Why Africa's surge of digitalisation makes it a target for hackers

A new report reveals a lot of work is needed to improve cybersecurity in Africa. We look at the cybersecurity challenges facing business in Africa, and why education and awareness is so vital.

IDGConnect_security_africa_shutterstock_1661895769_1200x800
Shutterstock

Africa has the youngest population in the world, with a median age of just 19.7 years, and this youthful society is driving technology adoption and use across the continent. According to Ericsson, mobile data consumption in sub-Saharan Africa will grow more than four-fold to 2025, and the IMF reports that this region is the only one in the world where nearly 10% of GDP is generated through mobile money.

However, Africa’s surge of digitalisation comes hand-in-hand with new risks and vulnerabilities.

Traditionally Africa hasn’t been a large target for cybercriminals, but this has changed dramatically in recent years says Anna Collard, VP Content Strategy and Evangelist at security and compliance training organisation KnowBe4 Africa.

“Analysts note that between 2010 and 2014 they rarely saw any dark web threat actors mentioning South Africa. However, since 2016 there’s been a much higher focus on South Africa and other African countries among the criminal underground,” she notes.

A growing target for cybercriminals

Today Africa’s cybersecurity issues parallel those of Europe and North America, but the rapid increase in internet connectivity has led to a situation where the populace isn’t as prepared for the typical phishing attacks seen in the West.

“Some phishing scams are deliberately aimed at exploiting the religious aspects of many African nations,” says Vince Warrington, CEO of cybersecurity organisation Protective Intelligence and Dark Intelligence. “However, one of the biggest cybersecurity issues facing the region is African organisations being used by proxy by sophisticated attackers in Russia, China and North Korea to undertake attacks on Western organisations.

“The famous Bank of Bangladesh attack wasn’t aimed at stealing $1bn from Bangladesh itself, but from a bank in the US. These ‘supply chain’ attacks should concern both the African and Western financial sectors,” he says.

A cybersecurity imbalance

Currently there’s a large imbalance between African nations when it comes to cybersecurity. The International Telecommunications Union cites Kenya, Rwanda and Mauritius as leading the way – the last ranked 16th in the world ahead of South Korea, Finland and Germany ­– but over 50% of the bottom 20 ranked nations were African.

To an extent you can follow the money says Jonathan Tullett, Senior Research Manager at analyst firm IDC.

“South Africa and Mauritius both have thriving finance services sectors and security is top of mind,” he explains. “The level of foreign investment is also a factor; Cote d’Ivoire, with its extensive French representation, has the advantage of skills and experience imported from France, but in practice that often doesn’t actually translate into local skills development.” 

There’s also a disjointed approach to cybersecurity across Africa, with a lack of standardised cybercrime and data protection regulations across the continent. For example, only 19 of the 54 countries have ratified or signed the AU Convention on Cybersecurity and Personal Data Protection, also known as the Malebo convention.

“This means many countries either don’t have any law in place to curb cybercrime or they are embarking on their own local data protection and privacy regulation journeys rather than standardising on one common set of guidelines,” highlights Collard. “All this makes Africa an attractive market for cybercriminals, who’re already shifting their attention to the emerging economies.”

Issues to overcome

These aren’t the only challenges Africa faces when it comes to securing the digital realm however. According to Tullett, skills are the number one issue. There’s a lack of skilled professionals available and those who have the skills are expensive to hire.

The risks from cybercriminals have also been exacerbated due to the Covid-19 pandemic and the necessary move to remote working. This has put existing organisational IT systems under pressure as companies must contend with an influx of connections into the corporate back-end says Lehan van den Heever, Enterprise Cybersecurity Advisor for cybersecurity firm Kaspersky in Africa.

“More companies are exposing their systems online while their focus turns to always-on availability. However, few of them have considered how to adapt their cybersecurity controls to this new environment. This results in some databases and systems inevitably being left open to intruders.” He goes on to add that data breaches will only get worse in the coming months as people start experiencing fatigue around the pandemic and let their guard down when it comes to cybersecurity best practice.

How can Africa’s cybersecurity challenges be addressed?

African businesses have many challenges to face, but what are the solutions? With human behaviour responsible for a significant amount of data breaches, van den Heever cites employee education as one of the most effective ways to combat cybercrime.

“Employee training is one of the most important defence mechanisms. They need to learn how to spot social engineering and phishing attacks, understand how weak passwords put them at risk and how multifactor authentication works. They should also learn how to protect their home networks and what to do in the event of a security incident,” says Collard.

But work also needs to be undertaken at a national and international level. A continent-wide collaborative approach to cybersecurity will help African nations spread the burden of cyber defence and share their experience and knowledge says Warrington.

“There needs to be pressure from African governments to force businesses to increase their cyber capabilities, but in the first instance these governments need to understand the current digital threat landscape and cyber preparedness within their boundaries. This applies to their own departments as well as businesses,” he says.

“By understanding what businesses face, governments can better help them to fend off cyberattacks. Developing a national computer emergency response team (CERT) can go a long way to helping businesses that are attacked, but also developing a culture where businesses, government and law enforcement can share knowledge and experience is also required,” he concludes.