Priscilla Mutembwa joins USAFCG as Vice President, Cybersecurity Policy and Development

May 29, 2018, Washington, DC–Ambassador Omar Arouna, Managing Partner of US-Africa Cybersecurity Group, has appointed Priscilla Mutembwa as Vice President, Cybersecurity Policy and Development.

Further to the appointment, Ambassador Arouna commented: “I’m delighted that Priscilla Mutembwa is joining the Group. Over the past years she has done an outstanding job in various capacities on the African continent. Her work as a member of the ITU Focus Group on Digital Financial Services for Financial Inclusion and her keen interest in the security issues surrounding mobile money in Africa will be essential to our growth.”

Priscilla Mutembwa holds a Master of Business Administration from the University of the Witwatersrand, Johannesburg. She is currently enrolled in a Master in Cybersecurity, Management and Policy at University of Maryland University College. Before joining US-Africa Cybersecurity Group, she held various management and financial roles at UNICEF, British American Tobacco, Zimbabwe Allied Banking Group and Cargill. In 2006 she was appointed CEO at Cargill in Zimbabwe, a role she held for seven years. Priscilla Mutembwa was named the 2011 CIMA Businesswoman of the Year.

In 2015 she joined the Corporate Council on Africa as Director, ICT. She was responsible for the development and implementation of the association’s ICT program. She was also a member of the ITU Focus Group on Digital Financial Services for Financial Inclusion and developed an interest in the security issues surrounding mobile money in Africa. She is currently a Commissioner on the Judicial Services Commission of Zimbabwe.

Her career has spanned 33 years across 3 continents, and she is now seeking to develop and implement cybersecurity policies and procedures in Africa.

Cybersecurity in the Age of Digital Transformation

Jan 10, 2018–As companies embrace technologies such as the Internet of Things, big data, cloud, and mobility, security must be more than an afterthought. But in the digital era, the focus needs to shift from securing network perimeters to safeguarding data spread across systems, devices, and the cloud.

by MIT Technology Review Custom

January 23, 2017

Technologies such as big data analytics, the Internet of Things (IoT), blockchain, and mobile computing are reinventing the way companies handle everything from decision making to customer service. The automation of virtually all business processes and the increasing digital connectedness of the entire value chain create agility, but they also significantly raise cybersecurity risks and threat levels.

The key to addressing those risks and threats is building security into applications, as well as into interconnected devices, right from the start.

Running IT systems in the cloud supports organizational flexibility. To that end, companies are increasingly moving both data and business functions (e.g., human resources and procurement) between the cloud and on-premises legacy systems.

But as companies embark on their journeys of digital transformation, they must make cybersecurity a top priority, says Michael Golz, CIO, SAP Americas. “We have to maintain confidentiality, integrity, and availability of data in all these contexts: on premises, in the cloud, and in hybrid environments,” Golz says.

Both the value and the volume of data have never been higher, and end points are more vulnerable than ever. That’s especially the case with the IoT, which is still in its infancy. As the IoT is extended to everything from industrial equipment to consumer devices, attacks are growing not just in number, but also in sophistication. Next-generation devices are now deployed in potentially vulnerable environments such as vehicles, hospitals, and energy plants, vastly increasing the risks to human welfare. Concerns about such devices being hacked, turned into botnets, and used to attack targeted computers and organizations are growing as well.

“Any vulnerabilities in the supply chain now have a wildfire effect that results in millions of dollars being lost and trust being destroyed on impact,” says Justin Somaini, global CSO, SAP. “It used to take a while to exploit these weaknesses. Nowadays, it’s very fast and the damage is immediate.”

With the stakes so high, senior IT leaders, including both CIOs and CSOs, need to adopt a more proactive approach to securing critical data. Forensic analysis of what went wrong after a breach won’t be enough to save lives—or C-level careers.

Focusing on Both Applications and Data

Cybersecurity professionals are accustomed to securing access to their networks and applications. But digital transformation leads to an explosion of connected environments where perimeter protection is no longer enough. Attackers and other malicious individuals will continue to compromise weak links, resulting in deep access to companies’ networks, systems, and data.

In a digital world, the classic, contained enterprise network no longer exists. For that reason, security must be embedded into all applications as the first line of defense, Somaini says. To achieve that level of security, SAP favors the “security by default” approach, in which an application’s embedded security controls are, by default, set at the highest levels of protection. “The idea is to build in security, rather than asking users to opt in,” he says. That’s one of the hallmarks of being more proactive in securing data: protection is the default posture.

So-called “self-defending apps” are another example of proactive security. This active-protection technique provides applications with advanced access-control capabilities, allowing them to react to malicious source-code modifications and debugging at runtime. Encryption of all data in transit is another core tenet of preemptive cybersecurity, according to Somaini. SAP HANA, for example, features encryption services for data both at rest and in flight.

Among the most important factors for heading off insider threats are two-factor authentication (which verifies a user’s identity via two different methods) and role-based access controls (which limit the user’s access to data by job role), Golz says. “The insider threat is very real. There are a lot of data breaches today by people who have a legitimate authorization that is too broad. They get to see more than they are entitled to. Two-factor authentication dramatically increases the security of the communications.”

Bringing Two Worlds Together

The cybersecurity issues raised by digital transformation are driving the need for a better understanding between the organization’s cybersecurity professionals and those who provide application security. “Traditionally, those groups don’t speak the same language and don’t understand what the other side is doing,” Golz says.

Today, responsibility for cybersecurity is generally shared by the application team, which tends to focus on hardening and securing enterprise applications, and the cybersecurity professionals, who handle aspects such as access controls and firewalls. “Those are different roles, and they use different technologies and terms,” Golz says. Going forward, with the focus shifting from traditional network-perimeter security to securing application data, those two worlds need to join forces to prevent issues from falling through the cracks, he adds.

Digital transformation makes it essential that the cybersecurity and IT teams find a common understanding, a shared terminology, and a unified approach to securing applications and data. “Systems are being opened in ways that they weren’t before,” Golz explains. “There is more direct connectivity with suppliers, partners, customers, and consumers. There are tighter connections between a company’s Web presence and back-end systems. The seamless process flows mean more things can go wrong.”

When it comes to digitally transforming a company’s business, cybersecurity must be part of that conversation from the start. As a case in point, many companies now sell software along with their products. For example, a large industrial vendor such as GE today provides not just the equipment used in production environments but also subscription-based monitoring and maintenance services to ensure that equipment does not experience an unexpected outage. “That means all the challenges and requirements a software company faces now apply to you. The way you protect the data is paramount. It’s a whole set of new challenges,” Golz says.

As one of the top providers of business-critical applications, SAP will continue to build security into the heart of its applications and to secure cloud operations to protect content and transactions, Golz says. “We are working to help customers define, plan, and execute measures for their secure digital transformation.”

Source: MIT Technology Review Custom https://www.technologyreview.com/s/603426/cybersecurity-in-the-age-of-digital-transformation/

Companies In Africa Can’t Afford To Turn A Blind Eye To Cyber Security

Oct 30, 2017–Half a billion US dollars – that’s how much cyber-related incidents now cost organizations in Nigeria each year. The figures for many other African countries are similarly high, estimated at $50 million for Uganda and $250 million in Kenya. But even these figures are likely to understate the problem; most African countries don’t record such losses in a formalized, mandatory manner and most organizations don’t report any potential or actual losses to authorities.

Regulation and legislation related to information security and data protection also continue to lag behind other parts of the world. As such, while cyber security is considered an emerging threat in Africa, a lot more work is required in understanding the threat to organizations in specific countries and sectors.

In Control Risks’ conversations with clients, senior executives acknowledge that cyber risk is at the top of their agenda. However, according to African respondents in Control Risks’ latest ‘Cyber Security Landscape’ report, 62% do not have any cyber crisis management plan in place to help them respond to a breach (compared with 40% in Europe & Middle East and 31% in Asia).

This suggests that the threat of a breach remains abstract for many senior executives who have not yet worked out in detail how their organization would deal with one. Additionally, for most organizations in Africa, cyber risk is still primarily the responsibility of IT staff, who struggle to get buy-in from senior management for investment in cyber crisis planning.

Our survey also found that 62% of African respondents say their plans do not cover what their third parties need to do if they suffer a cyber breach. This is despite the fact that most organizations depend on third parties (such as web hosting and IT service providers, as well as clients) to operate their businesses and are connected to them in many ways – offering cyber threat actors potential points of entry to their own systems.

We spoke to a number of organizations in Africa who indicated that the third party risk is largely covered by their contracts with those third parties. A few organizations indicated that they also carry out independent reviews of third parties, which we encourage all organizations to do on a regular basis. One organization also indicated that they require their third party partners to obtain cyber insurance before they allow them to access the organization’s network.

As the recent WannaCry ransomware attacks proved, cyber breaches are global in nature; Africa isn’t immune, with reports of attempted and successful attacks in more than 10 African countries. These types of attacks should also lead organizations to treat cyber threats as a matter for the whole business, rather than just the IT department. This means the board should set the right information security culture and risk appetite for the organization, which should then translate into actionable plans for senior management, led by the CEO.

Planning for a cyber crisis should also be the responsibility of senior management rather than just IT. Such planning should involve the whole organization and start with understanding the key threats an organization faces, and the key assets needed to continue operations in the event of a breach.

Source: Control Risks. We are an independent, global risk consultancy specializing in helping organizations manage political, integrity and security risks in complex and hostile environments. We provide strategic consultancy, expert analysis and in-depth investigations, handling sensitive political issues and providing practical on-the-ground protection and support. Visit us at www.controlrisks.com or follow us on Twitter @Control_Risks. 

Patrick Matu is an Associate Director for East Africa at Control Risks, the leading international risk consultancy. He is based in the Nairobi office.

The statements made and views expressed are solely the responsibility of the author.

African Union Cybersecurity Profile: Seeking a Common Continental Policy

Sep 23, 2016–Africa is now home to some of the world’s fastest growing economies–the terms “Africa rising” and “lions on the move” have both been used in recent years to capture the positive economic outlook for the continent. In tandem with this new economic boom, countries in the African Union (AU) have experienced explosive growth in the use of technology and the spread of information and communication technology (ICT) infrastructure over the past decade and a half. About 300 million users have been brought online since 2000 due to the liberalization of telecommunications markets across African countries and the increasingly widespread availability of mobile technologies. For Africa, the technology age is booming–and shows few signs of slowing. The rapid turnaround from being a continent essentially offline in 2000, with only 4.5 million Internet users, to this level of connectivity has left African leaders scrambling to implement adequate cybersecurity policies and regulations.

In spite of the breathtaking growth of ICT use, the development of national cybersecurity legislation has been relatively stagnant in the region. Mauritius, which has legislation addressing cybercrime, e-commerce, data protection, and privacy as well as an established Computer Emergency Response Team (CERT), remains a distant outlier on the continent. Countries such as Chad, Guinea-Bissau, and Gabon, which have minimal-to-no legislation addressing cyber issues, are much more typical. The AU faces the challenge of developing a common continental cybersecurity policy, which requires not just the harmonization of legislation across several economic regions but also encouraging national policy development in a majority of member states. Attaining this level of political cohesiveness–in a regional organization that consistently faces criticism of ineffectiveness–is a steep hurdle to overcome.

Africa is experiencing a unique state of vulnerability due to the absence of national legislation and international cooperation available to handle growing cyber threats. Despite this very real challenge, cybersecurity is inherently intertwined with more general trade and economic development in Africa, creating space for cooperation and consensus. The growing global recognition of the necessity for ICT and cybersecurity policies has been intertwined with AU economic policy since the early 2000s. Additionally, partnerships with the European Union (EU) and United Nations (UN) that have been tied to broad regional economic development have been integral to driving both regional and national cybersecurity initiatives. If it strengthens these partnerships, the African continent has real potential to create a robust and secure cybersecurity environment.

Read more from the author of this article: Skye Terebey

Source: https://jsis.washington.edu/news/african-union-cybersecurity-profile-seeking-common-continental-policy/ The statements made and views expressed are solely the responsibility of the author.