Kathy Gibson reports – Africa needs a comprehensive agenda to deal with its critically low level of cyber resilience and secure its leap into the digital economy.
This is the main message from a Kearney white paper, “Cybersecurity in Africa: A Call to Action”, which calls on governments and businesses across the continent to make a concerted effort to improve cybersecurity.
“There is no time to waste on this,” says Rob van Dale, regional digital lead partner at Kearney, adding that a lack of cyber resilience could spell disaster for the continent if it’s not addressed soon.
He explains that Africa is a prime target for cyberattacks due to its growing strategic relevance, economic development, and evolving digital landscape.
In fact, the continent loses more than $3,5-billion annually due to direct cyberattacks – and billions more are lost due to missed business opportunities.
“To put it in context, we estimate the investment to protect us from cyberattacks is considerably less than that $3,5-billion,” Van Dale points out.
The continent is an attractive target for cybercriminals mainly because it is less protected than other regions and, therefore, attacks on African organisations have a better chance of succeeding. And, as the continent becomes more connected, it’s easier than ever for criminals to launch their attacks.
In more mature markets, countries spend about 0,25% of their GDP on cybersecurity. But the picture in Africa is different: South Africa is the most mature market, spending a less than ideal 0,19% of GDP, but this is way ahead of the rest of sub-Saharan Africa at 0,03%, and the Middle East and North Africa at 0,06%.
Security researchers demonstrated that the number and intensity of attacks on African targets is increasing rapidly. “The threat is real and African countries need to set up their cyber resilience,” Van Dale says.
Even the most advanced countries have low cyber resilience. Just five countries – Nigeria, South Africa, Egypt, Morocco and Kenya – are at a reasonably advanced stage of cybersecurity readiness, and these countries still need to do more.
“The picture as of now is not looking good,” Van Dale says.
The Kearney white paper outlines six main reasons why we have reached this situation.
The top reason is a lack of strategic mindset, policy preparedness, and institutional oversight. This is followed by the absence of a unifying framework, with regional efforts still largely voluntary.
A big issue is that cyber risk is perceived to be an IT rather than a business problem, even though cybersecurity has massive implications for business and the economy as a whole.
At the same time, regional businesses do not have a comprehensive approach to cybersecurity
On the talent front, there is a dire shortage of home-grown capabilities and expertise. Best estimates are that the world is short about 4-million skilled cybersecurity personnel, with that shortage disproportionately affecting Africa.
And, while there are security products and solutions available, these tend to be fragmented with few comprehensive solution providers.
Prashaen Reddy, Africa digital partner at Kearney, says the cybersecurity threats will be exacerbated by the flow of info, goods, and services across the continent as the African Continental Free Trade Agreement (AfCFTA) comes into effect. “This could create a challenge in protecting and managing information flow,” Reddy says.
In addition, the continent faces a host of socio-economic challenges, so resources that might have been used to improve cybersecurity resilience are often diverted to different priorities
There is also a growing hesitancy to share threat intelligence across countries although experiences in other geographies demonstrate that transparency is vital for cybersecurity efforts to succeed.
New technologies also make the threat landscape more complex and difficult to respond to, Reddy adds, pointing to new technologies like generative AI.
To deal with the threats, a comprehensive and collaborative approach with inputs form multiple stakeholders is required.
Kearney believes a four-point agenda can help:
Elevate cybersecurity on the national and regional policy agenda
* Development of a comprehensive framework
* Update the AU Cyber Convention and Policies
* Institute regional co-ordination platforms and agreements
Secure a sustained commitment to cybersecurity
* Address the spending gap
* Define and track metrics
Fortify the ecosystem
* Share threat intelligence
* Extend across the supply chain
* Develop regional public-private partnerships (PPPs) and industry alliances
Build the next wave of cybersecurity capability
* Professional skills development – creating our own skills rather than exporting them
* Local industry collaboration
* Research and development (R&D), with emphasis on technologies like artificial intelligence (AI) and blockchain
* Benchmark global capabilities
“A comprehensive approach is needed to address the threats,” says Reddy. “It is clear there is an urgent call to respond, to create an economy that is thriving, allowing business and societies to grow and develop.”
Among the many actions that need to be taken is a need for the continent to invest $22-billion in cybersecurity. This should be coupled with a comprehensive, forward-looking agenda.
At the same time, African organisations need to change their mindsets to become more active, and foster co-ordination and development across stakeholders.
“But the first imperative is to develop the right talent and skills,” Reddy says. “This issue needs to be top of the board agenda.”
Organisations must formulate groupwide strategies, foster a cybersecurity culture, and extend their efforts to include business partners.
It is vital that organisations and countries share intelligence, he adds.
South Africa will necessarily lead the charge as the country on the continent most mature in readiness to exploit ICT opportunities and with the highest pace of digital growth.
At the same time, as the largest and most industrialised country in Africa, South Africa is under the biggest threat, Reddy warns.
Van Dale stresses that it’s vital for cybersecurity to be regarded not as an IT problem, but as an issue of national security.
“Cybersecurity programs often take a siloed approach to defending infrastructure even though vulnerabilities extend across peer companies and vendors, and adversaries plan and execute sophisticated attacks across several targets at once,” he says.
The African Union (AU) has taken steps to increase collaboration on cybersecurity across the region by establishing the African Union Convention on Cyber Security and Personal Data Protection legal framework. The framework has been signed by 16 out of 55 member countries, but only ratified by 13.
Such a system, based on the loose collaboration of national agencies and voluntary exchanges, is unlikely to go far enough to safeguard Africa. Therefore, a tighter coordination mechanism is needed, according to Kearney.
What is very clear from the study is that Africa must do a lot more about cybersecurity – and it must do it now.
“If it is not addressed we fear that the number and severity of attacks will grow,” Van Dale warns.