The July edition of the Africa Frontiers of Innovation panel, hosted by Kenyan broadcast journalist Victoria Rubidari, included Confidence Staveley, the founder of the Cybersafe Foundation, Nigeria; Catherine Muraga, Head of Engineering at Stanbic, Kenya; and Quentyn Taylor, Director of Information Security at Canon for Europe, Middle East and Africa.
Rapid digital transformation means information has never been more valuable and available. With this growing value come increasing threats – according to a 2020 report, cybercrime costs the global economy $2.9 million every minute. Banks and financial services are a popular target, but individuals, businesses of all sizes and governments are also at risk.
Increased connectivity – the Internet-of-Things (or IoT) – creates more entry points for attack. Remote and hybrid working, where people work from home and public spaces, means operating outside usual company structures and controls.
Staveley said the consequences of cybercrime and breaches can be devastating. “We can’t overemphasise the importance of data and information security; the connection between our virtual and physical lives is closer than ever.”
“There are now three guarantees in life – death, taxes and the risk of getting hacked,” said Taylor. “Everyone is at risk. We are part of a global village. What happens in one region can affect people all over the world.”
Types of Threats
Cybercrime takes many forms on the continent – malware, ransomware and social engineering are commonplace. According to an IBM report, 51% of attacks are attributed to malicious or criminal actions. These vary from opportunists looking for an ‘open window’ to giant syndicates like Nigeria-based SilverTerrier, which has carried out more than 2.1 million attacks.
“It’s not one type of person,” said Taylor. “A few are motivated by the challenge. Most are doing it for the money and exploit any opportunity.”
“Criminals generally choose easy targets,” said Staveley. “In Africa, many businesses are not just low-hanging fruit, they are literally on the ground, without the most basic security measures in place.”
Staveley said manipulating people to divulge sensitive information, aka social engineering, is the top attack vector in Nigeria. “Phishing, using email ‘bait’ to catch people, mobile vishing and smishing via SMS are all used. COVID-19 brought a wave of attacks around relief efforts and vaccines. Opportunity scams take advantage of this instability and people’s desperation for jobs, scholarships and new opportunities.”
Taylor explained that being part of the Cloud brings a shared responsibility. “Guarding data in the Cloud is up to both the provider and the customers. If SMEs are not configuring the Cloud correctly, it can have massive implications for other users.”
Regulation is inconsistent across the continent. “I come from a financial services perspective which is strongly regulated, but many industries are not, from a compliance or regulation perspective,” said Muraga.
Staveley agreed regulations and compliance are at different levels of maturity across Africa. An African Union Commission survey found that only 8 of 55 African states surveyed had a national strategy on cybersecurity and only 14 had personal data protection laws. “There needs to be more accountability and openness. Most regulations in this part of Africa do not mandate reporting a breach. This stops us from learning or making people more responsible. If we don’t step up, our global partners will demand it.”
Businesses and countries that don’t comply may lose the ability to participate in the global economy. “In a global village you are forced to comply with international regulations or be left behind,” said Muraga.
Information security and risk management can be expensive; Gartner forecast that spend would grow to over $150 billion worldwide in 2021. There’s also a massive cybersecurity skills gap, estimated at a shortage of over 100,000 qualified professionals on the continent.
Even companies with solid cybersecurity in place can be at risk if their third-party service providers are compromised. The often poorly resourced small business sector in Africa creates openings for criminal activity. “At Canon, we have a team and a large budget, but most SMMEs do not. If they get attacked, you can be at risk too.”
Muraga believes the debate around whether convenience or security should be a top priority is a complicating factor. “I’m in the business of trust, our systems need to be user-friendly and our customers need to feel confident. For security personnel it’s about how to harden and protect the system; security has to come before convenience.”
Countermeasures & Developing Cyber-Resilience
Despite the enormous challenges, there are several countermeasures available to prevent attacks and aid recovery. The message is to focus on the basics and plan accordingly. “You will never stop 100% of attacks, you can’t be perfect,” said Taylor, “but you can have a plan.”
Asking key questions is crucial to developing an effective strategy. “What are your crown jewels, your prime assets? What could happen to them and what will occur as a result?” said Staveley. “An SMME may not be able to recover if they do not put measures and structures in place to guarantee the heartbeat of their business.”
According to Staveley, there are three pillars to an information security strategy – people, processes and technology. “People are the strongest strength or weakest link.
You can’t control attacks but you can control how quickly you recover. Agree on how you’ll handle cyber-attacks. Muraga said practice makes perfect: “Conduct regular simulations, with different scenarios. Go beyond just the tech, look at who gets called, who deals with customers, who deals with the regulator, get the Board to buy into how you will react and what their role is should a breach occur.”
Training doesn’t need to be expensive. “We worked with over 4,000 SMMEs in Nigeria and 67% of employees did not recognise a phishing link. Most people didn’t know basic two-factor authentication. All your employees need to know about email and password hygiene and basic security. Get the basics right and build from there.”
Taylor agreed: “Protect your email. It’s the gateway to your customers. A single leak can lead to an attack. Set up business processes that prevent money from being stolen if one person’s email is compromised. You may have already paid for security services through your email and internet provider; check what you already have and plan from there.”
Working in partnership can provide security that wouldn’t be available otherwise. “Reach out to banks, regulators and corporates to see if there is an opportunity for partnership,” said Muraga. “Look at outsourcing to a more experienced company.”
Choose third-party service providers that prioritise security, like Canon, whose partners benefit from their global expertise and experience in developing secure document and information management systems. “Assess the risk of all third parties, check their security is up to par,” said Taylor. “In today’s fully connected workplace every device that connects to the network is a potential entry point for criminals.”
“Security is one of four key pillars of Canon’s approach,” said Mai Youssef, Corporate Communications and Marketing Services Director, Canon CNA. “We are proud to have been recognised as the IDC MarketScape leader in worldwide security solutions and services because our products, services and solutions are developed with security in mind. We are committed to helping keep businesses and their customers safe and were delighted to host this enlightening session.”