Are we paying attention to the new challenges of the digital world?

Jan 22, 2018, by Ambassador Omar Arouna–When Estonia started building its information society about two decades ago, there was no digital data being collected about its citizens. The general population did not have the internet or even devices with which to use it. Sound familiar?

It took great courage to invest in IT solutions and take the information technology route. WHAT ARE WE DOING IN AFRICA to learn about the best e-solutions that have led to Estonia becoming one of the world’s most developed digital societies.

Our visit to President Kersti Kaljulaid of Estonia in January 2018 and the briefing at the NATO Cooperative Cyber Defense Centre of Excellence was an eye opener and Africa needs to take note from that playbook to meet the new challenges of the digital world.

USAFCG Managing Partner, Ambassador Omar Arouna in Estonia in January 2018.

Financial Sector

Private sector businesses and organizations including their consumer base have become extremely vulnerable online. Digital economies are taking off throughout all the regions of Africa. Cybercrime has emerged and already taken advantage of mobile banking, online banking and financial services delivered regionally. Local support for cybersecurity across the region needs to be strengthened, and financial institutions in the region are demanding training, servicing, and consulting services in cybersecurity.

Public and Private Sectors

Government institutions and agencies in Africa have adopted more technology into their operations and services. The lack of adequate knowledge and expertise to deal with security threats is apparent. Both government and private sectors need to invest in sustained training and education informing and providing tools to consumer base and the population at large of the potential threats to their use of the internet and cyber space.

They also need to build frameworks and guidance on how to reach these goals. The private sector seems to take the lead in tackling and preparing to respond to cyber security threats, but much focused and coordinated action with governments and regulatory bodies remains to be taken to the next levels. Both public and private sectors in Africa are still reactionary for the majority of cases, mainly investing in  after falling victim to cyber-crimes.

Energy Sector

The energy sector is increasingly becoming a target for cyber threats, and therefore vulnerable to potential cyber attacks. Risks in Africa are growing due to an ever increasing in populations and demand for access and connections to power grids and utilities. Foreign direct investment in Africa requires stability and security in power supply and infrastructure, which needs to be upgraded with new technologies.

Cyber attacks compromise strategic targets in the power and energy sectors. These threats and attacks have the ability to cause significant disruption to power and utility supplies, which are connected to vulnerable networks. It is important for energy companies to assess and participate in cybersecurity training and information sharing, both among private sector entities and between the private sector and the government.

Governments in Africa are in the process of developing national cybersecurity legislation establishing standards and requirements to enhance the security of critical power and energy infrastructure. It is essential that organisations operating critical power and energy infrastructure integrate cybersecurity training in their operations, technology, business process and human resources.

Companies In Africa Can’t Afford To Turn A Blind Eye To Cyber Security

Oct 30, 2017–Half a billion US dollars – that’s how much cyber-related incidents now cost organizations in Nigeria each year. The figures for many other African countries are similarly high, estimated at $50 million for Uganda and $250 million in Kenya. But even these figures are likely to understate the problem; most African countries don’t record such losses in a formalized, mandatory manner and most organizations don’t report any potential or actual losses to authorities.

Regulation and legislation related to information security and data protection also continue to lag behind other parts of the world. As such, while cyber security is considered an emerging threat in Africa, a lot more work is required in understanding the threat to organizations in specific countries and sectors.

In Control Risks’ conversations with clients, senior executives acknowledge that cyber risk is at the top of their agenda. However, according to African respondents in Control Risks’ latest ‘Cyber Security Landscape’ report, 62% do not have any cyber crisis management plan in place to help them respond to a breach (compared with 40% in Europe & Middle East and 31% in Asia).

This suggests that the threat of a breach remains abstract for many senior executives who have not yet worked out in detail how their organization would deal with one. Additionally, for most organizations in Africa, cyber risk is still primarily the responsibility of IT staff, who struggle to get buy-in from senior management for investment in cyber crisis planning.

Our survey also found that 62% of African respondents say their plans do not cover what their third parties need to do if they suffer a cyber breach. This is despite the fact that most organizations depend on third parties (such as web hosting and IT service providers, as well as clients) to operate their businesses and are connected to them in many ways – offering cyber threat actors potential points of entry to their own systems.

We spoke to a number of organizations in Africa who indicated that the third party risk is largely covered by their contracts with those third parties. A few organizations indicated that they also carry out independent reviews of third parties, which we encourage all organizations to do on a regular basis. One organization also indicated that they require their third party partners to obtain cyber insurance before they allow them to access the organization’s network. As the recent WannaCry ransomware attacks proved, cyber breaches are global in nature; Africa isn’t immune, with reports of attempted and successful attacks in more than 10 African countries. These types of attacks should also lead organizations to treat cyber threats as a matter for the whole business, rather than just the IT department. This means the board should set the right information security culture and risk appetite for the organization, which should then translate into actionable plans for senior management, led by the CEO.

Planning for a cyber crisis should also be the responsibility of senior management rather than just IT. Such planning should involve the whole organization and start with understanding the key threats an organization faces, and the key assets needed to continue operations in the event of a breach.

Source: Control Risks. We are an independent, global risk consultancy specializing in helping organizations manage political, integrity and security risks in complex and hostile environments. We provide strategic consultancy, expert analysis and in-depth investigations, handling sensitive political issues and providing practical on-the-ground protection and support. Visit us at www.controlrisks.com or follow us on Twitter @Control_Risks. 

Patrick Matu is an Associate Director for East Africa at Control Risks, the leading international risk consultancy. He is based in the Nairobi office.

The statements made and views expressed are solely the responsibility of the author.

Global Cybersecurity Index 2017

Jul 20, 2017–The Global Cybersecurity Index (GCI) is a survey that measures the commitment of Member States to cybersecurity in order to raise awareness.

The second edition of the Global Cybersecurity Index 2017, released by the International Telecommunications Union (ITU), an agency of the United Nations, measured the commitment of ITU Member States to cybersecurity and highlighted a number of illustrative practices from around the world.

The GCI revolves around the ITU Global Cybersecurity Agenda (GCA) and its five pillars (legal, technical, organizational, capacity building and cooperation).

The data collected shows that developing countries lack well-trained cybersecurity experts as well as a thorough appreciation and the necessary education on cybersecurity issues for law enforcement, and continued challenges in the judiciary and legislative branches.

According to the report, the 2017 publication of the GCI continues to show the commitment to cybersecurity of countries around the world. The overall picture shows improvement and strengthening of all five elements of the cybersecurity agenda in various countries in all regions. However, there is space for further improvement in cooperation at all levels, capacity building and organizational measures. As well, the gap in the level of cybersecurity engagement between different regions is still present and visible. The level of development of the different pillars varies from country to country in the regions, and while commitment in Europe remains very high in the legal and technical fields in particular, the challenging situation in the Africa and Americas regions shows the need for continued engagement and support.

In addition to providing the GCI score, this report also provides a set of illustrative practices that give insight into the achievements of certain countries.

Source: http://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx