hack attack

Cybercrime: West African banks are under-protected

This article is part of the dossier:

Cyber surveillance: a new market, with old clients


By El Mehdi Berrada, in Casablanca

Posted on January 31, 2020 12:23

 The digital revolution will be one of the driving forces behind the continent’s development – and it needs protecting. © Wikimedia Commons/Colin

According to analysts from the Morocco-based firm Dataprotect, sub-Saharan African banks are particularly vulnerable to cyberattacks (bank card fraud, phishing, intrusions, etc.), mainly due to a lack of qualified technicians and investment in cybersecurity.

This is part 4 of a 4-part series.

While cybercrime is estimated to cost Africa €3.5bn, compared to €528bn worldwide, this does not at all mean that Africa fares better in handling cybersecurity challenges than other continents. According to analysts from the Moroccan firm Dataprotect, founded by Ali El Azzouzi, the opposite is actually true.

They examined the cybersecurity environment of 148 banks from the eight UEMOA member states and three Central African countries, including Gabon, the Congo and the Democratic Republic of Congo. Twenty-one banks participated directly or indirectly in the survey, entitled ‘Banking Fraud in sub-Saharan Africa’.

More than 85% of these financial institutions reported that they have already fallen victim to at least one cyberattack resulting in losses, and some faced recurrent attacks. Thirty percent of these cyberattacks involved bank card fraud, while one-third involved phishing, i.e., emails sent with the intention of tricking people into divulging their personal information.

The third most common target of cyberattacks, accounting for 24% of all cases, is core banking, meaning viruses and intrusions affecting information systems. In addition, the banks are impacted by information leakage, identity theft, money transfer fraud and fake check scams.

Increasing, yet still insufficient, investment

“Clearly, African banks are dealing with professional criminals,” said Ali El Azzouzi’s teams, which estimate that for the area covered by the survey, only 6% of incidents are detected by cybersecurity staff at the financial institutions. Even when incidents are detected, they are not systematically disclosed by the institutions concerned, thereby making the financial impact of cyberattacks on the continent hard to assess.

The estimated losses of the banks reporting financial information concerning cyberattacks amount on average to €770,000 over the past few years. However, Dataprotect analysts suggest that each computer infected by malware costs companies €9,000 on average. “This amount can increase fast if the attack is not contained,” they said.

Eighty-five percent of the banks surveyed by Dataprotect said they invest at least €500,000 a year to address cybersecurity threats, while 50% reported investing between €100,000 and €500,000 a year. An Orange Cyberdefense report published in 2018, “African investment in cybersecurity,” forecasted that the African cybersecurity market would grow from €1.5bn in 2017 to more than €2.2bn in 2020.

A mainly outsourced segment

Although on the rise in recent years, cybersecurity investment remains very low given the losses sustained. According to Dataprotect’s report, “Cybersecurity investment must be proportional to the information risk incurred by the business. Companies in the financial sector are most at risk.”

From an operational perspective, 55% of financial institutions outsource their cybersecurity needs, arguing that doing so allows them to focus on their core business. Outsourcing also resolves the issue of finding and hiring qualified technicians, a problem faced by more than 85% of the banks surveyed.

The report underlined that “cybersecurity experts are often reluctant to work for a company in which they are professionally isolated and have no advancement opportunities in the field” and added that only 20% of the institutions surveyed are taking the matter seriously and addressing it from all angles.

While vigilance does not protect businesses completely, it does prevent the vast majority of intrusions. The Dataprotect report concludes that the remaining 80% of institutions “are operating blindly in a high-risk area and, once attacked, they will suffer the most losses.”

The Morocco-based information security firm currently operates in more than 35 countries and has over 500 clients, including 100 banks, in Africa, Europe, the Middle East and Asia. The company reported revenue of more than 110 million dirhams (€10m).