Fraud and cyber risk: addressing new threats in Africa

14/04/2021 Global cybercrime costs are expected to hit $10.5 trillion annually by 2025 and two thirds of business leaders rank cybercrime as one of their top five risks. Africa – a world leader in mobile banking – is a prime target for cybercrime and, as phishing and fraud get more sophisticated, businesses on the continent need to find new ways to protect themselves, including strengthening legal frameworks, regulation and cyber education.

Attacks on the rise

It is estimated that every 14 seconds a business falls victim to a ransomware attack. While attacks are rising globally, African businesses have been particularly hit as the continent has rapidly increased its internet penetration in recent years. This has left users vulnerable to fraud and systems unprotected to hackers.

Despite some improved risk mitigation and companies taking cybercrime more seriously – including annual reports and financial statements including information on operational risk and cybersecurity – attacks remain frequent. In 2020, Africa saw 28 million malware attacks and 102 million detections of potentially unwanted applications (PUAs).

While investigations often reveal a strategic motivation of the attacker, it’s not always the case. Hacker Yunus Incredibl attracted global attention in 2014 for his attacks on six Senegalese government sites, exposing vulnerabilities and signalling the need for tightened cybersecurity - all just to show off what he could do.  

Leveraging central banks and regulation to mitigate risks

To better assess cyber risk, central banks on the continent are starting to issue instructions and guidelines on technical and organisational issues. The Association of African Central Banks (AACB) recently shared the fintech and cybersecurity initiatives of African central banks. Of 31 banks surveyed, 11 had specific legal frameworks against cybercrime, according to the report.

In an effort to reduce cybercrime, a number of African countries have developed, or are developing, a regulatory framework - including Benin, Morocco, Tunisia and Togo. While in Ivory Coast there is an oversight body for cybersecurity issues.

Other countries, such as Tunisia and Kenya, have proposed protective frameworks similar to the European GDPR (General Data Protection Regulation) model adopted in 2016, which is designed to give individuals control over their personal data. GDPR requires controllers and processors of personal data to implement data protection principles that consider the six lawful bases: consent, contract, public task, vital interest, legitimate interest and legal requirement.

While the continent might take information and inspiration from GDPR, there are limitations. Article 5 of GDPR calls for the ‘appropriate security of personal data’, which leaves a lot of room for interpretation, Meanwhile the appointment of a data protection officer is only required if the processing is carried out by a public authority. Both points should be addressed by a potential continental version of the regulation.

Important role of education

One of the crucial points of entry for all attackers is to try to take advantage of the technical deficit and make use of tools that are no longer up to date. Education, therefore, is key to preventing cyber-attacks. Investing in education and training could help significantly reduce the amount of cybercrime, as a better understanding among IT users of the common practices deployed by attackers could lead to earlier identification of threats.  

However, cyber risk awareness and the academic training of IT professionals in Africa to combat it remains low. Businesses need to raise awareness of cybersecurity issues and offer adequate training for staff. To do so, they should give cybersecurity professionals more authority: promoting professionals who have cybersecurity experience in areas like risk assessment, as education will facilitate the application of cyber policy and protection.

Building a safer future

While businesses, governments and regulators have been agile in expanding protective measures to tackle cybercrime, the tactics used by malicious attackers are constantly evolving. Adapting to new threats, new technical standards and tools remain a challenge.

Businesses are well aware of the threat and are beginning to take the necessary steps to improve cybersecurity: our ‘Tech Train’ report, cited cyber-attacks as the second biggest concern for business leaders, who acknowledge that no technology comes without risks.

Implementing, creating and formalising cybersecurity rules and education following the models used in the AACB, and incorporating cybersecurity insurance policies, which allow companies to insure against cybersecurity incidents, will be an important step forward. Every stakeholder has a role to play and sharing best practices and experiences will help improve security on a regional and global level.