Sections

Commentary

Cybersecurity in Africa: Securing businesses with a local approach with global standards

A Zimbabwe Stock Exchange official works on a computer after the close of trade in Harare June 6, 2014. Zimbabwe's stock market has fallen so far from last year's peak that some investors are stepping back in to scoop up consumer-oriented African growth plays. To match Africa investment ZIMBABWE-STOCKS/  REUTERS/Philimon Bulawayo (ZIMBABWE - Tags: BUSINESS) - GM1EA661KIC01
Editor's note:

This piece is the second in a two-part series examining the heightened and largely overlooked threat of cyberattacks on African businesses. The first part, which examines potential threat and consequences of cyberattacks on the continent, can be found here.

Cyberattacks on businesses around the world are on the rise, and Africa is not spared. These attacks cost businesses productivity, revenue, and client trust—not to mention the personal security of its patrons. For example, the 2017 Equifax data breach may have impacted 147.9 million consumers. The Wannacry ransomware attack of May 2017 has hit 150 countries, including many African ones. As this trend is on the rise, companies must develop a comprehensive approach to protect their informational assets and strengthen cybersecurity in order to be prepared to deal with these cyber risks. In order secure their digital transformation, companies doing business in Africa should prioritize these four key initiatives: implementing their cyber resilience strategies, developing cybersecurity skills, protecting data integrity, and integrating cyber risk protection in their decisionmaking process throughout all levels of management.

Figure 1. Key cybersecurity initiatives for African businesses

Global_CybersecurityInitiatives_AfricanBusinesses

Design and deploy cyber resilience

Companies must prepare for cyberattacks and get cyber resilient because the threat is ever-present and ever growing. Cyber resilience should begin at the board or executive level of the company by prioritizing and enacting procedures that will protect valuable assets and by integrating them as requirements into all business processes. Security should contribute to the enterprise’s growth embodied in its long-term strategy. Moreover, the company should build its cyber capabilities by raising awareness of and building employees’ skills in information security, securing the configurations and regularly updating its infrastructure and systems, using technologies for active surveillance, implementing proactive detection and rapid response to security breaches and incidents, and performing regular security audits and penetration testing.

Creating resilience goes beyond constructing walls to attackers; it also involves setting up dedicated processes for the management of cyber crises within the company, and collaboration at sectoral, national, and international level for an exchange of information and experience on cyber threats. Certification processes, like ISO/IEC 27001, released by the International Standard Organization (ISO), are useful resources for businesses seeking a baseline to address cybersecurity from a management system perspective.

Some African organizations are taking cyber threats seriously; ISO has reported an increase of 73 percent of Information Security Management System certified companies within a year, from 129 in 2015 to 224 in 2016, with the majority in South Africa, Nigeria, and Morocco. Despite this significant growth, the number of companies exposed remains abundant: For example, only 15 percent of Kenyan businesses have a system ready to “detect intruders.”

Develop cybersecurity skills

Experienced and qualified profiles in terms of cybersecurity and risk management are essential to support cybersecurity, but are rare on the continent. Companies must now develop skills-building and retention strategies to attract and maintain talented professionals to help implement their cyber resilience. This will be a particular challenge for businesses over Africa, as the need for information security and cybersecurity specialists is on the rise around the globe. In fact, by 2020, security skill management programs that include experimental recruitment and talent retention practices will rise to 20 percent, up from less than 1 percent in 2017.  African organizations must adopt effective strategies to face the brain drain of their most talented cybersecurity profiles. Indeed, as they gain the necessarily skills, those specialists become increasingly mobile and may choose to relocate, especially to Europe and North America.

Protect data integrity

The criterion of data integrity could supplant confidentiality as the primary goal of cybersecurity. The resurgence of attacks, like the many cases of ransomware in 2017 aimed at manipulating or destroying data, has highlighted the importance of data integrity, and the impact of breached data on organizations and citizens. Companies must strengthen their measures to prevent and recover from an incident of massive data corruption. For this purpose, conventional means such as backups and regular restoration of critical systems are important steps. In addition, innovative technologies such as blockchain could be useful to protect data integrity, if companies can mitigate the averse risks, as the technology is not mature yet. However, some African companies—especially in North Africa—are already investing in new technologies to address security threats. In fact, Middle East and North Africa information security spending grew 11 percent to reach $1.8 billion in 2017.

Integrate cyber risks awareness into the decision process

The best way to involve top management in the fight against cybercrime is to relay the risks to all the levels of the decisionmaking system. This process involves aligning cybersecurity objectives with the company’s strategic ambitions and defining the essential systems and assets that should constitute the priority scope to protect. The objectives thus defined can be appropriately budgeted and broken down at the tactical and operational levels in order to popularize cyber risk-aware culture (increase awareness on the importance of preventing and solving cyber risks) at all levels of the company.

Figure 2. Integrating cybersecurity into the wider decisionmaking process

Global_CyberSecurity_Figure2

To achieve this, the board and executive management should be more aware of their accountability in case of a cyberattack and recognize the need for skilled managers to identify and act against potential cyber threats. Unfortunately, the ISACA State of cybersecurity 2017 [1] reports that globally, just 21 percent of chief information security officers (CISO) report to the chief executive officer (CEO) or the board, while 63 percent report through the chief information officer (CIO). This latter reporting structure, which is even more common in Africa, positions security as a technical issue rather than a business concern, reducing the scope of action and effectiveness of any cybersecurity initiatives.

Conclusion

How prepared are businesses for a cyberattack? Each company must ask the question and prioritize the protection of their most valuable informational assets by adopting the best cybersecurity practices with a cyber risks-based approach. According to the current cyber-threat landscape, the priority actions suggested above are a starting line that companies, especially those doing business in Africa, can consider and implement in their own context. Not doing it will not only put their own profitability and survival at risk, but also impact the rights of their clients (especially in terms of privacy and identity protection). These actions are even more urgent for organizations involved in critical infrastructure protection (in sectors like health, water and energy, financial services, communications, governments, food, transportation, just to name a few) as it may increase their cyber exposure and put an entire country at risk. They will have no excuse!

[1] Note: Only 2 percent of respondents were in Africa.

Authors

The Brookings Institution is committed to quality, independence, and impact.
We are supported by a diverse array of funders. In line with our values and policies, each Brookings publication represents the sole views of its author(s).