 million as of April 2005. Regarding data communication services, there were eleven (11) public data communications network operators with the right to install their own international gateway for routing the international traffic. The provision of data communication services was fully competitive. The Internet service provision was under full competition mode of licensing. There were 23 Internet service providers operating mainly in Dar es Salaam and few in major cities and towns countrywide like Arusha. To improve service provision the National Internet Exchange Point (NIXP) was installed and another in Arusha (AIXP) by 2006 but these two operated and still operate independently and are not connected. Then they were only four ISPs connected to their respective IXP. In Arusha the four ISPs were Benson Online Ltd (BOL), Cybernet, Arusha Node Marie and Nexus Digital. (AIXP, (2006)) Regarding the legal regulatory framework the new licensing framework had been in effect since February 2005, when the board of the TCRA at its 9th special meeting held in Dar-essalaam approved the implementation of the converged licensing framework. The board also directed that consultations with existing operators and other stakeholders should continue to ensure its smooth implementation. The approval was granted to facilitate the implementation of the governments full liberalization policy following end of the exclusivity policy and to effectively respond to the challenges raised by convergence in the Information Communication Technology (ICT) Sector. The New Converged Licensing framework was technological and service neutral where a licensee had freedom to choose technology which is most efficient and cost effective was free to take signals from the market as to which services are most in demand. A licensee was also authorized to provide different services under a single license. The possibilities brought about by the convergence phenomena include provision of various communication services
38

like text, data, image, voice and video over an existing infrastructure; the use of a single transmission technology to offer various services, the provision of the same or substitutable service by a variety of different types of providers (e.g. data over cable TV, telephone, or even electrical power networks), substitution of mobile service for fixed service, and integration of customer terminal equipment or access devices such as the telephone, television and personal computers. In essence this meant that the formerly mobile telephony providers would offer Internet services i.e. mobile internet and vice versa the Internet Service providers could provide telephony services i.e. VoIP. Internet access at high bandwidth was envisaged that would create new possibilities to develop multimedia content for information, entertainment, and data processing. It was important to note that in several countries broadband growth had by this time already outpaced mobile telephony. The boom was mainly fuelled by software downloads, online gaming, and e-commerce. In Tanzanian context, affordable high-speed networks could facilitate deployment of Information and Communications Technology for development. The converged licensing framework was meant to facilitate the above possibilities. It is important to note that the above development of the licensing framework focused on the deployment of more ICT infrastructure and had no focus on the correct use and/or protecting users from illegal activities. This could be attributed to the fact that there was a very limited deployment of ICT services with less that 150,000 people using computers and related services at the time(Ulanga, 2005). So efforts toward cyber security and related Issues by the government of Tanzania were done through the Law Reform Commission that circulated a discussion paper on the introduction of legal framework for electronic commerce in Tanzania. The discussion paper came as a result of a study that highlighted lack of relevant legislations for electronic transactions. Two areas have been highlighted in the discussion paper namely contracts and consumer protection. Generally the legal system in Tanzania was mainly based on Common law. Regulatory steps to secure electronic transactions such as digital signatures, electronic evidence, reforms to contract law, dispute settlement and others have not yet been promulgated. In terms of contracts, the Tanzanian laws did not even recognize electronic contracts.
39

Laws on consumer protection, sales and supply of goods in Tanzania were designed to protect consumers on off-line business only which hardly applied to the online business when it came to the matter of distance contracts. The laws did not protect consumers against any risks involved in distance selling and buying business because when these laws were passed the online or distance contracts were not in practice in Tanzania. It was further noted that Tanzanian laws neither covered on-line contracts nor did they recognize cyber space; the laws in place then provided that, the contract must be in writing and duly signed or authenticated before a witness a requirement that was hardly applicable in cyber space. Cyber Crimes The discussion paper also noted that while cyber-crimes posed a significant threat to the development of electronic transactions Tanzanian Laws did not recognize criminal activities on the internet. For example illegal intrusion into a computer system could not be prosecuted with the current legislations at the time which required the perpetuators physical presence. So also went for computer fraud which in the most simplistic form can be described as stealing something of value by means of computers and could be extended to as far as fraudulently giving instructions to a computer to transfer funds into a bank account or using a forged bank card to obtain money from a cash dispenser. Another was data protection, where a threat was defined as the use of data processing techniques that could pose a danger to the rights and freedoms of those individuals whose personal data is subjected to some form of automated processing. There was no law in Tanzania which protected data or databases in Tanzania. The main concern here was the right to privacy, data protection and danger of information misuse. Spam in its most simplistic form is the act of sending large number of unsolicited mails with an intention to market a product or to deceive the users. This aspect has not been covered in the discussion paper, however currently spam is one of the most visible unwanted activities by the computer users in Tanzania. Cyber-attacks: as Tanzania was embarking on deployment of e-government and more and more organizations were adopting the internet as a medium of transmission for their core business functions. The e-mail was replacing the fax as the main medium of transmission.
40

The organizations that heavily depend of the internet and computer network were now at risk from cyber-attacks which could be deliberate attempts to disrupt services (Denial of Service Attacks) or even more sophisticated attacks. The information document did not address these aspects of cyber security while there was no legislation which covered these aspects. (Ulanga, 2005). Enumerating all possible Internet vulnerabilities, threats, and attacks in an exact list is not feasible, yet they can be categorized as the table below shows.
Figure 4: Vulnerability Possibilities

Vulenerabilty scan of randomly selected SME's using Nessus/OpenVAS SME.1 High Severity problem(s) found SME.16 Medium Severity problem(s) found SME.17 High Severity problem(s) found SME.18 Medium Severity problem(s) found SME.19 Medium Severity problem(s) found SME.2 High Severity problem(s) found SME.20 Medium Severity problem(s) found SME.21 Medium Severity problem(s) found SME.22 Medium Severity problem(s) found SME.24 Medium Severity problem(s) found SME.25 Medium Severity problem(s) found SME.26 Medium Severity problem(s) found SME.27 Medium Severity problem(s) found SME.28 Medium Severity problem(s) found SME.29 Medium Severity problem(s) found SME.30 Medium Severity problem(s) found SME.31 Medium Severity problem(s) found
Source: Author

Another study was carried out in 2008 by Kristina Cole et al to assess the efforts of African nations in the realm of cyber security. They approached cyber security as a national security concern due to an increase in the use of digital technology for critical infrastructure, for military operations, and for intelligence gathering/management, mandating the creation of comprehensive national cyber security plans. Although in their case it was not entirely appropriate for developing nations as many African countries are developing nations and they
41

possess neither robust critical infrastructures that utilize digital control systems nor highly digitized militaries, and so thinking about cyber security issues in relation to these systems therefore may not make sense. They therefore sought to determine how to implement cyber security in less developed countries, as an issue not solely associated with national security and instead assessed cyber security by focusing on initiatives that were motivated by more than just traditional national security. In order to develop these assessment criteria, the definitions of national, economic, and human security needed to be clarified in context of their common usage and traditional meanings. To see where cyber security fits into the equation they introduced the concept and model of security relationships. Figure 5: Model of Security Relationships

In this way, cyber security is a function of the various institutions to implement the various security measures and thus floats between the branches of security. 2.4. Chapter Summary This chapter has attempted to give a brief description of Arusha and the businesses activities therein. Then went ahead to show the extent to which SMEs are important to the economies of the countries and spell out all the potentials of the small-medium enterprises, this was followed by the classifying the cyber security challenges which are faced by SMEs.

42

Then re-examined and combined all the existing relevant literature on the two subjects smallmedium enterprises (SME) and information security namely cyber security. Finally the chapter highlighted the opportunities and the threats which mainly affect the SMEs as well as the benefits of securing information to the SMEs.

43

Chapter three: Research Design and Methodology

3.1. Research Design Outline of the case study The study started off with formulating and deciding on the hypothesis for the study, i.e. the purpose, the goals and the question at issue. Next followed literature studies for collection of information on the background to the project and the framework. The creation of the framework was a major part of the project, and was performed in two steps; creation of the category definitions and a validation of the definitions, see Figure 3 for an overview. The next step was the data collection, followed by the analysis of the collected data. Figure 6: Outline of the Case Study

Source: (Soderbom, 2007) A good design is when it has a general plan for the researchers; detailing how they will go about answering the research questions and how they will consider and determine the sources for data collection. In addition it will also consider the constraints they may face i.e. location, financial resources, time, ethical issues, access to data etc. The methodology should then ponder the fact that the researcher has idealized carefully about why a particular strategy has been applied. Case Studies Saunders (2009) defines a case study a strategy for doing research which involves empirical investigation of a particular phenomenon within its real life context using multiple sources of
44

evidence. Yin (2003) also highlights the importance of context adding that, within a case study the boundaries between the phenomenon being studied and the context within which it is being studied are not clearly evident. Mortis and Wood (1991) also point out that the case study will be necessary if we wish to gain a rich understanding of the context of our research and the process being enacted. The motives for adopting a case study were due to the following merits as outlined by Kothari (2001). 1) It is fairly exhaustive method which enabled the researcher to study deeply and thoroughly different aspects of the phenomenon. 2) Its flexibility in respect to data collection; this study was carried out using a collection of methodologies and both secondary and the primary data. 3) It saves both time and cost. The rationale of choosing Habari Node Ltd as a case is that it is a leading ISP serving the majority of the Arusha Internet users. HNL was identified as vantage point to investigate Cyber security awareness as well as a focal point for the carrying out the vulnerability tests as most of the other SMEs to be sampled got their internet from HNL. Additionally HNL was justified on the grounds that they keep some records of the traffic statistic and as the ISP handles the majority of the Internet traffic collection of data was simplified. Furthermore the independent test and vulnerability scans were best run form the ISP as in was a gateway to ease consolidation and matching of data. So HNL was chosen to enable the research identify vulnerabilities, facilitate arriving at solutions for dealing with these risks and possibly disseminating these findings widely. Primary research is an original research which gives first-hand information on a topic. This research (such as a journal, a person, or an event) informs you directly about the topic, rather than through another persons explanation or interpretation. The most common forms of primary research are observations, interviews, surveys, experiments, and analyses of original documents and artefacts. The primary research is conducted by the researcher herself/himself and its not based on other peoples work. There are a few approaches to the primary research and there are; Interviews, focus groups, experiments, structured penetration
45

tests and scans, surveys etc. This research is normally more costly as compared to the secondary research. Secondary research is the second-hand information on your topic, information at least once removed from the original. This information has been complied, summarized, analysed, synthesized, interpreted, and evaluated by someone studying primary research. Journal articles, libraries, web, publications, magazines, newspapers, encyclopaedia entries, documentaries, and non-fiction books are typical examples of such secondary sources. Secondary research is cheaper than the primary research; its not as useful, accurate, as specific, primary research. (Saunders, 2009) Area of the study The research was done at the HNL offices located at the Arusha International Conference Centre (AICC) in Arusha. The selection of the study area was based on various reasons. First, almost data concerning Internet traffic were available. Secondly continuous availability of power and Internet connectivity was guaranteed. Also AICC was the ideal area for the research due to financial, work and time constraints. The first phase of the research constituted of collecting secondary data from the literature review, According to Saunders et al (1996), there are two main reasons for looking back into the literature, first the preliminary search assists in generating and refining the research ideas. And secondly, a critical review is an integral part of the research process. Likewise to most research projects, literature review is the early activity in their researches; the same applies to this, after the first literature search, the researcher was able to redefine the parameters more exactly and undertook further searches, keeping in mind research goals and objectives. The literature review helping in coming up with a good insight and an understanding into the previous research done on to the trends and this topic which have emerged. Sample and sampling procedures The next phase of the research constituted of determining the population for the study which was SMEs based in Arusha city and determining the sample size by short listing of the
46

potential SMEs where the sampling could be carried out. Companies which fit the criteria were those that matched the description in Tanzanias SME policy as well as determining what would be the best tools to use to carry out the various vulnerability tests. It was convenient to pick out a sample out the entire population and in this study just one SME (HNL) and its clientele was chosen for the purpose of generating the required information. The respondents were information system professionals, managers, directors, support IT staff and HNLs vast cross-section of clients. The purposive or judgemental sampling technique was used select representative from the directors and managers. Stratified sampling where respondents were grouped into their respective skills sets was used to increase the level of representativeness i.e. I.T trained staff were not considered in the same category as an accountant using the Internet to check emails. The simple random sampling technique helped the researcher to select members from each subgroup. The next phase of the research was primary data collection using these data collection instruments. Which started with the interviewing of the small groups or units of inquiry (unstructured interviews) is that of the two stage triangulation research method, this was followed by a detailed questionnaire, testing quantitatively a much larger sample of employees and consumers. This method of quantitative method, was recommended by Grove and burns (1997), its a relatively a new approach and is often called the triangulation method. Interviews will be used to gather reliable and valid data relevant to the research objectives and may be categorized in to three categories [Saunders et al, 2003]. i) Structured interviews - It involves the use of the questionnaires which are based on a predetermined and identical set of questions. ii) Semi structured interviews - Here the researcher has a list of themes and topics to cover, though these may vary from interview to interview depending upon the organizational context. The order of questions may also be varied depending upon the flow of the conversation. Some new questions may also be raised basing on the discussions. It also involves tailoring to specific research protocols and also used to assess and rate the abilities of potential
47

research participants in four areas that represent part of the standard of competence to consent in many jurisdictions iii) Unstructured interviews - Here there are no predetermined list of questions hence being an informal interview, with this form of interview the interviewee is free to talk about the Behaviour, events and beliefs in relation to the research subject. Being that this type interview is mainly based on the interviewee perceptual experience, its the reason as to why its known as informant interview and also known as in depth interview because its used to explore the deepness of the general area in which the researcher is interested. In this research both the semi- structured and unstructured interviews were integrated, which assisted in ensuring a friendly and smooth atmosphere while taking the interviews. After the analysis the interviews were then coded and again analysed to produce a questionnaire with reduction of categories. This questionnaire can then be used for the larger sample population size. In triangulation the main emphasis is on the combination of methods, for instance survey questionnaire with in depth interviews. The main idea of taking two kinds of data collection methods is that if it differs in the kinds of data support, and yet are the same in conclusion, then confidence in the conclusions is increased. The overriding advantage of the interview is its adaptability. An adept interviewer can follow up probe responses, up ideas and investigate motives and feelings which the questionnaire can never do. The way in which a reply is made can reveal valuable information. There are a few disadvantages as well. Interviews are expensive, small number of the people can be interviewed with in arrange of time and they are also time consuming (Hussey, 1997). Questionnaires, Survey and case studies Questionnaires on the other hand are the less expensive, most popular methods of collecting data and less time consuming than conducting interviews and very large samples can be obtained. Hussey and Hussey (1997) identified some important factors to be considered while using questionnaire and these are; types of questions, sample size, wordings, including

48

instruction, design, method of distribution and return, wording of any accompanying letter, method of collecting and analysing, actions to be taken if questionnaire is not returned. Other advantages of using questionnaires are; 1) Respondents feel free to explain their opinions especially if anonymity is an option. 2) They avoid interviewer bias as the interviewer is not in a position to induce the respondent. 3) Uniformity of responses is achieved particularly when a closed ended question is employed. 4) Respondents can answer the questions in their own time. 5) Compared to interviews it may be a better store of information. 6) Confidentiality may draw out even more answers. 7) Distant respondents can be used. 8) Can be accomplished with minimum staff and facilities. Disadvantages include; 1) It is only for literate people 2) Questionnaires have a low rate of return 3) Does not allow or give the respondent to seek clarification. 4) With mailed questionnaires one does not have the opportunity to supplement the information in the responses. 5) Closed questionnaire limits alternatives. Source: (Adam, 2007) Different distribution techniques were also described by Hussey and Hussey (1997). For some techniques the questionnaires were circulated to the employees and consumers
49

through telephone, post, group and individual email distribution. All the above factors were considered during the choice of method of distribution and the preparation of the final set of questionnaire to be used in the survey. Bell (1993) says that surveys can provide answers to questions like What, Where, When, And How. It tries to elaborate the problems of representativeness from other approaches like case studies or most of the qualitative approaches. This approach can be termed as fact finding mission and may contribute little towards the development of a shaping theory or hypotheses. The effects from the survey can then be used to test a theory or hypotheses. The data here is primarily quantitative but may also be qualitative in nature as it represents peoples views about an issue. The Web Based Survey Tool Taking into the consideration the above points the survey was then completely web based when carried out and a set of questionnaire was also designed to collect the primary data. By making it web based it both reached the respondents easier, facilitated adjustments and gathering the data was greatly facilitated. Reliability The reliability of a study is how well it will produce the same results on separate occasions under the same circumstances. For instance, if a study is well controlled and documented, the reliability will be high, and another researcher who follows the same procedure should get the same, or similar, results Validity Validity deals with how well the study measures what is supposed to be measured. High validity means that the results accurately reflect the concept being measured. Both the research method and the way the study is performed are covered.

50

3.2. Methodology Process of conducting the case study The research method used for conducting the assessment in this Master of Business degree project is based on Yins Case Study Research: Design and Methods (Yin, 2003). The process for conducting the case study research followed the same general process as followed for other researches: plan, collect data, analyse data, and disseminate findings. More detailed steps are given below(Neale et al., 2006). 1. Plan Identified the stakeholders who will be involved. Brainstormed the case study topic, considering types of SMEs and why Habari was in a unique position to address my need. Identified what information was needed and from whom. Identified any documents needed for review. Listed stakeholders to be interviewed or surveyed (national, facility, and beneficiary levels) and determine sample if necessary. Ensured research would follow international and national ethical research standards, including review by ethical research committees.(Trochim, (2006))

2. Developed Instruments Developed interview/survey protocols the rules that guided the administration and implementation of the interview/survey to ensure consistency across interviews/surveys, and thus increase the reliability of the findings. The following were standardised and written out by the researcher be included in the protocol: o What to say to interviewees when setting up the interview/survey; o What to say to interviewees when beginning the interview/survey, including ensuring informed consent of the respondent o What to say to respondent in concluding the interview; o What to do during the interview (Example: Take notes? Audiotape? Both?); and o What to do following the interview (Example: Fill in notes? Check audiotape for clarity? Summarize key information for each? Submit written findings?).
51

Develop an interview guide/survey that lists the questions or issues to be explored and includes an informed consent form. Where necessary, translate guides into local languages and test translation.

3. Collected Data Yin (2003) states it is desirable to have multiple sources for the data collection if possible as by doing so; the validity of the study could improve. He further describes what is important when collecting the evidence, and points out the following sources six sources of evidence when conducting research as follows. Documentation This source includes different kinds of documentary information that can be relevant to the case study, such as letters, agendas, and written reports of events, administrative documents and newspaper articles. Archival records Archival records consist of information often found in computer files and records, such as service records, organizational records (e.g. organizational charts and budgets), and lists of names, survey data and personal records. Interviews This is one of the most important and sometimes even essential sources of evidence. Yin mentions two types of interviews; the open-ended interview and the focused interview. Yin also treats the survey as a type of interview, particularly suited for quantitative studies. Direct observations These observations can be either formal or casual, and incorporates field visits with e.g. observations of meetings and behaviours at work places Participant-observation In this type of observation the observer plays an active role in the field study, e.g. participating as an employee. Physical artefacts This last source of evidence includes physical artefacts that can be collected and might be of interest, such as tools or technological devices.
52

Of course, all these six sources of evidence both have their advantages and their disadvantages, and they are most powerful when being used in conjunction with each other.

Choice of sources When gathering the information this researcher faced practical challenges and so impacted on the choice of sources; the two main challenges were; The frequent and erratic power outages in Arusha and Tanzania as a whole. As well as the skillset of the current Internet users as many were users are just starting to use the Internet and consequently many resource points did not have any records or if any are not available online and if they are online then these resources are sparse and rarely updated. Which may explain why often I encountered online resources i.e. I.P or website that functioned properly when initially discovered but which, when visited later, was no longer available.

The final difficulty lay in simply obtaining information from companies and organizations without cyber security initiatives like having regular competent I.T staff or actual cyber security efforts besides use of passwords on desktops. For example, one fact that became clear during one interview is the difficulty many I.T staff faced when gathering information about their own companies cyber security strategy/efforts. This problem is only compounded when an external researcher attempts to seek information on companies with no or little strategys or information sources on cyber security and cybercrime. Thus, even field work in the specific companies provides little additional information for many companies.

The main source for data collection was the survey. As the purpose of the study was to assess the awareness of these security challenges, probing but informative questions were asked to not only check that the challenges were known but to educate the respondents on the risks of using the Internet. Short focused interviews were also conducted in combination with the survey.
53

Documentation was an important source for information on the background to the project. For instance, it was through documentation that information on earlier research on the assessment of Africas cyber-security was found.

Generated reports from real-time vulnerability scanners were also used to highlight gaps in publically accessible gateway and networked hosts as well as generate reliability. The use of penetration tests was avoided as they differ from vulnerability scans in that it involves attempted exploitation of the vulnerabilities. Which it was thought may be seen as a violation of privacy or actual attempts to gain unauthorised access to private online systems.

The other sources of evidence mentioned above (archival records, direct observations, participant-observations and physical artefacts) were not considered to be of any use for this study.

Data Collection Principles By following three principles for data collection, the benefits from using the six sources of evidence can increase (Yin, 2003). If used correctly, these principles will improve both the validity and the reliability of the study. The three principles are 1) Using multiple sources of evidence, 2) Creating a case study database and 3) Maintaining a chain of evidence. All of these principles were followed throughout this study. As mentioned in above multiple sources of evidence were used; primarily surveys documentation and vulnerability reports. All data which were found important and useful for the project were collected and stored, primarily electronically but also as hard copies when electronic versions were not available. As a result, a case study database was created this data includes information and documentation used in the project, such as articles, papers, notes, reports, documents and results. Maintaining a chain of evidence is important for the reliability of a study. This means that the traceability of all sources, e.g. in the case study database and in the report, must be good. This was done by carefully citing sources in the report and by making sure that all items in the case study database were marked with date, source or other essential information. The
54

chain of evidence makes sure that external observers can follow the derivation of any evidence. 3.3. Chapter Summary This chapter gives elaborative detailed information about the research design and methodologies which were employed in order to achieve the objectives of the study. When conducting research like this case study, it is of great importance that research principles and procedures are understood and decided upon in the beginning of the project before coming up with the research strategy. Furthermore a thoroughly and extensively studied theory is important since it is the foundation for correct assumptions, identifying the various step by step methodologies, coming up with the questionnaire that culminated with the survey and many other conclusions. With the right approaches throughout the study, factors like reliability and validity greatly improve.

55

4.0
4.1. Introduction

Chapter Four: Data Analysis and Discussion

The data which will be collected from any research, it will need to be analysed for the researcher to come up with a sound conclusion. As the aims/objectives and the process of the research methodology for this study have been talked about in the previous chapters. The aim of this chapter is then to analyse and present the data gathered with the assessment and survey tools. The consummate work will be presented in a good structured report format using the visual aids such as tables and pictures. The author of this report has made all possible attempts to keep this report without too many technical jargons. 4.2. Findings, Analysis and Discussion Findings Awareness Survey Analysis Questionnaires were sent electronically to IT managers, IT support staff and general Internet users in Arusha and was accompanied with an introductory email in both English and Swahili describing the purpose of the survey, the language options and how these questionnaires should be answered. Further an emphasis was made for confidentiality and respect of collected data to ensure accuracy and truthfulness when answering. The survey was available online a period of three weeks with reminder emails sent to those who had not completed at the start of the week. Amongst the 400 or more emails sent out a total 74 responses were received back of which 62 participants filled out the entire survey. The questionnaire had five different sections and these were; Company profiling information, Internet dependence for business operations, internal data handling and storage, Cyber threat awareness and possible security measures, Cyber threat impact and trends and future plans. Company profiling information This section addressed the type and nature of companies the participants were working in and was intended to assist in categorising the relevant information given in the later stages. To classify or justify if most business in Arusha using Internet services are SMEs.
56

When asked about the company size using the number of employees; a) 37.1% answered more than 100 employees b) 14.52% answered between 51-100 employees. c) 9.68% answered between 25-50 employees. d) 12.9% answered between 10-25 employees. e) 25.81% answered less than 9 employees. When asked the annual revenue in Tshs generated in the company; a) 36.21% answered above 800 million. b) 17.24% answered above 5 million to 200 million. c) 12.07% answered up to 5 million. d) 6.9% answered above 200 million to 800 million. e) 27.59% answered that they were not sure. Internet dependence for business operations This section addressed the use of the Internet in the office and the extent of usage in executing normal business operations. Findings on the dependence on the Internet for successful business operations based on the 62 answers given to the question: How dependent on the Internet is your business for its day-to-day operations? f) 77.42% answered very dependent g) 11.29% answered somewhat dependent h) 8.06% answered not very dependent i) 3.23% answered not at all dependent When asked the question what percentages of your employees use the Internet every day? Out of 62 answers to the question: a) 33.87% answered 76%-100% b) 14.52% answered 51%-75% c) 17.74% answered 26%-50%
57

d) 27.42% answered 1%-25% e) 3.23% answered none and 3.23% were not sure. Then when further asked what the employees current online activities or were using the internet for: a) 18.43% answered for internal communication i.e. fellow staff, inter-branch sites b) 23.96% answered for communications with customers/vendors/business partners c) 15.21% answered for research/E-learning purposes d) 8.76% answered for managing financial and accounting e) 9.68% answered for managing a database. f) 6.46% answered for procurement and 0.92% was not sure. g) Last but not least 13.36% for staffs personal/recreation activities i.e. Facebook, chat programs, utube, games .etc. Internal data handling and storage This section addressed the type and nature of data handled and stored in the SMEs and how assessable it was to those who had an interest in accessing this data. Finding on the use of data based on the 62 responses to the question on whether the business handled/stored sensitive information and if so of what nature? a) 26.35% answered financial records and reports. b) 25.68% answered customer details. c) 20.95% answered employee details. d) 14.19% answered other types like patient details, etc. e) 5.41% answered intellectual property. f) 3.38% 20.95% answered simply yes. g) 2.7% were not sure. Having answered this they were asked the sub research question as to whether all of the employees had access to this same information on their network. a) 75.18% answered no.
58

b) 20.97% answered yes. Cyber threat awareness and possible security measures This section addressed the level of awareness of cyber threats and the extent of effort put in to deal with these threats. The main research question was you have an internal IT manager whose job is solely focused on IT? (i.e. backing up information, managing email accounts, website, updating their software, troubleshooting technology-related issues, etc.) h) 48.39% answered yes. i) 14.52% answered yes and they were the I.T managers j) 17.74% answered no. k) 11.29% answered no but had an I.T savvy employee to handle these tasks. l) 4.84% said they outsourced. m) 1.61% answered they used their I.T technology suppliers Findings on the awareness of cyber security threats based on 62 answers given to the question; whether the company had a formal Internet security policy? c) 48.39% answered yes. d) 45.16% answered no e) 6.45% answered yes but not formal. When asked if they had experienced any cyber threats or attacks on their networks and if so what was the nature of the threat/risk? 40 of the total respondents answered yes Out of 62 answers to the question: which of the following best describes your thoughts on cyber security? a) 39.34% answered it was a nice thing to have b) 37.7% answered it was a necessary cost of business c) 6.56% answered it was an effective tool for gain competitive advantage. Finding on the sub research question as to whether any action or measures were being taken to deal with cyber threats? Out of 62 answers to the question; does your company have a formal Internet security policy?
59

a) 48.39% answered yes b) 45.16% answered no. c) 6% answered yes but not specifically a policy. When asked about what I.T security measures were in place; 62 answers were given to the question: how often do you have the person or people responsible for IT check your companys computers to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-to-date? a) 25.81% answered they check daily b) 22.58% answered they check weekly c) 27.42% answered they check monthly d) 9.68% answered they check annually e) 6.45% answered they never check and 8.06% were not sure. When asked how satisfied were they with the amount of security you provide to protect your business information; i.e. customer or employee data? a) 4.84% answered very satisfied b) 30.65% answered satisfied c) 45.16% answered somewhat satisfied d) 6.45% answered somewhat dissatisfied e) 4.84% answered dissatisfied. f) 8.06% answered they were not sure. When asked to describe the steps they took to protect customer and employee data? Of the 62 given answers; a) 51.61% answered they have multiple layers of computer security. b) 29.03% answered they had a minimal threshold of security. c) 8.06% answered they did not take any steps to protect customer or employee data. d) 11.29% were not sure.

60

The sub research question on whether they would if the computer network was compromised (i.e. infected with a virus, private information stolen, etc.)? a) 54.84% answered yes b) 35.48% answered no. c) 9.68% answered other Cyber threat trends, possible security measures and future plans This section addressed the respondents awareness or exposure to cyber threats and attacks and the impact of cyber threats on their business operations. It also attempted to collect information on the methods used by the respondents to deal with cyber threats and/or attacks and what were participants views were regarding the volume of cyber threats they had dealt with in the past year. When asked what they thought/felt about the trend of cyberattacks/threats in the past year? Table 5: Perceived Trend of Cyber Attacks/Threats Significantly Significantly Reduced Reduced Neither Increased Increased No 1 2 3 4 5 answer 5x 6x 21x 15x 14x 6x 7x 13x 11x 12x 15x 15x 10x 13x 7x 10x 10x 2x 7x 3x 1x 3x 3x 2x 6x 10x 9x

Value matrix Virus infections Suspicious emails

2.67 58% 3.00 56% 2.65 44% 2.89 46% 3.03 47%

Malware attacks 7x Cyber attacks 5x

Cyber 4x threats/Incidence

= respective average per line in points G = respective weighting of the importance of each line in % (0% unimportant to respondent/ 100% very important to respondent). Source: Research findings, 2011

61

Independent Studies Assessment of the Cyber-security threats using random independent scans and reports. A selected SME gateway was used as an independent test to record intrusion attempts. Additionally a network reconnaissance was conducted to determine what types of computers are present, along with additional information about those computers i.e. the type, version of the operating system, the services running on it, etc. Table 6: Top 15 Noted Cyber Attacks Top 15 Attacks on a selected SME form 1st July 2011 to 1st Sept 2011 Unit 1 SNMP request udp 2 SNMP public access udp 3 ICMP Destination Unreachable Port Unreachable 4 POST Form Data more than 200 Bytes 5 ICMP PING 6 WEB-MISC handler access 7 ICMP Destination Unreachable Host Unreachable 8 ICMP Time-To-Live Exceeded in Transit ICMP Destination Unreachable Communication 9 Administratively Prohibited 10 ICMP Echo Reply 11 ICMP PING Windows 12 ATTACK-RESPONSES 403 Forbidden 13 ICMP PING CyberKit 2.2 Windows 14 ICMP L3retriever Ping 15 WEB-MISC PCT Client Hello overflow attempt Source: Research findings, 2011
62

Attack

Hits 1814808 1814400 459379 232672 218589 102252 99275 64643 50558 41387 39633 37780 35943 24908 6811

Below are the results of the randomly run a computer program that was designed to assess computers, computer systems, networks or applications for weaknesses also known as a vulnerability scanner. Where the intention was to estimate or itemize the vulnerabilities present in one or more targets on the Habari network. Table 7: Random Vulnerability Scan Results Vulnerability scan of randomly selected SME's using Nessus/OpenVAS SME.1 SME.16 SME.17 SME.18 SME.19 SME.2 SME.20 SME.21 SME.22 SME.24 SME.25 SME.26 SME.27 SME.28 SME.29 SME.30 High Severity problem(s) found Medium Severity problem(s) found High Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found High Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found Medium Severity problem(s) found

Medium Severity problem(s) found SME.31 Source: Research findings, 2011

63

Recorded Intrusion Attempts on a sample gateway SME from 10 July 2011 to 18th Aug 2011 Date 12-Jul-11 13-Jul-11 14-Jul-11 15-Jul-11 16-Jul-11 17-Jul-11 18-Jul-11 19-Jul-11 20-Jul-11 21-Jul-11 22-Jul-11 23-Jul-11 24-Jul-11 25-Jul-11 26-Jul-11 27-Jul-11 28-Jul-11 29-Jul-11 30-Jul-11 31-Jul-11 1-Aug-11 2-Aug-11 3-Aug-11 4-Aug-11 Number of Intrusion Attempts 267085 19166 9062 2562 49852 266375 297 245536 175036 108978 136209 239450 233658 529298 401976 139964 125485 353777 557473 287156 440360 131797 157064 413508 Source: Research findings, 2011

64

Impact of Cyber-attack-A

Impact of Cyber-attack-B

Source: Research findings, 2011 Analysis of Findings The bulk of the surveyed businesses (77%) were SMEs as the chart below highlights

65

Figure 7: Companies Employee Count

Almost all (80%) of the surveyed businesses are dependent on the Internet for their business operations as illustrated by figure 4 below; Figure 8: Internet Dependency of SME's

As well as most of the employees in the business were using the Internet to carry out their daily activities as illustrated by figure 5.

66

Figure 9: Percentage Use on Internet by Employees

Although it was not clear what activities actually were significant to successful business operations. The results of this study show that large number of the respondents used internet for running their core business operations or gathering information. Figure 10: Internal Internet Use

67

Almost all (80%) of the surveyed businesses are satisfied with their security measures, and 52% believe their company is safe from hackers, viruses, malware, and other cyber security breaches.

Figure 11: Percentage Satisfaction of SME's on Current Measures in place

Almost two-thirds of the respondents believe that they would know if their networks had been compromised, and roughly the same number would be able to adequately deal with the threat if they networks were breeched.

68

Figure 12: Frequency of I.T Checks

Most (60%), however, do not communicate their security measures as part of the value proposition they present to customers. And almost three times as many participants are primarily concerned about external threats like viruses, spyware, and malware than internal threats, including loss of customer information. Figure 13: Current Protection Measures

Also the information on which these businesses are basing their security plans and policies is primarily from their internal IT personnel and updates from software or hardware websites.

69

Figure 14: Sources of I.T Security information

More significantly, companies do train their staff on the dangers of the Internet and responsible usage but do not effectively communicate security policy information to their employees: 44% provide no employee Internet security training for employeesand yet more than 70% of the respondents believe the employee is responsible for protecting sensitive company data and should have an accountable understanding of their Internet security policy and practices.

70

Figure 15: Trend of Intrusion Attempts

Source: Research findings, 2011

Discussion Considering the many different interpretations and definitions of cyber security (refer to chapter 2) this study showed that it is possible to assess the level of awareness of cyber security threats and present an easily comprehensible result. The online survey revealed that most Arusha SMEs are actually aware that the Internet does present a threat and in some cases could relate to some recent past experiences (refer to Appendix 5);

71

Figure 16: Compromised networks

Dealing with the cyber security challenges was another issue altogether as almost half (48.39%) the companies did already have some security measures in place like an Internet policy. Figure 17: Use an Internet Policy

72

As well as also did regular check-ups, updates on the network for viruses and software; some companies more regularly than others but at least over 60% were within monthly check-ups which were acceptable. Figure 18: I.T Check-ups

From the comments of the respondents refer to Appendix 5: it was evident though many companies were aware about these threats; were most heavily relying on the Internet and routinely handle confidential and proprietary data, many did lack the internal resources, formal policies, employee training, and technologies they need to protect their critical information.

73

Figure 19: Ease of Access to information

More so although almost all business owners believe that they are protected against online threats and that their employees understand how to defend against them, some still offer employees no Internet security training at alland a substantial minority lack even elementary protection for wireless and remote network access. From the comments of the respondents refer to Appendix 5; it doesnt take much time or money for a small business to reduce security risks substantially. Security awareness is the first essential step, based on clear policies and followed by implementation of automated technologies to protect critical business information against a growing array of internal and external threats. 4.3. Chapter summary This chapter has presented, carried out analyses and discussion on the findings from the research. The research worker was able to derive to how the respondents acknowledged and identified the Cyber security risks and challenges faced by the small-medium sized enterprises in Arusha. As well as identified benefits with regards to the awareness and prompt responsiveness of securing important information. The next chapter, which is the concluding and recommendations section of the study, will therefore relate these findings to both the objectives and the research questions of this research with a view to extending appropriate recommendations for the Arusha SMEs.

74

5.0

Chapter Five: Conclusion, Recommendations and Further Research

5.1. Introduction This research has been conducted to investigate the awareness of the possible threats and attacks that could originate from accessing the internet for Arusha SMEs. Bby doing so it was hoped to generate awareness and identify vulnerabilities by gathering responses from ordinary Internet users, I.T technicians and IT managers, in both public and private institutions where ICT is a strategic tool in enabling core business operations. With this in mind it is hoped the awareness of these security challenges, was brought about by the probing but informative questions that were asked in the survey and not only checked that the challenges were known but also did educate the respondents on the potential risks of using the Internet. Conclusions During the implementation stage, it was found that almost all senior executives and managers were supportive and committed to the IT security. However, it was interesting to see that it appeared that most the management executives of the Arusha SMEs interviewed were not aware that there was a need to manage users. The survey also showed that while a significant number of SMEs use the Internet for their business operations like email, research, the degree and depth of research capability is limited. As on-line experiences and effective use of the Internet capabilities ranged greatly among SMEs and seemed closely linked to the educational background of users. University educated users are more likely to use the Internet to obtain information on production technologies, examine market trends and opportunities, assess the activities of domestic and international competitors, and locate potential suppliers. Implying that for the few companies which did use the research function extensively there followed a clear impact on sales as successful SME Internet users tend to be further advanced in production management, production capacity, capital

accumulation, accounting, marketing and English communication than the average company.

75

On the management side, the owners often have post-high school degrees, or they have acquired management and marketing skills through long-term experience in their industries. While this is not the case for all SME users, there is an undeniable link between the education and experience of business owners and managers and the effectiveness of their Internet usage. However, there are also numerous cases of business owners who hired outsiders who were skilled in accounting, English and computers to support Internet activities. Additionally, there are quite a number of SMEs that do not use the Internet effectively, and this is often due to weaknesses in their businesses as a whole. Furthermore these businesses are likely without a foundation of network and security awareness. By becoming aware we merely initiating the first steps toward adequate protection the next challenge is then how to be responsive to threats common to their small businesses. Intentional steps towards implementing these controls will enhance the continuous monitoring capability of any organisation. With intentional planning and continual drive towards these controls, one can start to develop a passion for implementing these controls in unique cost effective ways. 5.2. Recommendations As online threats multiply and SMEs IT budgets shrink the most suitable start to achieve a good first line of defence against Cyber threats i.e. exploitation, attack, information theft, and fraud etc. would be to first manage users could be by enforcing security policies as they are invaluable and necessary for any organization. The policies provide the virtual glue to hold the preventive approach all together and can bring order to chaos and structure to makeshift and often inadequate stop-gap measures. In line with the policy framework for Cyber security posted by the ITCA in 2009 (ECA, 2009). A security policy provides the required backdrop and should help: Define appropriate behaviour; Set the stage in terms of what tools and procedures are needed; Communicate a consensus;
76

Provide a foundation for action in response to inappropriate behaviour; and

Possibly help prosecute cases.

Secondly the use of security-aware employees guided by the above clear policies and backed by appropriate technologies could then complement each other in achieving an SMEs best defence. In line with recommendations of renowned security experts below would therefore be a simplified attempt at the few typical approaches SMEs should take to achieve a good first line of defence against Cyber threats (Symantec, 2009); 1. Educate employeesmake security awareness a top priority by training and requiring employees to use passwords that mix letters and numbers. Also changing these passwords often and avoid file-sharing programs and downloads from unknown sources. 2. Set up acceptable and usable policies that reflect across the board as everyone is affected by them to some extent meaning everyone should be concerned with security policies. After ensuring all stakeholders

involvement there should be a formal policy design process that is consistently followed for all security policies to enable them be implementable and enforceable. These policies should then be should be updated annually to reflect changes in organization or culture. 3. Support policies with technologiesprotection against todays threats requires multiple layers of defence. Easy-to-maintain commercial suites combine antivirus, intrusion-prevention, and privacy protection for gap-free coverage across servers, desktops, and laptops. 4. Protect your mobile workforceperimeter defences arent enough. Employees take devices and data out, contractors bring them in, and walls dont stop wireless networks. Monitor network computers and traffic for malicious activity, block unauthorized applications, and insist on secure practices by remote workers.

77

5. Back up valuable datayour information is your business. Guard against accidents and disasters with regular backups, and keep copies off site. Train employees to back up data themselves, or use automated solutions that run in the background. Test recovery processes at least once a year. 6. Stay informed and up to datesecurity requires vigilance. Monitor reports and newsletters to keep up with new threats and technologies, and be sure that the automatic update features of your operating systems and antivirus, intrusion-prevention, firewall, and other security software are all turned on and working properly.

5.3.

Critical review

The purpose of the study was to assess the awareness of these security challenges, probing but informative questions were asked to not only check that the challenges were known but to educate the respondents on the risks of using the Internet. Nevertheless when gathering the information this researcher faced practical challenges and so impacted on the choice of sources; the two main challenges were; The frequent and erratic power outages in Arusha and Tanzania as a whole. As well as the skillset of the current Internet users as many were users are just starting to use the Internet and consequently many resource points did not have any records or if any are not available online and if they are online then these resources are sparse and rarely updated. Which may explain why often I encountered online resources i.e. I.P or website that functioned properly when initially discovered but which, when visited later, was no longer available. The final difficulty lay in simply obtaining information from companies and organizations whoere there is more than one person responsible for information security at the company or in the reverse situation where they were operating without cyber security initiatives like having regular competent I.T staff or actual cyber security efforts besides use of passwords on desktops. For example, one fact that became clear during one interview is the difficulty many I.T staff faced when
78

gathering information about their own companies cyber security strategy/efforts. This problem is only compounded when an external researcher attempts to seek information on companies with no or little strategys or information sources on cyber security and cybercrime. Thus, even field work in the specific companies provides little additional information for many companies. Nevertheless it was generally the impression of the researcher that there was a substantial level of awareness of Cyber threats and while the level of awareness was uncertain it was not within the scope of this research to determine this. With more time available, more respondents could have been contacted which would have given the chance to achieve results for further analysis. However, as described in chapter 3.1 it was important that the respondents qualified or met some criteria for the study, and thus only a handful of participating respondents were approached. Another uncertain factor during the assessment was whether the respondents would actually respond or could not understand the questions.

Concluding remarks
As a result of this research Habari Node Ltd set up a technical team composed of their staff and selected members from among their clients like I.T managers, Internet cafe owners and technical personnel of some of the SMEs at the forefront of the Cyber threat prevention process to handle technical issues arising from the present network. In this way, it is supposed the sharing of knowledge will bring a two-fold benefit; 1) Arrive at sustainable Cyber security solutions for the SMEs and 2) Enhance capacity building in I.T security threat/attacks resolution within HNL and their client base. HNL also set up a website; http://www.habari.co.tz/security and a mailing list; aptly named salaam subscribing interested parties i.e. SMEs I.T staff in the hopes of disseminating its findings widely to mainly create awareness though also expecting to contribute to the body of knowledge in this field. I will end with a famous hackers law called the Paulsens Law which says: Information is secure only when it costs more to get than its worth.
79

References
Adam, J. 2007. Business Research Methodolgy, Dar-es-salaam, Directorate of Graduate School, IFM. AIXP. (2006). Arusha Internet Exchange Point [Online]. Arusha: AIXP. Available from: <http://www.aixp.or.tz> [Accessed 3rd Aug 2011]. Arusha Times. 2011. Habari Extends Internet Coverage to Kilimanjaro. All Africa. Colonel Louis H. Jordan, J. & Saadawi", D. T. N. 2011. Cyber Infrastructure Protection, Carlisle, Strategic Studies Institute. Dutta, S. & Mia, I. 2010. Global Information Technology Report 20092010 - ICT for Sustainability. Geneva: World Economic Forum. ECA. 2009. Cyber Security Policies Ensuring confidence in the use of ICTs. Galliers, R. D. & Leidner, D. E. 2003. Strategic Information Management Challenges and Strategies in Managing Information Systems, Oxford, Butterworth-Heinemann. HABARI. (2011). Company Profile [Online]. Arusha: Habari. Available from: <http://www.habari.co.tz> [Accessed 8th Aug 2011]. Hussey, J. A. H., R. 1997. Business Research: A Practical Guide for Undergraduate and Postgraduate Students, London, Macmillan Press. Internet-World-Statistics. (2011). Internet Usage Statistics for Africa [Online]. Bogota, Colombia: Miniwatts Marketing Group. Available from:

<http://www.internetworldstats.com/stats1.htm> [Accessed 2nd Aug 2011]. ITU. (2010). Tanzania's Internet Usage Statistics [Online]. Geneva: International Telecommunication Union. Available from: <http://www.itu.int/ITU-

D/cyb/newslog/Eeducation+In+The+Pipeline+In+Tanzania.aspx> <http://www.itu.int/ITU-D/treg/Case_Studies/Licensing/TANZANIA_CS.pdf>
80

<http://www.internetworldstats.com/af/tz.htm> [Accessed 1st Aug 2011]. Kristina Cole, Marshini Chetty, Christopher Larosa, Rietta, F., Schmitt, D. K. & Goodman, S. E. 2008. An Assessment of Cybersecurity in Africa. Georgia Institute of Technology. M.O.T&I 2002. Small and Medium Enterprise Development Policy. In: M.O.T&I (ed.). Dar-es-salaam: United Republic of Tanzania. Mbonea, I. (2010). Tanzania Revenue Authority Introduces Online Clearing [Online]. Dar-es-salaam: East Africa Community. Available from:

<http://www.eac.int/customs/index.php?option=com_content&view=article&id =119:tanzania-revenue-authority-introduces-online-clearing&catid=1:latestnews&Itemid=163> [Accessed 28th Aug 2011]. Mutarubukwa, A.-A. 2010. First phase of ICT broadband backbone is activated Nationwide. The Citizen, 27th May. Neale, P., Thapa, S. & Boyce, C. 2006. Preparing a Case Study: A Guide for Designing and Conducting a Case Study for Evaluation Input, Pathfinder International. OECD 1997. Globalisation and Small and Medium Enterprises (SMEs). In: Development, O. F. E. C. A. (ed.). Paris. Oscarson, P. 2007. Actual and Perceived Information Systems Security. Doctoral studies, Linkping University. PROMISEC 2010. Endpoint Risk Assessment Internal Vulnerabilities. Rogers, S. 2010. Information is Power. The Guardian. Saunders, M., Lewis, P., Thornbill, A. 2009. Research Methods for Business Students, Harlow Pearson Education.

81

SEACOM. (2009). Seacom lands in Dar-es-salaam [Online]. Available from: <http://www.seacomblog.com/gallery-image/seacom-team-cable-stationlanding-event-dar-es-salaam> [Accessed 4th Sept 2011]. Security, I. 2010. Information Security. Information Security. Grove Street, Newton, MA 02466 U.S.A: InfoSecurityMag.Com. SIDO. (2011). Arusha: Investment Opportunities [Online]. Arusha. Available from: <http://www.sido.go.tz/UI/Arusha_Region.aspx> [Accessed 3rd Sep 2011]. Soderbom, J. 2007. The Costs of Enterprise Information Security. Master of Science, Royal Institute of Technology. Sveiby, K. E. 1997. New Organisational Wealth Managing and Measuring Intangible Assets, San Francisco, CA, USA, Berret-Koehler. SYMANTEC 2009. Cybersecurity Report on Small Business-Study Shows Gap between Needs and Actions. T.C.R.A 2010. Digital Tanzania. The Regulator. 16 ed. Dar-es-salaam: Tanzania Communications Regualatory Authority. Tabadatze, D. 2011. Internet Security Awareness Project. Georgia: ISOC. Tapscott, D. 1996. Digital Economy Promise and Peril in the Age of Networked Intelligence, New York, NY, USA., McGraw-Hill. Trochim, W. M. K. (2006). Ethics in Research [Online]. New York: Social Research Methods Web Center. Available from:

<http://www.socialresearchmethods.net/kb/ethics.php> [Accessed 3rd Aug 2011]. Turban, E., King, D., Lee, J., Warkentin, M. & Chung, H. M. 2002. Electronic Commerce A Managerial Perspective, Upper Saddle River, NJ, USA., Prentice-Hall.
82

Ulanga, P. R. 2005. Cyber Security in Tanzania Country Report. In: C5, W. (ed.). Geneva. Ward, J. & Peppard, J. 2002. Strategic Planning for Information Systems, Chichester, West Sussex, England, John Wiley and Sons, Ltd. WIOCC. 2010. EASSy-Tanzania_Final_Press_Release. 3/9/2011. Yin, R. K. 2003. Case Study Research: Design and Methods, London, Sage Publications.

83

Appendix
Glossary Application: Software whose primary purpose is to perform a specific function for an end-user, such as Microsoft Word. Cracker (a.k.a hacker): The correct name for an individual who hacks into a networked computer system with malicious intentions. The term hacker is used interchangeably (although incorrectly) because of media hype of the word hacker. A cracker explores and detects weak points in the security of a computer networked system and then exploits these weaknesses using specialized tools and techniques. Cybercrime: A criminal offense that involves the use of a computer network. Cyberspace: Refers to the connections and locations (even virtual) created using computer networks. The term Internet has become synonymous with this word. Gateway (Router): A network node connected to two or more networks. It is used to send data from one network (such as 137.13.45.0) to a second network (such as 43.24.56.0). The networks could both use Ethernet, or one could be Ethernet and the other could be ATM (or some other networking technology). As long as both speak common protocols (such as the TCP/IP protocol suite), they can communicate. Internet Service Provider or ISP: An organization that provides end-users with access to the Internet. Note: It is not necessary to go through an ISP to access the Internet, although this is the common way used by most people. Host: Same as a node. This is a computer (or another type of network device) connected to a network. Internet: A global computer network that links minor computer networks, allowing them to share information via standardized communication protocols. Although it is commonly stated that the Internet is not controlled or owned by a single entity, this is really misleading, giving many users the perception that no one is really in control (no one owns) the Internet. In practical reality, the only way the Internet can function is to have the major telecom switches, routers, satellite, and fibre optic links in place at strategic locations. These devices at strategic locations are owned by a few major corporations. At any time, these corporations could choose to shut down these devices (which would shut down the Internet), alter these devices so only

84

specific countries or regions could be on the Internet, or modify these devices to allow/disallow/monitor any communications occurring on the Internet. Search Engine: An Internet resource that locates data based on keywords or phrases that the user provides. This is currently the main method used on the Internet to find information. Current search engines are Google, Yahoo, Bing, Ask, AOL search, etc. WWW: World Wide Web; also shortened to Web. Although WWW is used by many as being synonymous to the Internet, the WWW is actually one of numerous services on the Internet. This service allows e-mail, images, sound, and newsgroups.

85

A. Questionnaire
1. What type of business activity is your company involved? (Tick the most appropriate) * Several answers are possible. - (0.00%) Accommodation and Food service - (0.00%) Agriculture/Mining - (0.00%) Arts/Entertainment/Recreation - (0.00%) Construction - (0.00%) Education services - (0.00%) Finance/Insurance - (0.00%) Healthcare services 2 (66.67%) Information services - (0.00%) Legal Services - (0.00%) Management/Consulting - (0.00%) Manufacturing - (0.00%) Non-Government/International Organisation - (0.00%) Professional/Scientific/Technical services - (0.00%) Public administration - (0.00%) Real Estate - (0.00%) Retail/Distribution - (0.00%) Tourism - (0.00%) Transportation - (0.00%) Utilities - (0.00%) Not Sure 1 answer(s) from the additional field: - UN 2. What is the size of your company in number of employees? * Only one selection possible. - (0.00%) 1-9 - (0.00%) 10-25 - (50.00%) 25-50 - (0.00%) 51-100 - (50.00%) More than 100 3. What is the size of your company in annual revenue?* Only one selection possible.

86

- (0.00%) Up to 5 million - (0.00%) Above 5 million to 200 million - (0.00%) Above 200 million to 800 million - (100.00%) Above 800 million - (0.00%) Not Sure 4. How many computers does your company have/use in its daily operations? * Only one selection possible. - (0.00%) 1-5 - (0.00%) 6-20 - (33.33%) 21-50 - (66.67%) More than 50 5. Do you have a website for your business and what can customers/potential customers do on your site? * Several answers are possible. - (28.57%) Find company/organisation/product information - (14.29%) Access an online service such as a proprietary database or manage an account - (14.29%) Download a product (software or other product) - (0.00%) Make an appointment for a service call - (0.00%) Request customer service - (14.29%) Provide feedback on products and services - (0.00%) Make a purchase - (0.00%) Make a payment for service - (14.29%) Research - (0.00%) Non applicable/No website - (0.00%) Not Sure 1 answer(s) from the additional field: - To learn the activities of the organisation 6. What do your employees use the Internet for? (Choose all that apply) * - (27.27%) Internal communication i.e. fellow staff. inter-branch sites - (27.27%) Communications with customers/vendors/business partners - (0.00%) Managing financial and accounting - (9.09%) Managing a database - (9.09%) Procurement - (9.09%) Research/E-learning

87

- (0.00%) Personal/Recreation i.e. Facebook. Chat, utube, games - (0.00%) Not Sure 2 answer(s) from the additional field: - Also emails with fellow staff and clients - Personal use 7. What percentages of your employees use the Internet every day? * Only one selection possible. - (0.00%) None - (0.00%) 1%-25% - (0.00%) 26%-50% - (66.67%) 51%-75% - (33.33%) 76%-100% - (0.00%) Not Sure 8. How dependent on the Internet is your business for its day-to-day operations? * Only one selection possible. - (100.00%) Very dependent - (0.00%) Somewhat dependent - (0.00%) Not very dependent - (0.00%) Not at all dependent - (0.00%) Not sure 9. Do you have an internal IT manager whose job is solely focused on IT? (i.e. backing up information, managing email accounts and website, updating their software, troubleshooting technology-related issues, etc.) * Only one selection possible. - (100.00%) Yes - (0.00%) Yes, I am the IT manager - (0.00%) No - (0.00%) No, IT-savvy employee - (0.00%) No, we outsource an IT consultant - (0.00%) No, We use the technology reseller or IT resale partner - (0.00%) Not, sure 10. Does your company have a formal Internet security policy? * Only one selection possible. - (66.67%) Yes - (0.00%) No - Answer from the additional field:

88

- Yes, but it is not formal 11. Do you have a privacy policy that your employees must comply with when they handle customer information? * Only one selection possible. - (66.67%) Yes - (0.00%) No 1 answer(s) from the additional field: - N/A 12. Do your business handle/store sensitive information and if so of what nature would you class this information? (Choose all that apply) Several answers are possible. - (20.00%) Customer data - (0.00%) Financial record and reports - (20.00%) Privacy information (patient data, personal information) - (40.00%) Employee personal data - (0.00%) Intellectual property (patent, design document) - (0.00%) None/Not sure - (20.00%) Yes 13. Do all of your employees have access to the same information on your network? *Only one selection possible. - (33.33%) Yes - (66.67%) No 14. What percentage of your employees takes a laptop, PDA or phone that has company info home/off site? * Only one selection possible. - (33.33%) 1-25% - (33.33%) 26-50% - (33.33%) 51-75% - (0.00%) 76%-90% - (0.00%) More than 90% - (0.00%) None - (0.00%) Not sure 15. Can your employees work from their home computers or access company information from their personal mobile devices (access network, applications, email etc.)? *Only one selection possible. - (33.33%) Yes - (33.33%) No 1 answer(s) from the additional field:

89

- Yes, only for VIPS 16. Have you experienced any cyber threats or attacks on your network and if so what was the nature of the threat/risk? You can enter your answer here. Answers: - yes at least once 17. What do you think/feel about the trend of cyber attacks/threats in the past year? Please select one evaluation field and one weighting field per line. Value matrix 1 2 3 4 5 answer 1 2 significantly reduced

Reduced Increased Neither Significantly Increased no 3 G 4 1x 1x 5 1x 1x 1x 4.00 3.00 2.00 -

Virus infections 1.00 Suspicious emails Malware attacks Cyber attacks -

Cyber threats/Incidence 4.00 -

= respective average per line in points G = respective weighting of the importance of each line in % (0% unimportant / 100% very important) 18. How often do you have the person or people responsible for IT check your companys computers to ensure that anti-virus, anti-spyware, firewalls and operating systems are up-todate? * Only one selection possible. - (66.67%) Weekly - (0.00%) Monthly - (0.00%) Annually - (0.00%) Never - (0.00%) Not sure 1 answer(s) from the additional field: - Daily, as we also automate most features 19. What is more important when attempting to access information on your network?

90

Please select one evaluation field and one weighting field per line. Value matrix 1 2 3 4 5 Answer 1 2 3 Not important

Would like to have Good to have Important Very Important no 4 G 5

Speedy access to the information 3x 4.00 67%

Access is limited by passwords and user privileges 3x 5.00 100%

Access to information is restricted and encrypted 3x 5.00 67%

Information is backed up on a remote site 3x 5.00 67%

= respective average per line in points G = respective weighting of the importance of each line in % (0% unimportant / 100% very important) 20. Would you know if your computer network was compromised (i.e. infected with a virus, private information stolen, etc.)? * Only one selection possible. - (33.33%) Yes - (33.33%) No - answer(s) from the additional field: - Yes, for most virus infections 21. Are you more concerned about an internal threat to your company such as an employee, ex-employee, or contractor/consultant stealing data, or an external threat such as a hacker or cybercriminal stealing data? * - (33.33%) External threat - (66.67%) Internal threat - (0.00%) Both - (0.00%) Neither - (0.00%) Not sure

91

22. Which of the following Internet network usage policies does your business have in place? (Choose all that apply). * (14.29%) The employee is responsible for protecting customer data (28.57%) The employee is responsible for protecting company data (28.57%) The employee is responsible for protecting personal data (14.29%) The employer can clarify of what websites and web services employees can use - (14.29%) All of these - (0.00%) None on these - (0.00%) Not Sure 23. How satisfied are you with the amount of security you provide to protect your business information; i.e. customer or employee data? * Only one selection possible. - (33.33%) Very satisfied - (0.00%) Satisfied - (66.67%) Somewhat satisfied - (0.00%) Somewhat dissatisfied - (0.00%) Dissatisfied - (0.00%) Very dissatisfied - (0.00%) Not Sure 24. Which of the following best describes your thoughts on cyber security? Only one selection possible. - (0.00%) Cost of doing business - (33.33%) A nice thing to have - (33.33%) Overhead - (33.33%) Competitive differentiator - (0.00%) None/Not sure 25. What are your companys primary sources for information regarding online safety and security? (Choose all that apply) * Several answers are possible. Number of answers: 3 - (22.22%) Web site of software or hardware vendor - (22.22%) Peer (other business owner or trusted professional) - (33.33%) Internal IT professional - (0.00%) Other companies that provide services to small business - (11.11%) Technology publication website

92

- (0.00%) Internet Service Provider newsletter - (11.11%) Internet Service Provider website - (0.00%) Social Media (Small business forums) - (0.00%) Website of a non-profit group - (0.00%) Local business association - (0.00%) Government website - (0.00%) Not sure 26. Do you provide training to your employees on how to use the Internet safely and securely? * Only one selection possible. - (0.00%) Yes - (66.67%) No - (0.00%) Not Sure 1 answer(s) from the additional field: - Yes, but not formally 27. Which of the following best describes the steps you take to protect customer and employee data? Only one selection possible. 3 (100.00%) We have multiple layers of computer security - (0.00%) We have a minimal threshold of security - (0.00%) We dont take any steps to protect customer or employee data - (0.00%) We rely on someone outside the company take care of it for us - (0.00%) Not Sure 28. What is your suggestion for improvement on Cyber security in the office? Number of answers: 1 - policies and enforcement Answers:

Also one can click link below to visit the online posted survey questionnaire and results. http://www.esurveycreator.com/?url=results&c=d016105-4eb4231

93

Research Schedule

94

Research Budget

95

5.4. Respondents Comments A Recent Attacks/Threat

Yes at least once; Yes - virus that destroy user files; Hacking, minimum damage; mostly virus issues; Suspected once the mail server was attacked but was never really proved. Nevertheless we have put in place firewalls and secure OS's on the mail server; The company mainly experiences public email Cyber-attacks - these are Exchange Public emails ID's shared by Employees of the same lever e.g. Africa Ops, Europe Ops etc. Hacked and our hacked server stop working; Yes. We have been hacked in one of our server and all login information was changed and some data deleted too; Yes, I have experience some remote login by ssh made by automatic script from other network and others; Little bit on virus but we have manage to secure our systems; Yes- the nature of the risk was spammers; Once Our Mail Server Have Been Black Listed Due To Virus And Spam Attack; Viruses and Malware; Yes, System Intrusion; Yes, virus attack which made our network to be very slow; We have experienced such attacks in isolated in LAN, virus attach. Risks which were associated with such attacks included loss of organizational data in particular branches that are using disparate databases.; We have experienced such attacks in isolated in LAN, virus attach. Risks which were associated with such attacks included loss of organizational data in particular branches that are using disparate databases. We experience cyber-attacks daily and hourly. We have had 5 break-ins in the past 12 months and another 15 years ago. Someone got access to a user password and then somehow got root password eventually. Virus infections, suspicious emails; Denial of service attack; We face problem through corrupt files coming through internet; Receiving emails from people we dont know who claim to have a lot of money they want to share/donate. These people want our/my bank detail and other personal details. I have to get serious threat of virus and lost some of the records office, the nature of the threat was a result of impaired ant virus is appointed ant virus for example Kaspersky you are told it is also a 2011 and a year-round but the most surprising thing was that it did not work for a year if you are told at the beginning other virus that have initially overwhelmed the computer receives virus attacks. Worms, Trojans, virus malware and other internet security threats; Yes spam mail attack; Trojan horses, periodically; - Virus and spyware; -

96

Website hack. Site was restored from backup; - We have rarely experienced virus attacks. ;Yes! sometimes Mozilla Fire Fox failed to open Yahoo, Gmail and Facebook; - yes, spam and brute force attack

5.5. Respondents Comments B- Improvements

Policies and enforcement Make people aware of it and learn to prevent it Avoid virus problems by using desktops running Mac or Ubuntu. Have a firewall. Have multiple backup points. Training and sharing of info. More needs to be done to be more secured. Improved vigilance on teaching staff and making sure our work stations are up to date with latest protection software/patches i.e. anti-virus or O.S updates The company should consider encryption for working from home employees! Insure access level, create computer accounts for all users and use username and password for login To have multiple layers of computer security in all servers Putting more backup and improve authentication Institute should have more modern UTM devices and smart switches to supports those UTM To have licensed products. Training on cyber security to technical staff, managers and end-users is very important Have simple applicable cyber security policy that can easily be adopted by all concerned, and sustainably enforced. Evaluate the cost of compromised cyber security and use that as a basis for planning and budgeting for cyber security. instilling discipline and integrity in the company`s employees in regard to company information and data usage Create awareness on the cyber security through training and publications. To educate cross section of the employee, management and policy maker the benefit of Cyber security to put in place in our organization. Have more user friendly antivirus which will enable normal uses to set required setups in their offices. Routine audits of servers and PC. Firm up the policy. Cyber intrusion software. Check security information frequently to be up to date is paramount (learning security should be permanent) Provide knowledge about it

97

Educating users on the cyber-crimes, users are the main vulnerabilities to the company data security. To provide good anti-virus program Too ignorant to suggest. that every employee received training to become more informed about the importance of cyber security Have a full-time IT security professional My advice is that anything you can protect well is safe and it is even feeling the damage will not be very big so everyone has to protect its facilities, especially computers which currently are working within our office. Develop an Internet security specific policy Maintain an always up to date anti-virus program. Provide training of employees on how Internet security threats and how they can protect themselves I see about improving safety within the office security you put in place security measures in a way that you enforce users limits i.e. to only read rights and not write and privileges. It is also within your own expense. Periodic checks by service provider (if possible) and prompt notifications, by the same. People to be aware of cyber threats and not to reply or open attached files from unknown sender Get some online training on cyber security. Cyber security implementation cost they must decrease so that we can reduce cost?

98