Cybersecurity: Africa’s race against time against attacks

By Anaëlle Salamon
Posted on Tuesday, 31 August 2021 10:37

The pandemic was ripe for hacking and cyberattacks © Tinpixels/E+/Getty

Africa has been hit by an increasing number of cyberattacks since the start of the Covid-19 pandemic. Has it waited too long to launch an effective response?

The Covid-19 pandemic has transformed digital practices and uses, by democratising remote working. But the pandemic and remote working have also revealed cybersecurity’s potential flaws. “Between 2020 and 2021 alone, the number of attacks has almost tripled,” says Ali El Azzouzi, founder and managing director of the Moroccan company Dataprotect.

And yet, not enough resources have been allocated to deal with these threats. According to a study conducted in 2019-2020 by EY, 37% of companies in French-speaking Africa do not have a department dedicated to cybersecurity. And even when they do, 78% of the time it is a very small team made up of less than three people.

The same problem applies to the budget: only 8% of the companies surveyed had a specific budget of more than €500,000.

Cyberattacks on the rise

“The pandemic has intensified digital usage and encouraged malicious operating methods to flourish. During the first lockdown, companies were forced to adopt new means of communication, ones that were not the most secure, but they then found new methods, which are set to continue,” says Nicolas Arpagian, a professor at the École de Guerre Économique and author of La Cybersécurité, published by PUF.

Naturally, the situation differs between countries and sectors. Five African countries are in the top quarter of the International Telecommunication Union (ITU) ranking. The Global Cybersecurity Index rates each country by analysing different factors: national regulations and the international cooperation framework on the one hand, and technological, human and organisational capacities on the other.

Cyberattacks affect all sectors and companies, regardless of size, but banking and insurance seem to have a head start in protection. “These are highly regulated sectors and subject to many standards. Therefore, they cannot ignore cybersecurity, at the risk of facing sanctions, such as the withdrawal of a business license in certain cases. The banking sector, for example, has to comply with a number of financial, accounting and regulatory standards (ISO, SWIFT, central bank directives, Basel II and Basel III agreements) and therefore has no choice but to invest in cybersecurity,” says Azzouzi.

Silencing hacking

“Threats are now inevitable and so we feel that there are only two categories of companies: those that have already been attacked and those that will be attacked sooner or later,” says Dataprotect’s CEO. According to the pan-African consulting firm Serianu, which specialises in the field of cybersecurity, the total number of attacks that took place in 2017 cost the continent $3.5bn.

Another problem is that many companies often do not acknowledge that they have been attacked, as they are worried that it may tarnish their reputation. However, Transnet, which manages 60% of South Africa’s maritime freight, is an exception. At the end of July, it admitted – under pressure from its customers – that it had been the victim of an online “act of sabotage”, without giving any further information.

Often, an attack is not identified, which makes the situation worse. According to global digital security specialist Kaspersky, a one-week delay in detecting an attack increases the total damage by 27%.

“It is utopian to think that zero risk exists, even with the best cybersecurity devices. Companies should be aware that there is always a residual risk,” says Azzouzi.

Increasing awareness

“Mentalities are gradually changing, especially among managers,” says Arpagian. Companies had already started to become aware of the importance of cyber risks even before the pandemic began. Proof of this is the cybersecurity market’s value on the continent, which rose from less than $1bn to $2.5bn in 2020, according to the “Africa Cyber Security Market” survey led by the consultancy firm MarketsandMarkets.

To deal with cybersecurity, it is not only a question of investing, but also of training and recruiting the right resources.

But cybersecurity is not just a question of budget, as it also requires “multidisciplinary” thinking, according to the ITU. Companies often mistakenly place more emphasis on financial services than on other services when it comes to cybersecurity. For example, widespread remote working as a result of Covid-19 means that connections are no longer made from the company’s server and may be less reliable.

A simple lack of vigilance and insufficiently protected access to sensitive documents can cause numerous problems. Furthermore, employees themselves, without knowing it, can put their company at risk. According to Philippe Trouchaud, Chief Technology and Products officer at PwC, more than a third of data breaches that occurred in 2016 were due to human error and were therefore preventable.

“To deal with cybersecurity, it is not only a question of investing, but also of training and recruiting the right resources,” says Azzouzi. Although the number of opportunities in the sector are increasing, there is still a serious lack of IT engineers. “Today, the global need in terms of recruitment is more than 3 million cybersecurity engineers. In Africa, this is a major problem because it lacks sufficiently skilled people and does not produce enough cybersecurity engineers to meet companies’ needs,” continues the cybersecurity expert.

Search for skills

Dataprotect currently employs 150 specialised engineers from around 10 countries. “We have no other choice but to look for skills wherever they are,” adds its managing director.

Arpagian is more optimistic: “It should be noted that there are more and more training courses available on the continent at both technical and legal levels. Real African expertise can emerge, provided that these courses are expanded and made accessible to all, especially women.”

Existing establishments and new institutions are now beginning to offer training courses. For example, ENSA, the École Nationale des Sciences Appliquées in Marrakech, recently started offering a three-year course entitled “Cyber Engineering and Embedded Telecommunications Systems.”

In Kinshasa, the Institut Africain de Cybersécurité et de Sécurité des Infrastructures (I-CSSI) will open in early October. The goal is to eventually welcome 500 students and to inaugurate new campuses in Brazzaville as well as in Libreville, Douala and Casablanca in the next two years.

“We started from the premise that there was a shortage of skills on the continent, just like elsewhere. These jobs are new and there are many opportunities available. Our various courses are all taught at a professional level, and our students will very quickly go out into the field, doing apprenticeships in companies,” says Nathalie Kienga, the Institute’s director.

However, new graduates, who are highly prised by recruiters, are often tempted to leave the continent. “We have to admit that once our engineers have acquired the necessary skills, we are faced with a brain drain towards Europe and North America,” says Azzouzi.

Understand Africa's tomorrow... today

We believe that Africa is poorly represented, and badly under-estimated. Beyond the vast opportunity manifest in African markets, we highlight people who make a difference; leaders turning the tide, youth driving change, and an indefatigable business community. That is what we believe will change the continent, and that is what we report on. With hard-hitting investigations, innovative analysis and deep dives into countries and sectors, The Africa Report delivers the insight you need.

View subscription options