In today’s fully connected workplace, every device that connects to the network is a potential entry point for criminals.
Recent technologies have driven rapid digital transformation across industries, with increased connectivity among the most significant changes. As a result, information has never been more valuable or more available.
But with increased connectivity come myriad security challenges. This was among the topics discussed at the July Africa Frontiers of Innovation.
The forum was hosted by Kenyan broadcast journalist Victoria Rubidari, and among the panelists were Confidence Staveley, award-winning founder of the Cybersafe Foundation, Nigeria; Catherine Muraga, Head of Engineering at Stanbic Kenya; and Quentyn Taylor, Director of Information Security at Canon for Europe, Middle East, and Africa.
The panelists noted with concern how data insecurity has become rampant with increasing digitization. In fact, according to a 2020 report, cybercrime costs the global economy USD 2.9 million every minute.
Banks and financial services are a popular target, but individuals, businesses of all sizes, and governments are also at risk.
Increased connectivity – the Internet-of-Things – creates more entry points for attack. Remote and hybrid working, where people work from home and public spaces, means operating outside usual company structures and controls.
“The consequences of cybercrime and breaches can be devastating. We can’t over-emphasize the importance of data and information security; the connection between our virtual and physical lives is closer than ever,” said Staveley.
Everyone is at risk of getting hacked. With digitization, we are part of a global village. What happens in one region can affect people all over the world.
Types of Attacks
Threats range from malware and ransomware to social engineering. According to an IBM report, 51 percent of attacks are attributed to malicious or criminal actions.
The attackers vary from opportunists looking for an ‘open window’ to giant syndicates like Nigeria-based SilverTerrier, which has carried out more than 2.1 million attacks.
“It’s not one type of person,” said Taylor. “A few are motivated by the challenge. Most are doing it for the money and exploit any opportunity.”
“Criminals generally choose easy targets,” said Staveley. “In Africa, many businesses are not just low-hanging fruit; they are literally on the ground, without the most basic security measures in place.”
Staveley said manipulating people to divulge sensitive information, aka social engineering, is the top attack vector in Nigeria.
“Phishing, using email ‘bait’ to catch people, mobile vishing, and smishing via SMS are all used. COVID-19 brought a wave of attacks around relief efforts and vaccines. Opportunity scams take advantage of this instability and people’s desperation for jobs, scholarships, and new opportunities,” he added.
Being part of the Cloud brings a shared responsibility, and guarding data in the Cloud is up to both the provider and the customers. If SMEs and other businesses are not configuring the Cloud correctly, it can have massive implications for other users.
Regulation is inconsistent across the continent. “I come from a financial services perspective which is strongly regulated, but many industries are not, from a compliance or regulation perspective,” said Muraga.
Staveley agreed regulations and compliance are at different levels of maturity across Africa. An African Union Commission survey found that only 8 of 55 African states surveyed had a national strategy on cybersecurity, and only 14 had personal data protection laws.
“There needs to be more accountability and openness. Most regulations in this part of Africa do not mandate reporting a breach. This stops us from learning or making people more responsible. If we don’t step up, our global partners will demand it,” Staveley commented.
Businesses and countries that don’t comply may lose access to participating in the global economy.
“In a global village, you are forced to comply with international regulations or be left behind,” said Muraga.
Information security and risk management can be expensive; Gartner has forecast that spending will grow to over $150 billion worldwide in 2021.
There’s also a massive cybersecurity skills gap, estimated at a shortage of over 100 000 qualified professionals on the continent.
Even companies with solid cybersecurity in place can be at risk if their third-party service providers are compromised. The often-poorly-resourced small business sector in Africa creates openings for criminal activity.
Muraga believes the debate around whether convenience or security should be a top priority is a complicating factor. “I’m in the business of trust, our systems need to be user-friendly, and our customers need to feel confident. For security personnel, it’s about how to harden and protect the system; security has to come before convenience.”
Countermeasures & Developing Cyber-Resilience
Despite the enormous challenges, there are several countermeasures available to prevent attacks and aid recovery. The message is to focus on the basics and plan accordingly.
“You will never stop 100% of attacks; you can’t be perfect,” said Taylor, “but you can have a plan.”
Asking key questions is crucial to developing an effective strategy. “What are your crown jewels, your prime assets? What could happen to them and what will occur as a result?” said Staveley. “An SMME may not be able to recover if they do not put measures and structures in place to guarantee the heartbeat of their business.”
According to Staveley, there are three pillars to an information security strategy – people, processes, and technology. “People are the strongest strength or weakest link.”
You can’t control attacks, but you can control how quickly you recover. Agree on how you’ll handle cyber-attacks. Muraga said practice makes perfect: “Conduct regular simulations, with different scenarios. Go beyond just the tech, look at who gets called, who deals with customers, who deals with the regulator, get the Board to buy into how you will react and what their role is should a breach occur.”
Training doesn’t need to be expensive. “We worked with over 4,000 SMMEs in Nigeria, and 67% of employees did not recognize a phishing link. Most people didn’t know basic two-factor authentication. All your employees need to know about email and password hygiene and basic security. Get the basics right and build from there.”
Taylor agreed: “Protect your email. It’s the gateway to your customers. A single leak can lead to an attack. Set up business processes that prevent money from being stolen if one person’s email is compromised. You may have already paid for security services through your email and internet provider; check what you already have and plan from there.”
Working in partnership can provide security that wouldn’t be available otherwise. “Reach out to banks, regulators, and corporates to see if there is an opportunity for partnership,” said Muraga. “Look at outsourcing to a more experienced company.”
Choose third-party service providers that prioritize security. Assess the risk of all third parties and check whether their security is up to par, because in today’s fully connected workplace, every device that connects to the network is a potential entry point for criminals.