Cybercrime is on the increase across Africa, but so are initiatives designed to fight it. From awareness-raising among professionals to the enactment of new laws, African Business examines the measures being taken to combat the hackers.
The phishing attempts happen frequently. A text message purporting to be from a major mobile payment firm will come through to Laura Tich’s mobile encouraging her to transfer funds.
“It happens every week,” says the co-founder of Kenyan collective SheHacks. “In Kenya mobile money frauds are more common because it is so widely used.”
As internet and mobile penetration rates soar across Africa and processes become digitised, cyber threats are multiplying. According to the Africa Cyber Security Report 2017 by Kenyan IT consulting firm Serianu, African businesses lost $3.5bn to cyberattacks in 2017, with the financial, government and SME sectors in the crosshairs of hackers. The report claims around 90% of organisations surveyed are “operating below the security poverty line, significantly exposing themselves to cyber-security threats”.
“With this larger attack vector, organisations will be targeted more aggressively,” says Drew van Vuuren of cyber-security firm ESET South Africa. “More sophisticated attacks will be deployed by hacking collectives… as they become aware of the increased internet footprint in the region.”
With mobile subscriptions topping 444m in sub-Saharan Africa according to GSMA Intelligence and internet penetration rates around 35%, hackers are on the lookout for vulnerabilities.
The Nigeria Security and Civil Defence Corps was hacked in 2017 and overrun with fake job postings, electronic fraud led to the Kenya Revenue Authority losing $39m, and reports in Rwanda point to tens of thousands of attempted network attacks in the financial sector last year. Be it phishing schemes, ransomware, fraud or insider threats, the risks are vast.
“There is a belief that a lot of cyber threat actors emerge from Nigeria; [but] there are quite a good number of more sophisticated threat actors from China and Russia operating on a global scale and targeting countries including Nigeria,” says Rotimi Akinyele, a security consultant and founder of the Nigeria Cybersecurity Conference.
Keen to raise awareness among businesses and locals, Akinyele and Nurudeen Odeshina, a cybersecurity manager at PwC, formed a group with peers in Nigeria and the diaspora to share knowledge on evolving threats.
“We have actors not only trying to exploit vulnerabilities in software or people, but also involved in ‘Business Email Compromise’ – where they send malicious documents, links or attachments through email hoping someone clicks on it. There are also cases of insider threats where people collude to siphon funds or data out of a business,” says Akinyele.
What started out as six people in 2015 has mushroomed to hundreds. They held their first conference in 2017 and have expanded to run hackathons for university students.
“In tackling these cybersecurity problems we face as a country we are actively engaged in sharing knowledge and trying to improve our nation’s cybersecurity capability through awareness, monthly meetups and conferences,” says Odeshina.
Odeshina says that the financial sector is being proactive. The Central Bank of Nigeria has drafted new guidelines while the Nigerian Stock Exchange holds awareness forums. Kenyan and Rwandan banking authorities, among others, are taking similar steps.
“The financial sector is a leading sector in cybersecurity within Nigeria,” he says. “This is primarily driven by banks improving compliance through strong regulation by the apex bank such as the mandate for IT standards to be adopted. We have started seeing this spill over into other sectors”.
Microfinance lender Kiva has partnered with the UN and Sierra Leone government to launch what they call a “credit bureau of the future”. Using blockchain technology, Kiva will create a national digital ID system where all citizens can access its platform more securely.
“We have to be responsible stewards for our borrowers’ data and educate and help our partners to ensure security,” Kiva’s Kevin O’Brien says. “Security is never finished.”
Safaricom, owner of mobile payment giant M-Pesa, launched an ethical hacker initiative and will reward hackers with up to $2,000 for spotting vulnerabilities in its networks. Increasing the security workforce and encouraging investment in cyber procedures are seen as key to staying ahead of threats.
Opportunities for women
At Kenyan collective SheHacks, Laura Tich intends to increase opportunities for women in the sector.
“We want to give women a platform to show off their skills and share knowledge,” she says of the group started in 2016. “When we first started we had about 30 participants and this year we held a bootcamp and we had 250 people sign up.”
Evelyn Kilel, a fellow SheHacks co-founder and part of the cyber team at a major accountancy firm in Nairobi, says awareness is improving. As a penetration tester Kilel tries to unearth weaknesses in business systems.
“It was so hard to report an issue to organisations,” she says. “They would think we were trying to hack them and you wouldn’t even want to report an issue, but now organisations are trying to open up to it.”
The African Union Convention on Cyber Security and Personal Data Protection – created in 2014 to promote best practice among member states – intends to improve standards. Rwanda is digitising government processes and has unveiled a policy to protect institutions coupled with plans for a $3m cybersecurity centre. Senegal has a similar programme, while Uganda has a national centre to oversee its cyber frameworks. Meanwhile, the World Bank has announced a cyber clinic for ECOWAS nations.
However, critics say new cyber laws in Kenya, Uganda, Tanzania and elsewhere risk freedom of speech, are overly vague and could wrongly target individuals. Tich also works at Code for Africa, a technology and open data initiative that helps journalists and civil organisations stay secure. She believes that some new laws are problematic.
“There is a really thin line between the laws we have in place and censorship. If they say you can’t post fake news and they haven’t really defined what it is there is a risk of censoring people… I want to know the information I share with someone is just between us and no-one else is part of that conversation.”