Cyberlag: African security is as lax as its weakest link

More regulation is needed to tighten African cybersecurity.

Computer Facilities is a small direct marketing agency, based north of Johannesburg in Randburg, which lists just 27 employees on LinkedIn. Mid last month it was responsible for a 1.7 million customer data breach for Nedbank, one of South Africa's largest banks.

Safe to say, Nedbank is a sizable operation. It employs 31,277 people and operates through subsidiaries and external outlets across eight African countries, including Kenya and Angola, as well as neighbouring regions. Its hacked customer data included names, ID numbers, telephone numbers and even email and physical addresses.

As Nedbank CEO, Mike Brown, explained in a television interview for CNBC Africa, he understood the "responsibility" for the breach lay with Nedbank although "nothing at Nedbank was comprised in any way". It simply had a weak data link through a principle supplier.

An anonymous security researcher interviewed by MyBroadband stated that Computer Facilities' security was lax. "Email addresses belonging to Computer Facilities staff come up in data leaks of usernames and passwords, and the passwords are extremely weak," read the editorial. "Some are simple dictionary words and others are words followed by a short series of digits."

MyBroadband added this shows that staff "are poorly educated in proper security practices - not unlike many other corporate users in South Africa".

Big banks and other large corporate operations may have best-in-class security measures in their own organisations but they're still only as strong as their weakest supplier. And evidence suggests that across Africa - even within the better developed, more prosperous markets, like South Africa - cybersecurity is lagging behind other parts of the world.

Africa is over targeted and under regulated

October research from Check Point [PDF] showed that although the cost of data breaches across the continent is less than in developed markets, companies there get attacked nearly three times as much as their global counterparts (1502 times per week, compared to 596 attacks per organisation). It listed the most attacked countries as Namibia, Zambia, South Africa and Nigeria.

The number of high-profile cyberattacks is also on the rise. In South Africa, for example, June 2018 saw the country's largest data breach to date, exposing around 30m client records from insurance firm Liber. While October 2019 saw the cyber network of the Johannesburg City Council shut down for nearly two weeks by a ransomware attack, which was not dissimilar to one carried out on City Power, only three months earlier. 

Like elsewhere in the world, the cost of breaches is also rising with a year-on-year increase of 12.6% in South Africa through 2019, according to the annual breach report conducted by the Ponemon Institute for IBM Security. The mean time to identify a data breach also increased by 25 days while the mean time to contain the breach rose by 16 days.

Many of these same trends can be seen elsewhere, hardly making Africa unique. However, Knowbe4, which provides security training, produced a report last December covering eight key African markets that suggested several factors makes cybersecurity more of a problem across the continent.

Firstly, Africa's reputation: many criminals consider it a safe haven for their illegal operations, suggested the report. Secondly, worse funding: it claims cyber security budgets are reported to be less than 1% or are non-existent in "many organisations". Thirdly, a lack of awareness from ordinary users - especially with the sharp uptick of consumers getting online. And finally - and perhaps most significantly - a lack of legislation and law enforcement.

"According to a report by the African Union only about 20% of African states have basic legal frameworks to deal with cybercrime," Knowbe4 wrote. "Kenya, South Africa and Mauritius are probably the most advanced in this regard and Nigeria is coming up fast."

Pan-African security measures are limited

New measures are coming into place, but these are largely incremental, and still don't go far enough. More conferences and gatherings, for example, are emerging - such as The Africahackon, a forum where cybersecurity experts can join forces to work together to solve the issue of hacker attacks. 

Then there are the profile cash handouts. Earlier this month, CREST, an international not-for-profit accreditation and certification body, received a $1.4M grant to help build cyber security capacity in Africa and Asia from the Bill & Melinda Gates Foundation. The press release stated that this will aim to help increase cyber security capacity in Nigeria, Uganda, Tanzania, Kenya, Ethiopia, Pakistan, Bangladesh and Indonesia.

We've seen initiatives like this before, of course. They provide outstanding PR for the benefactors but rarely go far enough in practical terms. The "Digital Villages" program, which was launched with great fanfare by Gates himself in 1997 was a good example of this - as IDG Connect investigated [PDF], despite the hype, the program ultimately collapsed due to lack of consistent follow through.

Perhaps one of the most significant recent cybersecurity developments for the continent was that in October 2018, The African Union Commission (AUC) put out a call for experts to join its African Union Cyber Security Expert Group (AUCSEG). This suggested a move from the top to change things, albeit a rather slow one, as it took till last December for the group to hold its first meeting.

Now they're asking African experts to submit their views of the current state of cybersecurity across the continent - especially what it's done right and what can be done better. Earlier this month Tomslin Samme-Nlar, a researcher from Cameroon, shared his view on CircleID.

In the ‘done right' category he listed the adoption of the African Union Convention on Cyber Security and Personal Data Protection in 2014 [PDF]  "even though most countries are yet to ratify the convention".  And highlighted the launch of the Privacy and Personal Data Protection Guidelines by the African Union Commission in partnership with Internet Society (ISOC). "That was also an important milestone towards secure cyberspace in Africa."

For the ‘can be done better' category he stressed his disappointment that continent-wide and regional initiatives like the Continental Free Trade Area (CFTA) "do not embed cybersecurity considerations and concepts at their conception phases:

"Digital trade generally requires a great deal of free movement and flow of personal data, as data is the lifeblood of the digital economy. A continent-wide digital trade involving consumers cannot occur without the collection and movement of personal data like names, email addresses, and billing information across borders.

"In order for such a market to be efficiently regulated, the region will need to look into unifying implementations of cybersecurity and data protection regulations across the continent."