African governments and corporations are facing the prospect of having to invest hugely in digital security, as cyberattacks are becoming a much greater threat to the region and its internet traffic is doubling every 18 months.
By the end of 2020, 495 million people in sub-Saharan Africa subscribed to mobile services – representing 46% of the region’s population – an increase of almost 20 million on 2019, according to GSMA, a telecommunications association. By the same time, 303 million people in the region were connected to the mobile internet. Registered mobile money wallets in Africa topped 621 million in 2021 – a 17% increase on 2020. The value of Africa’s mobile money transactions jumped by 39% to $701.4bn in 2021.
Africa’s international internet bandwidth leapt tenfold to 12 terabits per second (Tbps) during the decade until 2019. In the next ten years, the number of internet users in Africa is expected to surge by 11% – representing 16% of the total global amount – according to the International Finance Corporation (IFC), part of the World Bank. Furthermore, Africans have started to transition from 3G to 4G: in 2020, 4G accounted for just 12% of the continent’s mobile phone connections, but it is expected to surpass 28% by 2025, according to GSMA. Research from the IFC and Google states that Africa’s e-economy is expected to contribute $180bn to the overall economy by 2025, rising to $712bn by 2050.
However, this rapid digitalisation creates threats as well as opportunities. Cybercrime is estimated to cost Africa $4bn a year (a figure that hits $450bn worldwide). It is estimated that it costs the South African economy $570m a year, Nigeria $500m and Kenya $36m.
The biggest cyber threats in an African context include: online scams (such as phishing), digital extortion, business email compromise, ransomware and botnets. Phishing refers to emails sent with the intention of tricking people into divulging their personal information. Ransomware is a malware designed to deny a user or organisation access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyber attackers place organisations in a position where paying the ransom is the easiest way to regain access to their files.
Botnets are networks of compromised machines used as a tool to automate large-scale campaigns, including distributed denial-of-service attacks, phishing and malware distribution. The number of botnet victim detections in Africa is approximately 3,900 per month, according to Interpol.
Nine out of ten African businesses do not have cybersecurity protocols in place
Trend Micro, a Japanese cyber software company, recorded a huge number of threat detections in Africa from January 2020 to February 2021: 679 million detections on email, 8.2 million detections on files and 14.3 million detections on the web. A 2021 study by Deloitte found that 40% of African companies have recorded a rising number of cyber incidents. Approximately 90% of African businesses are operating without the necessary cybersecurity protocols in place. Without them, threat actors are able to exploit increasing vulnerabilities as they continue to invent new cyberattack vectors.
Malware attacks in South Africa jumped by 22% in the first quarter of 2019 compared with the same period in 2018 – which translates to just under 577 attempted attacks per hour – according to Kaspersky, a cybersecurity company. Android mobile phones in South Africa were the second most targeted by banking malware worldwide after Russia. It is estimated that one in nine Android mobile phones in Nigeria has malware-infected applications. More than 61% of companies across Africa were affected by ransomware in 2020 alone, according to Lumu’s 2020 Ransomware Flashcard.
Card-not-present fraud on South African-issued credit cards remained the leading contributor to gross fraud losses in that country, accounting for 79.5% of all losses. In 2019, mobile banking application fraud doubled in South Africa.
Furthermore, Africa is witnessing a rise in attacks directed against critical infrastructure. Banks in particular are common targets, and thefts and outages cost them billions of dollars. Nigeria’s National Security Agency and the municipality of Johannesburg have both been victims of cyberattacks, resulting in the disruption of services or the leakage of sensitive information. With the rise of cyberattacks on maritime infrastructure – which range from hacking to the theft of transaction logs – experts fear that African ports and shipping industries could be the target of an attack that severely disrupts trade.
Africa’s cybersecurity market was valued at $2.5bn in 2020, according to MarketsandMarkets, a market research company.
“The African continent has huge potential in terms of information and communication technologies [ICT], especially because of the youth of its population,” said Tarek Sharif, a former executive director of the African Union Mechanism for Police Cooperation (known as Afripol), in a report. “However, we are also witnessing an upsurge in activities related to cybercrime, especially in the Covid-19 pandemic period.
“On this young continent, every economic challenge generates an innovative solution that may sometimes, unfortunately, be at the limit of what the law allows. For example, the low rate of banking facilities for African populations has led to the creation of new financial services such as mobile banking but also to the resurgence of new forms of scam linked to these new technologies.”
African countries are the world’s least committed to cybersecurity
Afripol’s strategy to fight cybercrime is based on three pillars: first, raising awareness in the population; second, the reinforcement of policy, treaty and common legislation to fight cybercriminals; and, third, the establishment of technologies on a national scale to reinforce cyber defences.
In 2018, the International Telecommunication Union’s Global Cybersecurity Index reported that African countries are the world’s least committed to cybersecurity. Africa lacks the talent and resources to deal with the cybersecurity threats. Of a total population of around 1.3 billion people, the estimated number of certified security professionals in 2018 was only 7,000, representing one for every 185,000 people. The continent faces a growing 100,000-person gap in certified cybersecurity professionals, according to the Tony Blair Institute for Global Change (TBIGC).
“The main challenge in Africa is that there is a massive push to close up the digital divide and there is a massive push to innovate, leapfrogging certain stages of technological development,” says Melanie Garson, TBIGC’s policy lead for Europe, Israel and the Middle East in the internet policy unit.
“There are many good problem-solving technologies being developed. However, they are fundamentally built on the internet and, if you are not securing it, you create a cyber attackers’ gap. Cybersecurity is not necessarily the sexiest thought in the world, the choice of putting in time and money into the cybersecurity element does not seem such a high priority, so an exposure gap emerges that is quite critical.”
She adds that all countries should have their critical infrastructure secure. Not many country-scale critical infrastructure attacks have happened in Africa yet, apart from in Liberia in 2016. A British cybercriminal, Daniel Kaye, set up a ‘zombie’ cyber army to attack Lonestar, the country's leading mobile phone and internet company, crashing the entire national network.
“Most of the threats have been on, what I would call, low-lying fruit,” says Garson. “It is much easier to be a pickpocket than to rob a bank. That is a global phenomenon; it is not just related to Africa. It is the small and medium-sized enterprises that suffer the most because they either pay off ransoms quickly, or they experience phishing campaigns or crypto-jacking.”
Cybercriminals target Africa’s banking and private healthcare sectors
African countries have emerged as a favourite target of international cybercriminal syndicates, partly because of their weak cyber defences. In early October 2020, Uganda’s telecoms and banking sectors were plunged into a crisis in the wake of a major hack that compromised the country’s mobile money network. Hackers used around 2,000 mobile SIM cards to gain access to the system and an estimated $3.2m was stolen.
In June 2020, the second-largest hospital operator in South Africa, Life Healthcare, was hit by a cyberattack in the middle of the Covid-19 pandemic, paralysing the 6,500-bed provider and forcing it to switch to manual back-up systems.
“I think one of the biggest threats to the public and private sectors in Africa is ransomware,” says Boland Lithebe, security lead in Africa at Accenture. “Cryptocurrencies are key for it to work well. International syndicates are normally behind this sort of attack. They could be controlled from Brazil and involve members from Russia or China, for example. Nigerians could also be involved. It is not clear if organisations in South Africa pay up in the face of this kind of attack; if they do, they keep it undercover. Absolutely, I think the problem will get worse as internet penetration in Africa grows.”
Financial institutions, in particular, are facing huge risks from financial fraud, data theft and malware attacks. The greatest source of these risks come from malicious insiders and local organised crime syndicates. Insider threats cause the biggest security lapses and are the hardest to detect, remediate and prosecute.
According to Dataprotect, a Morocco-based data security company, sub-Saharan African banks are especially vulnerable to cyberattacks, mainly due to a dearth of qualified technicians and a lack of investment in cybersecurity. Its survey of 21 banks from West Africa and Central Africa published in 2020 showed that more than 85% had already fallen victim to at least one cyberattack. About 30% of these attacks involved bank card fraud, while one-third involved phishing.
About 24% of the attacks were on core banking, involving viruses and intrusions that affected information systems. Furthermore, the banks are impacted by information leakage, identity theft, money transfer fraud and fake cheque scams.
“There is big growth in internet usage and e-commerce in African countries, but that is precisely where the problem arises in the sense that companies are going into e-commerce and ordinary citizens start using it without being aware of the risks,” says Professor Basie von Solms, the director of the Centre for Cyber Security at the University of Johannesburg. “Therefore, the number of cybercrime victims in these countries are the highest in the world.
“The major attack modus operandi of the cybercriminals in Africa at the moment are phishing attacks. The emphasis has moved away over the years from trying to hack into the main ICT system of a company to try to go for the end users. The end users are people who are not cyber aware and fall very easily for these attacks. They do not practise hygienic cybersecurity. The place to start is the get the cyber users aware, to get a cyber aware workforce. The education must be, ‘don’t open unsolicited attachments’. Now, the question is: whose responsibility is it? I think the responsibility lies basically from the government side; it must ensure that a national form of cybersecurity awareness is rolled out in the country.”
Only 13 African countries sign up to cybersecurity convention
The African Union (AU) – as part of its Agenda 2063 for transforming Africa – has identified cybersecurity as a key priority to ensure that emerging technologies benefit African people and companies. The initiative is guided by the African Union Convention on Cyber Security and Personal Data Protection (known as the Malabo Convention), which was drafted in 2011 but only adopted in June 2014. Its purpose is to establish “a credible framework for cybersecurity in Africa through organisation of electronic transactions, protection of personal data, promotion of cybersecurity, e-governance and combating cyber crime”.
However, by May 2022, the convention has only been ratified by 13 out of 55 AU member states (Angola, Cape Verde, Ghana, Guinea, Mauritius, Mozambique, Namibia, Niger, Republic of the Congo, Rwanda, Senegal, Togo and Zambia). By the same month, only eight African countries had in place national cybersecurity strategies.
The cyber challenge will only get bigger in Africa. Facebook and Google are behind two separate new subsea fibre-optic cables that will bring 150Tbps and 180Tbps, respectively, of bandwidth to African countries by 2024. These will transform digital connectivity on the continent. Andile Ngcaba, chairman of Convergence Partners, a South African investment firm focused on the technology, media and telecoms sector, estimates that by the year 2030, the internet of things will be a massive market in the region and up to ten billion devices – including cars, cameras, sensors and laptops – will be connected to the internet.
With about 41% of the region’s population under the age of 15, a further 120 million new young African consumers will own a mobile phone for the first time within the next few years and participate in the digital economy.
Many private enterprises in Africa – including financial institutions – have talented security professionals but public sector organisations often lack the know-how. The private and public sectors must work together to ensure that countries vastly improve their critical infrastructure systems. Furthermore, governments must start to properly fund national awareness campaigns so that populations are more conscious about the cybercrime threat.