Cyber criminals are targeting African economies in similar ways to their European or North American counterparts. “The numbers show that everyone is getting hit equally hard,” said Charl van der Walt, head of security research at Orange Cyberdefense, speaking on the first morning of the Summit.
While the cyberattack numbers in Africa might be slightly lower than in other parts of the world, van der Walt believes this doesn’t necessarily mean cybercriminals are actively targeting larger economies more than smaller ones. “What we’re seeing is not the bad guys saying, ‘Let’s find American companies to hack.’ Rather, they seem to throw mud at a map and see where it sticks, suggesting the targeting is less deliberate and more opportunistic.”
Everyone is a target
What van der Walt did highlight, however, is that the landscape appears to be changing. With law enforcement in many of the most targeted countries increasingly cracking down on large cybercrime syndicates, these hackers are quickly looking for alternatives. “Similarly, the market for this kind of crime is shrinking as the number of criminal groups grows,” he says. “Again, this drives criminals to start hunting for opportunities elsewhere.” So with this in mind, it’s inevitable that hackers are coming for smaller economies, like those in Africa.
Also speaking at the event, Jonas Bogoshi, CEO of ICT company BCX, noted that this trend is a big concern. According to him, 0% of appointments on large boards in South Africa have any cyber security experience, while only about 8% have some understanding of social networks and digital technologies. This is in contrast with large boards in Fortune 500 companies, where 8% have cybersecurity knowledge and 40% have digital tech expertise.
Everything is a target
As more companies embrace digital means to interact with their customers and use technology to transform business models, an increase in cyberattacks is expected, as well as an evolution in the methods and type of assets these cybercriminals are trying to steal. “When the physical world and the digital world come together, everything that we do online is under threat,” Bogoshi says, citing how a local radio station’s entire content library was accessed and encrypted in a ransomware attack.
In another incident, a phishing attack targeted the minutes of a large South African manufacturer’s board meeting due to the company’s substantial M&A activity. As hackers get smarter, they’re not only stealing data, they’re also analysing the information they steal to identify different pieces of value they can use to further extort victims. All too often, not knowing what our assets are, and thus not putting the necessary processes and procedures in place to secure them, is opening us up to attacks, added Paul McKay, principal analyst at Forrester.
So, what to do? Van der Walt suggests that community-led initiatives, like a cyber Neighbourhood Watch, may be the answer. These partnerships should be between a broad range of different players, from security professionals to governments, who want to make our digital world safer. It’s about organising a group of affected parties to collectively try to resolve the problem. And others agree.
On the second day of the Summit, Karen Allen, CEO at consultancy Karen Allen International, explained that because cyberspace touches essentially everything in our modern lives, we all need to play an active role in how it is developed, controlled and governed. “As an enabling technology, cyberspace is shaping the pace of how states develop. This is particularly relevant to Africa.”
As such, Africa can’t afford to take a back seat while others are making decisions about digital security and the future of technology. Incidents of African presidents being hacked and government departments targeted, for instance, are not going to be properly addressed until the continent actively starts to participate in digital development, she continued. Diplomacy shapes how states interact and how they balance their interests, values and red lines, and cyber diplomacy translates these same practices into cyberspace.
“This includes the developments behind the tech,” she adds, “the algorithms that power the tech and the assumptions and cognitive biases hardwired into it.” And much like a CISO will put different controls and safeguards in place to keep a business safe, cyber diplomacy demands that nation states understand the cybercrime landscape, acknowledging the threats and having more proactive conversations about how to address them for the benefit of all.
Robin Barnwell, head of security strategy at Standard Bank, also notes that most security teams across South African corporates are facing a brain drain when it comes to security skills and, in some industries, a lack of a solid skills pipeline, meaning not much is being done to improve the situation, whether through diplomacy or development. “It’s great to have good tools but if you don’t have qualified people to use them and make sure your organisation’s security profile is sound, having the technology is pretty pointless,” she says. And according to a 2020 Accenture report, low investment in cyber security and immature cybercrime legislation make South Africa a prime target for cybercrime. According to Barnwell, addressing the cyber skills issue demands that all businesses get involved in skills development, not just for themselves but for the broader business community.
Phillimon Zongo, CEO of the Cyber Leadership Institute in Australia, and Sandro Bucchianeri, group CSO at NAB Australia (formerly Absa’s group chief security officer), who also attended the Summit, described cyber security as a group effort. “Given the complexity of cybersecurity, it’s quite tempting for cyber leaders to think they know it all, but the days of the lone wolf are over,” said Zongo. “Cyber security has to be a team sport,” said Bucchianeri. “Making sure that you have enough players on the field is exceptionally important,” Bucchianeri added, noting that there really is safety in numbers.
The right support structure
Unfortunately, more than half of cyber leaders globally find it hard to respond to current challenges because of a shortage of skills. “Cybersecurity is actually quite simple,” said Bucchianeri. “You need to get the basics right and execute your plans well. While I understand that it can be tough to execute when you have restrained resources, you need to focus on what you can do to move the dial forward as much as possible.”
When talking about securing buy-in from business and ensuring that cybersecurity efforts align with broader business goals, the suggestion that cybersecurity is a team sport is even more important. “For cyber leaders, the challenge is to learn to communicate the importance of cybersecurity with those who don’t fully understand the risks,” said Zongo. “If the CFO or any other non-technical executive doesn’t understand a cyber risk report, it’s unlikely that others will understand it either.” So when you articulate the risks well, the funding for efforts and initiatives to combat these risks will start to flow.
Today, the cyber leadership role is fraught with challenges. But the security leaders that drive lasting change have done so by avoiding unnecessary jargon, developing good relationships with key business stakeholders, and understanding that the measure of effective security depends on the well-being of others. “If you want to go fast, go alone. If you want to go far, go together,” said Bucchianeri, citing a well-known African proverb. “This is one of the most pivotal things you can do to make your cybersecurity programme a success.”