You are on page 1of 88

Demystifying

Africa’s Cyber
Security Poverty Line

Botswana
The Africa Cyber Immersion Centre is
a state-of-the-art research, innovation
and training facility that seeks to
address Africa’s ongoing and
long-term future needs through unique
education, training, research, and
practical applications.

For more information Serianu Limited


contact: info@serianu.com http://www.serianu.com
3

Content
Editor’s Note and Acknowledgement Cost of Cyber Crime

4 We are excited to finally publish the 5th edition of Africa Cyber


Security Report 2017. 58 We estimate that cyber-attacks cost Africa
businesses around $1.048 trillion a year.

Foreword Sector Ranking in 2017

7 The global cyber security landscape is evolving and becoming


quite complex. 66 Cyber security is no longer a concern for the
financial & banking sectors only.

Executive Summary Home Security

9
It is in our own best interests to make sure
The global landscape of cyber threats is quickly changing.
72 everyone – from the young to the old, on
snapchat, facebook and twitter - know and
practice basic security habits.

Top Trends Africa Cyber Security Framework


We analysed incidents that occurred in 2017 and compiled

14
Attackers are now launching increasingly
a list of top trends that had a huge impact on the economic
and social well-being of organisations and African citizens. 77 sophisticated attacks on everything from
business critical infrastructure to everyday
devices such as mobile phones.

Top Priorities for 2018 Appendixes

20 We have highlighted key priorities for 2018.


82
Cyber Intelligence Statistics, Analysis, & Trends References

29
We have monitored organisations’ network for malware
and cyber threat attacks such as brute-force attacks
against the organisation’s servers. 86
2017 Africa Cyber Security Survey

43
This survey identifies current and future Cyber security
needs within organisations and the most prominent
threats that they face.
4

Editor’s Note and


Acknowledgement
We are excited to present the 5th edition of Africa Cyber Security Report. Over the last 5 years,
we have consistently strived to demystify the state of cyber security in Africa. In this edition
themed ‘Demystifying Africa’s Cyber Security Poverty Line’, we take a deeper look at the financial
limitations impacting many African organisations. We also provide a comprehensive analysis of
the top Cyber security questions for Board members and Executives. This report comes at a time
when African organisations are grappling with evolutionary changes in their social, technological,
economic and regulatory environments.

The report contains content from a variety of sources and covers highly critical topics in Cyber Brencil Kaimba
Intelligence, Cyber Security trends, Industry Risk Ranking and Home Security. Editor-in-chief

Our research is broken down into the following key areas:

Top Trends: We analysed incidents that plus post-attack disruption to the normal What can our readers look
occurred in 2017 and compiled a list of course of business.
forward to in this report?
top trends that had a huge impact on
the economic and social well-being of Sector Risk Ranking: The risk appetite for
organisations and African citizens. This organisations varies. In this section, we rank This report gives
section provides an in-depth analysis of different sectors based on their risk appetite, insightful analysis of
these trends. number of previous attacks reported, likelihood
and impact of a successful attack.
cyber security issues,
Cyber Intelligence: This section highlights trends and threats
various Cyber-attacks, technical Anatomy of a Cyber Heist: This section in Africa. Its sections
methodologies, tools, and tactics that provides a wealth of intelligence about how
are well researched
attackers leverage to compromise Cybercriminals operate, from reconnaissance,
organisations. The compromise statistics gaining access, attacking and covering their and structured to
and indicators provided in this section tracks. This section is tailored to assist Security cater for the needs
empower organisations to develop a managers identify pain points within the
organisation.
of all organisational
proactive Cyber security posture and
staff including Board
bolster overall risk.
Home Security: In light of the increased Directors. The anatomy
Survey Analysis: This section analyses residential internet penetration, smart phone of a cyber-heist was
the responses we received from over 700 use and cases of Cyber bullying, it has become
necessary to raise awareness on Cyber compiled with security
organisations surveyed across Africa. It
measures the challenges facing African security matters at a non-corporate level. This implementers and
section highlights key challenges in the modern
organisations, including low Cyber security forensic investigators
budgets and inadequate security impact smart home and sheds light on the growing
issue of Cyber bullying. in mind while the top
awareness that eventually translates to
limited capabilities to anticipate, detect, priorities section
respond and contain threats. Africa Cyber Security Framework (ACSF): In caters for Directors
order to assist businesses in Africa, especially
SMEs, we developed the Africa Cyber Security and Senior Executives.
Cost of Cyber Crime Analysis: Here we
closely examine the cost of Cybercrime in Framework (ACSF). This section highlights the
four (4) key domains of ACSF which serves to We have also highlighted other
African organisations and in particular, to
help businesses identify and prioritize specific social issues such as home security
gain a better appreciation of the costs to
risks plus steps that can be taken to address that plays an important role away
the local economy. We provide an estimate
these risks in a cost effective manner. from the corporate standpoint.
of this cost, which includes direct damage

Demystifying Africa’s Cyber Security Poverty Line


5

Appreciation Commentaries

In developing the Africa Cyber Security Report 2017, the Eng. Haru Al Hassan
Serianu CyberThreat Intelligence Team received invaluable
Director, New Media and Information Security Department,
collaboration and input from key partners as listed below;
Nigerian Communications Commission - Nigeria

Kaleem Ahmed Usmani


Officer in Charge, Mauritian National Computer Security Incident
Response Team, Mauritius

The USIU’s Centre for Informatics Research and Innovation Aashiq Shariff
(CIRI) at the School of Science and Technology has been our CEO, Raha - Liquid Telecom Limited, Tanzania
key research partner. They provided the necessary facilities,
research analysts and technical resources to carry out the Henry Kayiza
extensive work that made this report possible.
Ag. Assistant Commissioner, Cyber Crime Unit, Uganda Police

Ibrahim Lamorde
Our key partners in the various countries in scope provided
immense support through their network of members spread Commisioner of Police, Police Special Fraud Unit, Lagos- Nigeria
across Africa. Key statistics, survey responses, local intelligence
on top issues and trends highlighted in the report were as a John Sergon
result of our partnership. These are: Ag, Chief Executive Officer, ICT Authority, Kenya

Fredric Bobo
IT Audit Manager, African Organisation of English-speaking
Supreme Audit Institutions, South Africa

John Ayora
Director, Information Systems Security, Bank of Africa Group,
Botswana
Senegal

Shimelis Gebremedhin Kassa


The Serianu CyberThreat CISA, MSCS,CEH - General Manager, MASSK Consulting PLC,
Intelligence Team Ethiopia

Baidy Sy
We would like to single out individuals who worked tirelessly Associate Director, Digital Transformation and Cybersecurity
and put in long hours to deliver the document. Lead of Finetech Groupe, Senegal
Joseph Mathenge Faith Mueni Morris Ndung’u
Ben Roberts
Jackie Madowo Stephen Wanjuki Margaret Ndung’u
Chief Technical Officer, Liquid Telecom Group, Kenya
Kevin Kimani Jeff Karanja Paul Ingari
Martin Mwangi Nabihah Rishad Ayub Mwangi Arnold Mangemi
Barbara Munyendo Samuel Keige Samuel Momanyi Director Information Security, National Information Technology
Daniel Ndegwa Authority Uganda (NITA-U) - Uganda
George Kiio Bonface Shisakha
Kenneth Ogwang
USIU Team Group Head of IT, East African Breweries Limited (EABL),
Osemeke Onyibe Shalom Lucy Nathan a subsidiary of Diageo PLC, Kenya
Stephen Maina Kuta, Jamilla Uchi
Dr. Peter Tobin
Gitau Polly Mugure
Privacy and Compliance Expert, BDO Consulting, Mauritius

Demystifying Africa’s Cyber Security Poverty Line


6

Building Data Partnerships


In an effort to enrich the data we are collecting, Serianu continues to
build corporate relationships with like- minded institutions. Recently,
we partnered with The Honeynet Project ™ and other global Cyber
intelligence organisations that share our vision to strengthen the
continental resilience to cyber threats and attacks. As a result, Serianu has a regular pulse
feeds on malicious activity into and across the continent. Through these collaborative efforts
and using our Intelligent Analysis Engine, we are able to anticipate, detect and identify new
and emerging threats. The analysis engine enables us identify new patterns and trends in the
Cyber threat sphere that are unique to Africa.

Our new Serianu CyberThreat Command Centre (SC3) Initiative serves as an excellent
platform in our mission to improve the state of Cyber security in Africa. It opens up
collaborative opportunities for Cyber security projects in academia, industrial, commercial and
government institutions.

For details on how to become a partner and how your organisation or institution can benefit
from this initiative, email us at info@serianu.com

Design, layout and production: Tonn Kriation

Disclaimer

The views and opinions expressed in this report are those of the authors and do not necessarily reflect the
official position of any specific organisation or government.

As new research and experience broaden our understanding, changes in research methods or professional
practices, may become necessary. Practitioners and researchers should therefore also rely on their own
experience and knowledge in evaluating and using any information described herein.

For more information contact:

Serianu Limited:

info@serianu.com | www.serianu.com

Copyright © Serianu Limited, 2017


All rights reserved

Demystifying Africa’s Cyber Security Poverty Line


7

Foreword
The global cyber security landscape is evolving and becoming
complex. This evolution is largely being driven by the rapid change
and quick adoption of technology innovations. Since the launch
of our inaugural report in 2012, the Africa Cyber Security Report
(ACSR) has focused on unravelling the African Cyber security
landscape. We have focused on understanding how African
organisations in private and public sector perceive and respond
to the cyber security challenge. This approach has enabled us to
influence and enhance the quality of discussions around cyber
security across the continent.

Through six years of research, we then cross-examined their annual


have grappled with a critical question expenditure on Cyber security. The
that still puzzles the cyber security findings from this survey shockingly
industry across the world. What is point that most businesses, especially
the right level of cyber security for SMEs, are struggling to put in place
an organisation? One clear output basic cyber security structures. More
of our research is that most African than 95% of African organisations
organisations perceive Cyber security in private and public sectors are
as a very technical and expensive either operating on or below the
affair. They are struggling to
determine the right level of security
“Security Poverty Line”. Most of these
organisations spend a maximum of
The 2017 Cyber
and adequate budgets for security USD 1,500 annually on cyber security
initiatives. These questions, coupled technologies and services. security survey
with numerous requests from readers
of our reports across Africa informed In Africa, Small and Medium shockingly reveals
our 2017 cyber security report Enterprises (SMEs) create around
theme; Demystifying the Africa Cyber 80% of the continent’s employment that over 95% of
Security Poverty Line. The theme (World Economic Forum, 2010),
borrowed from the term “Security
Poverty Line.” The Security Poverty
which clearly shows the importance
of SMEs to African economies. The
African businesses
Line means the point below which an
organisation cannot effectively protect
lack of adequate Cyber security
controls in these organisations is an
are operating
itself against losses to cyber attackers. economic threat that the entire SME
sector must address. Businesses below the cyber
within the SME sector are continually
automating their processes and as ‘security poverty
a result their continued dependency
10 700 12 on technology is driving them deeper line’.
countries in africa respondents Industry Sectors into risk. Our research reveals that the
most vulnerable SMEs are those in
In our quest to answer this question, the financial services sector such as
we surveyed over 700 business cooperatives, Saccos, micro-finance
William Makatiani
professionals from various businesses institutions, Fin-tech service providers CEO, Serianu Limited
in 10 countries across Africa. We and mobile money transfer services.

Demystifying Africa’s Cyber Security Poverty Line


8

The 2017 Ransomware attack is for these companies to adopt


a good case in point, where many complex Cyber security frameworks,
cyber security professionals in Africa leaving them exposed and
were contracted by established vulnerable to attacks.
organisations. At the height of the
crisis, the small Cyber security The 2017 Africa Cyber security
professionals’ talent pool were report is a call to action. The
snapped up by huge multi-nationals African Cyber security ecosystem –
that offered better incentives. government, consultants, vendors,
This left the vulnerable SME sector academia – need to find cheaper
completely at the Cyber criminals’ and practical ways to address
mercy. Considering the skills and the continent’s cyber security
technical resource challenge in the challenges. The continued reliance
continent, who was taking care of on overly expensive and elaborate
the SMEs? frameworks is not working for 95%
of the key constituents – SMEs. We
SMEs in Africa are facing a several need to develop new approaches
challenges including the prohibitive and attitudes towards the problem
cost of Cyber security solutions and build self-reliance and self-
and services, limited budgets, lack sufficiency to adequately address
of skilled personnel. With these the Cyber security challenge in the
challenges, it’s become prohibitive continent.

Demystifying Africa’s Cyber Security Poverty Line


9

Executive Summary
The global landscape of cyber threats is quickly changing. The 2017 Cyber Security Report is
part of our contribution to this shift as we help customers and the public better understand
the nature of the threats in Africa.
Our research is broken down into 8 key areas: Using the Africa Cyber Security Maturity Framework, we were
able to establish the maturity levels of these organisations.
• Top Attacks
• Cyber Intelligence
• Survey Analysis
Levels of cyber maturity
• Home Security

5
• Top Trends A comprehensive IT security program
Excellent is an integral part of the culture. Status
metrics for the IT security program are
• Sector Risk Ranking
established and met.
• Industry Analysis

4
• Anatomy of a Cyber Heist
Has a superior security program and is
As more business models move away from physical to
Intelligent extremely well positioned to defend its IT
assets against advanced threats.
cyber operations, it’s become evident that the African
cyber health is poor. The 2017 Cyber security survey

3
shockingly reveals that over 90% of African businesses
are operating below the cyber ‘security poverty line’. Has a well-developed security program
Engaged and is well positioned to further
improve its effectiveness.
What is the cyber security poverty line?

2
Many organisations particularly SMEs lack the basic
Has generally implemented some security best
“commodities” that would assure them of the minimum Informed practices and thus making progress in
security required and with the same analogy, be providing sufficient protection for its IT assets.
considered poor.

1
In the context of a cyber-security poverty line there Falling well short of baseline security practices and
thus neglecting its responsibility to properly protect its
are still numerous organisations particularly SMEs that Ignorant IT assets. Many enterprises lack a holistic
do not have the skills, resources or funding to protect, understanding of their cyber risks and therefore, an
detect and respond to cyber security threats. Many effective strategy to address these risks.
organisations and individuals fall below this line. We aim
to demystify the cyber security poverty line within Africa.

What are the characteristics of organisations What is the impact of operating below the poverty line?
operating below the poverty line?
The overall survey results found about 90% of respondents in
Firms rated their own capabilities by responding to 24 Africa have significant Cyber security risk exposure (with overall
questions that covered the four key functions outlined in capabilities falling below under Ignorant capability).
the Africa Cyber Security Framework: Anticipate, Detect,
Respond, and Contain.

Demystifying Africa’s Cyber Security Poverty Line


10

General characteristics of What does the future hold


organisations operating below the for this problem?
Cyber security poverty line are:
As cyber-attacks continue to
• Lack the minimum requirement evolve, it’s paramount that
for fending off an opportunistic organisations rise above the
adversary. cyber security poverty line. In
• Are essentially waiting to get taken a world where buying a tool
down by an attack. is considered a silver bullet to
solving cyber security issues, it’s
• There’s also the idea of technical critical that we ask ourselves
debt as a result of postponing key questions:
important system updates.
• What are my organisations
• Lack in-house expertise to maintain
top risks?
a decent level of security controls
and monitoring • What is the worst that can
happen to my business?
• Tremendously dependent on third
parties hence have less direct control • What do I need to do to
over the security of the systems they ensure that I have secured
use. my systems against
these threats?
• They also end up relinquishing risk
decisions to third parties that they This approach creates room
ideally should be making themselves. for dialogue between business
• Lack resources to implement and IT. Years of experience in
separate systems for different tasks, the Cyber security field has
or different personnel to achieve shown that organisations with
segregation of duties. little budgets can still maintain
reasonable security levels
• They’ll use the cheapest software granted they understand the
they can find regardless of its quality few critical areas that need to
or security. be protected the most.
• They’ll have all sorts of back doors
to make administration easier for
whoever they can convince to do it.

Demystifying Africa’s Cyber Security Poverty Line


11

Key Highlights
Breakdown of key statistics for different countries:
Penetration Estimated
Population GDP (2017) Estimated Cost of
% Population No. of Certified
(2017 Est.) in USD cyber-crime (2017)
(2017) Professionals

1,300,000,000 $3.3T 35% $3.5B 10,000


Africa

Nigeria 195,875,237 $405B 50% $649M 1800

Tanzania 59,091,392 $47B 39% $99M 300

Kenya 50,950,879 $70.5B 85% $210M 1600

Uganda 44,270,563 $24B 43% $67M 350

Ghana 29,463,643 $43B 34% $54M 500

Namibia 2,587,801 $11B 31% * 75

Botswana 2,333,201 $15.6B 40% * 60

Lesotho 2,263,010 $2.3B 28% * 30

Mauritius 1,268,315 $12.2B 63% * 125

*Certified Professionals is limited to the following certifications: CISA, CISM, GIAC, SANS, CISSP, CEH, ISO 27001, PCI DSS QA and other relevant courses.
*Economic and internet usage data extracted from respective country Internet regulator reports and World Bank site.

The past year was a particularly tough period for local organisations with respect to cyber security. The number of threats and data breaches
increased with clear evidence that home grown cyber criminals are becoming more skilled and targeted.

Cost of cyber-attacks Fake News has hit Africa’s


over

90%
are operating below
the security poverty
line significantly
$3.5B media streams as we
increasingly see unverified
and often conjured up news
of African exposing themselves annually being circulated through
organisations to Cyber security risks various medium.

over

90% Banking Sector is


still the most
Most organisations’
Cyber security programs are 96%
Cyber security
of parents don’t understand what
measures to take to protect their
targeted industry
in Africa
Tool Oriented incidents either go
unreported or
children against in Cyber bullying
unsolved

Demystifying Africa’s Cyber Security Poverty Line


12 Industry Players Perspectives

What is fake news? What happens when fake news spreads?

Written and published news with the intent to What actions can people take to verify
mislead in order to damage an entity or person news stories, photographs and of online
and/or gain financially. information?
How did fake news become such a big It is very difficult to verify information on the
problem? internet, preventive and proactive measures
taken through collaboration with all relevant
People believe what they see in the public stakeholders would be the best way to prevent
domain, especially on popular information the spread of fake news. Counter narratives
sharing sites. Because it was designed to using the same media, but indicating authentic
instigate outrage and shock, some readers or credible sources may help in certain
Eng. Haru Al Hassan share it on Facebook, twitter, or other types of circumstances.
social media without questioning it or with the
Director, New Media and purpose of helping others. We do everything online - book doctors’
Information Security appointments, manage our bank accounts
Department Fake news is a problem because it is aided by and find dates. Do you think we are ready to
speed and large number of audience in the vote from our PCs or smartphones? Explain.
Nigerian Communications social media domain.
Commission No. The stakes are higher in the case of voting
What will ultimately get brands to fight as compared to other online endeavors.
Nigeria fake news? Moreover, availability of network services
in most remote areas will be a challenge to
Google now work with international fact- contend with. Even where there are services
checking network, IFCN, in three main ways: and people have smart phones, we have to
increasing the number of verified fact checking make sure that the people are in control of
in the world, expanding the code of principles their own computers as far as security is
into new regions, and offering free fact concerned.
checking tools. It should be encouraged in
other climes too, countries should enter into There are two major concerns when it comes
partnership with content providers to find to security: the vulnerabilities of voters’
solutions to this problem. personal computers, and the vulnerabilities of
the servers and back-end systems that would
Should regulators force influential power the online voting infrastructure and host
platforms like Google and Facebook to the websites for particular jurisdictions.
remove fake news and other extreme
forms of content from their platforms? The fears on the server side concern hackers.
The biggest fears there revolve around users
Yes, though both companies already have being redirected to fake sites and servers, thus
strict policies for their ad networks, it is also causing a vote to go to the wrong place and
important to reach an agreement with these leading to inaccurate tallying. But the security
companies on what to remove as fake news. of those systems are easier to control than
By removing a potential revenue stream, it citizens’ computers.
makes the business of fake news a bit less
lucrative. It’s clear that it’s not just about What is the highest risk that we face by
influencing people’s conviction, they also take moving to electronic voting?
advantage of social networks to make money
using fake news. If Facebook, Twitter, Google In any elections, verification or validation and
News and other website flagged inappropriate anonymity of votes is very important. Voting
content, then there would be no reason to away from polls also raises the spectra of vote
create fake news sites in the first place. manipulation. The major issue at stake will be
ignorance and lack of awareness, which can
lead to one internet savvy ‘expert’ voting on
behalf of many.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 13

What are some of the pros? How often do you transact using your Based on your experience,
mobile phone? approximately how many times do
• It will make collation of election results
organisations within the country carry
much easier.
Daily. out comprehensive Cyber security
• People can vote from anywhere.
• Ransomware. audits annually?
Have you ever been a victim of online/
Why is Ransomware so effective? mobile scam? Once a year, albeit rarely.

Ransomware displays intimidating No. Where would you rate the Cyber
messages that will induce a victim not to
security maturity levels of the
ask for help, it is done in such a way that a
Why does the cyber skills shortage organisations you have interacted
victim is meant to believe the only option
he/she has is to pay the ransom, in order
need immediate attention? with?
to disinfect your system. The authors of • To help in the combat against cyber • High
Ransomware tend to instill fear and panic criminals in the country. • Medium
into their victims, causing them to click on • To enhance security and confidence in • Low
a link or pay a ransom, and users systems the use of cyberspace.
can become infected with malware. In your opinion were there more cyber-
Social engineering concepts are also used How many unfilled security jobs are attacks in the year 2017 as compared
in some cases to convince a target to estimated to exist today? to previous years?
succumb to ransomware attack.
The low availability of professionals Yes.
What is the possible impact of with specialized cyber skills is one of
Ransomware? the biggest issues facing organisations
looking to defend their core business Which categories of Cyber security
systems against cyber-attacks. A recent should organisations be most keen on?
Ransomware not only targets home users;
report from Information Systems Audit • Vulnerability assessment and
businesses can also become infected
and Control Association (ISACA) one penetration testing services.
with Ransomware, leading to negative
of our important stakeholders, titled • Cybersecurity risk audit services.
consequences, including;
“The Growing Cyber Security Skill Crisis,” • Forensics and investigations
• temporary or permanent loss of estimated that there are as many as 1 services.
sensitive or proprietary information, million unfilled security jobs worldwide.
• Managed security services.
• disruption to regular operations,
• financial losses incurred to restore How does collaboration help enrich the Which sector releases the highest
systems and files, and students’ learning? number of cyber security tenders
• potential harm to an organisation’s within the country?
reputation.
It serves as an avenue for knowledge • Financial sector
Paying the ransom does not guarantee sharing - learning new concepts, • Manufacturing sector
the encrypted files will be released; techniques, solutions and services • Hospitality
it only guarantees that the malicious rendered by relevant stakeholders. • Government institutions
actors receive the victim’s money, and in • Others
some cases, their banking information. In In the year 2017, what were the key
addition, decrypting files does not mean Cyber security consultancy services Based on your previous experience,
the malware infection itself has been that the industry need the most? what are the most critical Cyber
removed. security challenges being faced by
• Vulnerability Assessments local market?
Have you or know someone you know • Forensics
• Audit Services • Budget or Management buy–in.
been affected by Ransomware?
• Risk Management Programs • Lack of awareness.

No.

Demystifying Africa’s Cyber Security Poverty Line


14

Top Trends
Fake News: Insider Threat: The enemy within
Vulnerability of truth Insider threats still top our list when it comes
A lie can travel half way around to high risks. From the numerous cases
the world while the truth is reported this year, it’s clear that the group most
putting on its shoes’, they say. implicated is administrators and other privileged
users, who are in the best position to carry
out a malicious breach, and whose mistakes or
In 2017 our media platforms
negligence could have the most severe effects
were overwhelmed by rogue
to the organisation. The key contributors to the
politics, misinformation and
success of these attacks were inadequate data
dubious claims. From videos of
protection strategies or solutions and a lack of
post-election violence to news
privilege account monitoring.
about politicians who have
deflated from their political
parties, the real impact of Top insider threats:
the growing interest in fake
• Administrator accounts
news has been the realization
that the public might not be • Privileged users accounts
well-equipped to separate
quality information from false • Contractors, consultants and temporary
information. workers.

It is paramount that
governments and social media
owners lay down stringent
measures to clamp down on fake
news. We however appreciate
that fabricated stories are not
likely to disappear soon as they
have become a means for some
writers to push their agendas,
manipulate emotions, make
money and potentially influence
public opinion.

Demystifying Africa’s Cyber Security Poverty Line


15

Ransomware: I don’t WannaCry

Key:
Countries affected
by Wannacry attack

Countries not affected


by Wannacry attack

Worldwide attack map

Throughout the first half of 2017, one thing still The Polymorphic technique with minor changes leads
stood: ransomware is here to stay. We have seen to unknown malware and greater obfuscation. For
an explosion of new variants, new attack tactics. example, there is a PowerPoint malware that spreads
by simply hovering a mouse pointer over a tainted
The level of sophistication in distribution methods PowerPoint slide, WannaCry which spread itself within
and attack vectors have expanded and it’s no corporate networks without user interaction, by
longer enough to just rely on signatures and exploiting known vulnerabilities in Microsoft Windows.
antiviruses, because, unfortunately, the data also
shows no one is immune.

Demystifying Africa’s Cyber Security Poverty Line


16

Cyber bullying: It takes the It is critical that we develop the right


skills for our IT team that will enhance
entire Cyber Community to the ability to Anticipate, Detect,
raise a child Respond and Contain Cyber threats.

From cases of ordinary citizens Mobile and Internet related


committing suicide to popular artists
claiming to be victims of Cyber
services. Battery is low is no
bullying, it goes without saying that the longer the only warning
uncontrolled liberty to write messages
on social media has brought with it As the use of online services has risen
social injustices. - with more than half of the banking
users using internet banking and
three quarters using mobile banking
services. Attackers are now leveraging
these platforms to steal money from
customers.

This year, several attacks reported


Skill gap: What you do not indicated that hackers used dormant
know will hurt you accounts to channel huge sums of
money from banks. Majority of the
The cost of Cybercrime grew by attackers also leveraged the no-limit
approximately 20% but the skill gap is vulnerability present in most internet
widening. Very few people know what banking systems to channel out money.
they’re doing, most IT and security
staff are downloading templates from Mobile banking users have also become
the internet and applying these in their victims of social engineering attacks
organisations. From our analysis, a key especially with the increased number of
contributor to this is that organisations betting and Ponzi schemes.
tend to look for people with traditional
technology credentials — IT, Computer
There is a clear need to bridge the
Science. But when you look at the
knowledge gap on mobile money
matter, we need Technology analysts,
operations among security teams and
Cyber Risk Engineers, data analysts,
to identify common security, fraud
Risk experts most of which do not
Blue Whale Challenge is an example and money laundering challenges
necessarily warrant a technology
confronting mobile money operations
of an evolved Cyber bullying course. Majority of organisations
across the financial services sector.
mechanism targeting vulnerable encourage their IT teams to take up
Mobile money users are also to be
teenagers. The game assigned courses that don’t necessarily add value
educated on identifying and evading
daily tasks for 50 days, thereafter to the security of the organisations.
phishing scams.
encouraged the user to commit
suicide. A number of children fell It is also concerning that companies
victim to this game- one teenager in would rather poach talent from each
Kenya. other and from training providers than
develop it themselves.
It is critical that African organisations
formulate laws to criminalize cyber This points to the sad fact that
businesses are thinking in the short
buying. A number of countries
term. Rather than cultivating the
have made strides in this and have
needed talent, organisations are
criminalized Cyber bullying.
continuously relying on ready-made
talent pool.

Demystifying Africa’s Cyber Security Poverty Line


17

Network Architecture: We have noted a few


initiatives from the
Defense In-depth private sector including
the “Nigeria Blockchain
The success of most attacks in 2017
Alliance” (NBA) which brings
were in one way or another linked to one
together law enforcement
critical issue: Weak Security Architecture.
agents, legal practitioners,
Successful ransomware attacks were
forensic investigators and
mainly due to missing patches. Other
government in the fight
cases involved inadequate privilege
against crypto currency
account monitoring and poor third party
related crimes and the CBK
risk management.
in Kenya and the Bank of
This means, putting controls in place Tanzania and capital market
Yet these organisations have invested and Securities Authority issue
heavily in the latest Antivirus programs or for Remote Access (see appendix
for Remote access tools list), Change warning on ponzi scheme. More
SIEM solutions. awareness and initiatives needs
and vulnerability management.
to be put in place to ensure that
Phishing: The weakest Link citizens are protected from these
scams.
Phishing is one of the attacks that
leverages the inadequacies of System Integrity:
humans and remains worryingly Eroding Public Trust
effective. In quarter on 2017,
Kaspersky Lab products blocked 51 Government systems have
million attempts to open a phishing become a target for hackers
page. Over 20% of these attacks seeking to make news or disrupt
targeted banks and other credit service delivery. From Electoral
and financial organisations. With the systems to Integrated Financial
evolution of phishing, it has become Management Information System
clear that basic awareness training (IFMIS), 2017 registered the
may not be sufficient to safeguard highest number of alleged election
your organisations. 2017 has proven hacking in Africa, Europe and
High technology solutions installed on top
that we need to leverage technology America. Whether the allegations
of weak architecture only equals one thing
especially since education programs, for hacking are true or not, there
A WHITE ELEPHANT. Most organisations in
awareness campaigns and product is no denying that these systems
2017 focused a large part of their IT budgets
innovation on their own have failed. have become a juicy for hackers.
on acquiring high end technologies but
As such tighter controls need
forget to set the foundation on which these Cyber Pyramid Schemes: to be in place to ensure that
technologies will effectively operate.
Easy come, Easy go the confidentiality, integrity and
availability of these systems are
A SIEM tool is a useless investment if auditing maintained.
2017 has seen a fair share of Ponzi
is not enabled in network devices, no expertise
schemes. Notable example in Kenya
exists for continuously analyzing and refining
is Public likes which cost Kenyans
the alerts. Defense-in-depth means, applying
roughly Ksh. 2 trillion, D9 ponzi
multiple countermeasures in a layered or
scheme in Tanzania, and crypto
stepwise manner. Because there are ways
currency scams in Nigeria. These
around traditional protective systems such as
schemes rely on a constant flow
firewall, it is imperative that individual systems
of new investments to continue to
be hardened from the Network, Application,
provide returns to older investors.
Endpoint and Database levels.
When this flow runs out, the scheme
falls apart. In recent times, we have
seen these schemes evolve to now
include crypto currencies.

Demystifying Africa’s Cyber Security Poverty Line


18 Industry Players Perspectives

In your opinion, what was the key cyber Should regulators force influential
security issue facing your country or platforms like Google and Facebook to
Africa, what is being done to address remove fake news and other extreme
this issue? forms of content from their platforms?

Wannacry and petya Ransomware were the It varies from country to country. For
biggest. Mauritius, whenever we identify these
messages or fake news, we liaise with the
We took the following steps: relevant platform owners (Google/Facebook)
to remove the messages. At times we are
• Advisory: We circulated an advisory to successful. For continued effectiveness, we
organisations and people in the country need to enhance the relationship between
3-4 times. law enforcement, private sector and
Kaleem Ahmed Usmani • We actively monitored key systems government.
within the country for any malicious
Officer in Charge
indicators of compromise
• We engaged with our partners in the
What can be done to improve the
Mauritian National country to gather more intelligence on general user awareness on the
Computer Security Incident key indicators of compromise, statistics detection of fake news in the country?
Response Team and patching of systems.
Education is crucial. We conducted a number
Mauritius Do you think fake news is a major of campaigns all year round for parents,
problem in your country or Africa? senior citizens and children to sensitize them.
We also liaise with various vendors such as
Yes it’s a problem, especially on social media. IBM, Symantec to gather better intelligence
Our internet penetration is well over 50% and action on these.
and majority of these users have access to
social media. Social media has been used to Many governments in Africa are
spread false information and ignite unrest in investing in e-services (e-government,
the country.
e-voting, e-tax systems and many
other portals.) Do you think the African
Who should be responsible for
citizenry is ready to consume and
controlling the creation and
utilize these systems without the worry
distribution of fake news (government,
of privacy, security and fraud?
end users, Telcos or ISPs or content
owners)? We are in the digital transformation age
where such automation is expected in order
This is a collective responsibility. Given that to improve efficiency and service delivery.
the channels used to transmit fake news There are a number of e-services that are
are privately owned, Telcos only provide the working properly and some which still need
connectivity and the privacy of users has to to be secured.
be maintained at the end of the day. This
needs the combined effort of all involved In Mauritius particularly, we have made a
stakeholders. We need to educate people number of strides in this regard, we are
and have systems in place to detect them. ranked 6th best in the world rankings,
The police in Mauritius have done a good job and we have strong legislations and cyber
ensuring that they inform people accordingly. security strategy that we are implementing.
E-government strategy addresses the
security of systems. Security can never
be 100% however, so we are continuously
reviewing our strategies to minimize our
cyber threat exposure.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 19

In 2017, we had several cases of Do you think organisations are In your opinion, what should
cyber security attacks including spending enough money on African countries/universities
ransomware attacks across the combating cyber-crime? focus on to encourage innovation
world– were you impacted by in the development of cyber
these attacks? This is subjective as it depends on the security solutions?
country. The Mauritian government
Yes, mostly by the ransomware is committed to ensuring that It is important that we develop
Wannacry and petya. organisations are secure by putting frameworks that support innovation
in proper policies in place. Many within our countries and universities.
organisations have different priorities, Platforms such as COMESA, SADC
If yes, how did you (company or
but over the years they have now should also be leveraged to promote
country) respond to these cases? started paying attention. Government partnerships for innovations in the cyber
• Advisory: We circulated an advisory budget has also increased in recent space.
to organisations and people in the years.
country 3-4 times. In your opinion and from an African
• We actively monitored key systems Based on our research the Africa context, what are the top 2018
within the country for any malicious cyber security market will be
indicators of compromise
cyber security priorities for African
worth USD2 billion dollars by countries and organisations?
• We engaged with our partners in the
2020. Despite this opportunity,
country to gather more intelligence
on key indicators of compromise,
Africa has not produced a single We are lagging behind in legislation,
statistics and patching of systems. commercially viable cyber security organisational and national strategies,
product/solution. capacity building of professionals,
Considering the shortage of skilled alignment of our legislations with
resources in Africa, how can we This is true. African universities don’t international standards, international
limit the impact of ransomware have specialized courses for cyber cooperation.
cases? security while at the same time, we
do not promote the culture of cyber Cyber security attacks are borderless,
Education is key. We need to empower security. As a country, Mauritius is if we have a harmonized legislation (AU,
people with basic knowledge to working to address this challenge SADC), it will be easier to contain these
understand what to do for example through its Software development threats.
with an email attachment which is a strategy that is currently in draft. This
ransomware. We also need to train will provide a framework for software
our cyber security experts to have the development within the country.
capacity and competence to manage
such cases.

Demystifying Africa’s Cyber Security Poverty Line


20

Africa’s

Transitioning from 2017 to 2018, the journey of attaining a


secure cyber ecosystem is a long but optimistic one. Cyber-
attacks will continue to grow and only the informed
and prepared would survive with minimal losses. In 2018,
cyber threats and counter measures are likely to take the
following dimensions:

Continuous Monitoring:
Database Security:
Askari Vigilance
10 1 Secure the vault

Security Privileged User


Architecture/ 9 2 Management:
Engineer skill set: Who has access to
Widen your the crown jewels
employee gaze

Africa’s

The Board’s
Changing Role:
8 3 Patch
Management:
Security begins at To patch or
the top not to patch

Vendor/Third Party Unstructured Data


Security:
Bring Your Own
7 4 Management:
There is no one
Vulnerability size fits all

Employee Security
Awareness:
Ignorance is not Bliss
6 5 Endpoint Security:
Cyber security
front-line

Demystifying Africa’s Cyber Security Poverty Line


21

Organisations must adopt a privileged Emails, medical records and contracts


1 Database Security:
account security strategy that includes are a few examples of unstructured data
proactive protection and monitoring of that exist in the organisation. Whereas
Secure the vault all privileged credentials, including both most institutions have some form of
passwords and SSH keys. unstructured data, it’s the healthcare and
Database (DB) security concerns
insurance industries that top this list with
the protection of data contained
within databases from accidental or 3
Patch Management:
terabytes of data in file shares and home
directories. The security of this data
intentional but unauthorized access,
however remains an under-recognized
view, modification or deletion.Top priority To patch or not to patch
problem as these files and folders are
for security teams is to gain visibility on
75% of vulnerabilities identified within left unsecured. This has resulted in
activities on the databases particularly,
local organisations were missing patches. often-unnecessary data exposure and
direct and remote access to DB by
In 2017 alone, we have seen vendors such unauthorized access. To help secure
privileged users. Fine grained auditing
as Microsoft releasing over 300 patches against the security risks of unstructured
of these activities is essential to ensure
for their windows systems. This presents data it’s necessary that we;
integrity of data. Going to 2018, database
two obvious lessons:
security should be a top priority that • Identify critical unstructured
focuses on ensuring that access to the • The increased number of released information assets
database is based on a specific role, patches are choking organisations • Identify which employees possess
limited to specific time and that auditing • Organisations have not developed critical unstructured data
and continuous monitoring is enabled to comprehensive patch management • Implement technology and process
provide visibility. strategies and procedures. controls to protect data assets eg
DLP, Email Monitoring
2 Privileged User
Now more than ever, organisations need
to narrow down to one critical thing: What

Management: Who has do we patch? 5


Endpoint Security:
access to the crown jewels Not all of the vulnerabilities that exist in
Cyber security front-line
products or technologies will affect you, Often defined as end-user devices –
The main obstacle between your
2018 presents a great opportunity for such as mobile devices and laptops,
organisation’s crown jewels and hackers
organisations to strategize, focus more endpoint devices are receiving more
are privileged accounts.
energy on identifying testing and applying attention because of the profound
critical patches released. This may change in the way computer networks
These accounts are found in every
require adoption of an automated patch are attacked. With so many pluggable
networked device, database, application,
management system. devices in the network, this creates new
server and social media account and as
such are a lucrative target for attackers. areas of exposure.
More often, privileged accounts go 4 Unstructured Data • Unsecured USB devices leading to
unmonitored and unreported and
leakage of critical data, spread of
therefore unsecured. We anticipate that Management: There is no malware.
in 2018, abuse of privileged accounts one size fits all • Missing security agents and
will worsen and it’s therefore critical that
Unstructured data is information that patches accounts for 70% of all
organisations inventory all their privileged
either does not have a pre-defined data misconfigurations within the network
accounts, continuously review the users
model or is not organized in a pre- allowing attackers to exploit well
with these privileges and monitor their
defined manner. known vulnerabilities.
activities.

Demystifying Africa’s Cyber Security Poverty Line


22

• Unauthorized remote control Key questions that modern board


software giving attackers full control 7
Vendor/Third party
members should be asking themselves
of the endpoint. are:
• Unauthorized modems/wireless
security: Bring Your Own
access points Vulnerability ANTICIPATE
What are our risks and how do we
It is critical that before endpoints are In 2017, several attacks were launched mitigate them?
granted network access, they should meet against organisations and these had one DETECT
minimum security standards. Beyond this, thing in common; vendor involvement. Should these risks materialize, are we
organisations should invest in endpoint Be it directly or indirectly, vendors able to detect them?
security tools that provide capabilities introduce risks to organisations through RESPOND
such as monitoring for and blocking risky or their interactions with critical data. We What would we do if we were hacked
malicious activities. Focus areas: anticipate that in 2018, cases involving today?
rogue vendors will increase; we will see CONTAIN
• DISCOVER all devices that are
rogue vendors: What strategies do we have in place to
connected to a company’s network.
ensure damage issues don’t reoccur?
Including new or suspicious • Use privileged accounts to access
connections, other network systems,
• INVENTORY the OS, firmware and • Use remote access tools (RDP, 9 Security
software versions running on each Teamviewer, Toad) to access critical
endpoint. This information can also applications and databases Architecture/Engineer Skill
help prioritize patching • Manipulate source code for critical Set: Widen your employee
• MONITOR endpoints, files and the applications in order to perform gaze
entire network for changes and malicious activities
Majority of IT staff are tool analysts
indicators of compromise.
Organisations need to evaluate their focusing on understanding a tool instead
• PROTECT the endpoints using
potential vendor’s risk posture, ability of data processed within the tool.
technologies such as Antivirus
to protect information and provision of
service level agreement. At the end of
the day, when a breach occurs on your
10 Continuous
6 Employee Security vendor’s watch, regardless of fault, you Monitoring: Askari Vigilance
shoulder the resulting legal obligations and
Awareness: Ignorance is cost. There is need for continuous monitoring.
not Bliss The predicted increased number

If infrastructure is the engine, staff 8 The Board’s Changing


of attacks in 2018 demand for a
mechanism to detect and respond to
awareness is the oil that ensures the
life of the engine. Uninformed staff or
Role: Security begins at the threats and incidents. Even though most
organisations cannot adopt a real-time
employees not familiar with basic IT top round the clock monitoring and reporting
security best practices can become the
The traditional role of boards in providing it’s necessary that these organisations
weak link for hackers to compromise your
oversight continues to evolve. The impact look for alternate solutions and practices
company’s security. Staff awareness is
of Cyber attacks now requires board including managed services and day long
key.
member level participation. This proactive monitoring.
and resilient approach requires those at
the highest level of the organisation or
government to prioritize the importance
of avoiding and proactively mitigating risks.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 23

Kindly highlight some of the Do you think the African More awareness and risks
top cyber security issues of citizenry is ready to consume involved, and guidance on
2017 and how these issues and utilize these systems appropriate systems to
impacted you personally, without the worry of privacy, suggest comparing on the size
of data and risks involved.
your organisation or country. security and fraud?
• Malware with worm Based on our research the
capabilities What are some of the risks we
Africa cyber security market will
• Basics – Endpoint security, face with the introduction of
be worth USD2 billion dollars by
patching government driven e-services
2020. Despite this opportunity,
• Weakness of mobile and do you have any examples
Africa has not produced a
carriers of these cases in your country?
single commercially viable cyber
• Overwhelming client with security product/solution.
alerts If there is no appropriate
• Adapting firewall to face firewalls in place the
In your opinion, what
Aashiq Shariff new threats information can be gathered by
should African countries
• Monitoring |cloud wrong entity.
CEO or universities focus on to
configuration and Security
encourage innovation in
In 2017, we had several
Do you think fake news is the development of cyber
raha - Liquid Telecom Ltd cases of cyber security
a major problem in Your security solutions?
attacks including
country or Africa?
Tanzania ransomware attacks
What role can the private
across the world–were you
Yes sector and consumers of
impacted by these attacks?
imported cyber security
If yes, who should be products play to ensure
If yes, how did you (company
responsible for controlling we can encourage local
or country) respond to these
the creation and distribution players to start developing
of fake news (government, cases?
African grown cyber security
end users, Telcos or ISPs or products or solutions or even
content owners)? Some ended up paying in order
services?
to get the data.
Initially government, Telco’s, end Conduct the awareness and
users – collective efforts. Some who had end point
ready with solutions.
security worked with Antivirus
owners to patch and recover
Should regulators force the information. Ready solutions depending on
influential platforms like the organisations/entity.
Google and Facebook to
Considering the shortage of
remove fake news and other In your opinion and from
skilled resources in Africa,
extreme forms of content an African context, what
how can we limit the impact
from their platforms? are the top 2018 cyber
of ransomware cases?
security priorities for African
What can be done to improve countries and organisations?
Awareness, appropriate firewall
the general user awareness on
that can mitigate such attacks. • Technical Trainings
the detection of fake news in
• Awareness & Information
the country?
Do you think organisations are Sharing
spending enough money on • Collaboration –
Platforms that can be Government & Companies
combating cyber-crime?
confirmed – Government sites, (Private)
No. • Government Policies
Many governments in Africa • Other collaboration –
are investing in e-services Universities, Cyber security
What can be done to
(e-government, e-voting, experts, research institute,
encourage more spending
e-tax systems and many media houses.
on cyber security issues?
other portals.)

Demystifying Africa’s Cyber Security Poverty Line


24

Engaging Board Members in African Organisations


Top Cyber Security Questions
and foremost identify all your assets Organisations need to be aware of
and prioritize these based on their the kinds of connectivity allowed from
business need. both internal and external sources
and have management policies and
ANTICIPATE What are my institution’s key procedures around them.
business assets? Do I have
The first core cyber security adequate protection for them? How are staff at my institution
function is to identify your identifying risks, and providing
organisation’s cyber security risk, To adequately assess risk to your me with accurate and timely
which is the amount of risk posed organisation, you must first identify information about those risks?
what your organisation’s “crown
by your institution’s activities,
jewels” are, their location, and how At any given time your institution
connections, and operational they are being protected. These can could be exposed to several different
procedures. be employees or customers, property types of information security
(both tangible and intangible), or threats such as internal threats, like
Questions Executive’s should ask: information (databases, software malicious or unaware employees;
code, records). Physical threats by a potential
Does my institution fully intruder; and Internet threats, such
understand what information it What types of connections as hackers. Consider the threats
manages, where the information does my institution have (VPNs, your organisation is exposed to and
is stored, how sensitive is the wireless, LAN, etc.) and how are we the vulnerabilities that may exist
information, and who has access managing these connections? surrounding these threats.
to it?
A leak of confidential data whether
To identify risks that your organisation accidental or through thieving could
is exposed to require that you first lead to significant company losses.

Demystifying Africa’s Cyber Security Poverty Line


25

What is our ability to mitigate program enables organisations to There is need for executive leaders
those risks? improve their security posture by to be aware of the costs of cyber
offering employees the knowledge risks to the business. There should
60% of all identified vulnerabilities they need to better protect the be a defined set of metrics used in
go un-remediated/unmitigated. organisation’s information through reporting and making information
While 50% of successful attacks are proactive, security-conscious security related business decisions.
as a result of previously identified behavior.
vulnerabilities. It’s critical that for Are we prepared to prevent or
every vulnerability identified, the Do they have an understanding of limit the damage caused by these
organisation evaluates its ability to risk from their actions? attacks?
mitigate the risks
There is need to conduct organisation There is need for organisations to
How is my institution connecting to wide training on cyber security carry out risk assessments so as to
third parties and ensuring they are awareness. Employees need to identify critical business assets as well
managing cyber security controls? comprehend the significance of as their associated vulnerabilities. This
protecting company confidential will help in prioritizing risks as well as
Third party vendors not only have and client confidential information. resource allocation.
access to internal network but also They need to be aware of the
sensitive data. There is need for consequences of their actions as well  
third party vendor assessment as the penalties involved.
and development of a third party
management program.

How effective are my RESPOND


organisation’s policies and
procedures for monitoring Effective incidence response is
DETECT
information inventory? the backbone of any successful
Although prevention is ideal, not Cyber Security Program. It is
There is need to validate that policies important that organisations
and procedures for information all attacks can be prevented,
making compromise inevitable. adequately prepare for a cyber-
security exist, are up to date and
Therefore, a better approach to security incident, and this includes
reflect the organisation’s current
operating environment. security is timely detection of the knowing how you will respond
attack detection that will contain once an incident occurs. To do
Do my IT personnel have the and control the damage. this, organisations must have an
appropriate knowledge or skills to incident response plan.
protect against a potential cyber- Breaches are often detected
attack? after weeks, months or even Where to Start in Developing an
years. Detecting breaches Incident Response Plan.
The IT team needs to be equipped happening right now would of
with skills and techniques that they Questions Executives should ask:
course be very desirable.
can leverage against cyber attackers.
Have we created an effective
Questions Executives should ask:
Are my staff informed about cyber incident response plan?
threats?
How is our executive leadership
It is crucial that as an executive,
The people in an organisation are informed about the current level you ensure that there is an incident
the weakest link when it comes to and business impact of cyber risks response plan and team to support it.
cyber security. A security awareness to our company? At a minimum, the incident response

Demystifying Africa’s Cyber Security Poverty Line


26

plan should address the preservation Do we have a plan to inform A good incidence response plan will
of evidence, step by step guide on internal and external stakeholders? contain a step by step plan for:
handling different incidents and
optimum duration for incident handling • Rebuilding network devices that
Stakeholders need to be defined may have been compromised and
and escalation.
and documented. A communication restoring baseline configurations.
mechanism needs to be established • Restoring the integrity of data that
How often is it tested?
and documented in an incidence may have been compromised
response plan. • Restoring normal business critical
Regular testing of the Incidence
operations
response plan ensures timely
Conduct preparedness training for
containment of security incidents. When did we last test our incident
Testing of the Incident response
the incident response team.
response plan?
plan ensures that it remains current
and useful. Testing may include the There is need for Training and
Testing of the incidence response
following steps; resource requirements need to be
plan should be done at least annually
defined. The incident response team
or whenever any major changes occur
needs to be aware of the action plan
1. Updating the contact lists for in the business environment. This
that is to be executed when a crisis is
incidence response team, vendors ensures that the plan and its user’s
discovered.
remains updated on the activities
2. Performing table top exercises that are critical for business process
what are facilitated recovery.

3. Carrying out discussion based How will we communicate with


exercises where employees get internal staff, customers, third
to discuss their various roles parties, regulators and law
and responsibilities in case of a CONTAIN
enforcement of a data breach at
disaster. my organisation?
Getting to the root cause involves
What would we do if we were a level of understanding beyond A good response plan should
hacked today? that of simply identifying that a provide details of how and what to
system in infected. communicate during an incident. This
The incidence response plan should should cover the following:
cover steps provide an answer Executives need to understand
to this very critical question. The • Proper Incident notification channels
what specifically enabled or
following are three steps that should • Communication to customers,
facilitated the infection or regulators, media, law enforcement,
be addressed within the Incident
response plan:
compromise. Identifying the root and other stakeholders.
cause allows us to understand • Evaluation of the event and
1. Evaluation of the Cyber-event; why the malicious activity documentation – Evaluation is done
answer the following critical succeeded. This is then followed by answering and recording critical
questions such as were high value by precise measures to prevent questions, such as were high-value
assets compromised? Were any the reoccurrence of the issue. assets compromised? Were any
data altered/stolen? data altered?
Questions Executives should ask:
2. Invoke the Incident Response
Plan; this steps helps to prevent Does my organisation’s incident
further damage or loss. More response plan include steps for
often than not, at this points it’s recovering after a cyber-attack?
often too late to develop the right
procedures.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 27

In your opinion, what was the key • The anonymity that comes with the
cyber security issue facing your Internet makes criminals feel more
secure when committing the crime.
country/Africa, what is being done to
address this issue? • Cybercrime in its nature is not
hampered by physical borders or
territorial jurisdictions.
Yes, indeed.
• Malice
If yes, what do you think is the main • Espionage
cause of the Cyber security problem? • Egoism
• The Laws are relatively new and
have been already challenged in the
Do you think the government has put
Constitutional court (e.g. the computer in place processes and infrastructure
Henry Kayiza to support the private sector in
misuse act was challenged in UG vs.
Assistant Commissioner Dr.Stella Nyanzi among others) combating cyber security issues?
• Limited knowledge about cybercrime /
security Yes there are laws in Uganda:-
Cyber Crime Unit, Uganda
Police • Technological advancement is good • Computer Misuse Act
but criminals are taking advantage. It’s • Electronic Signatures Act
easier to commit ‘old crimes’ such as • Lawful Interception Act
fraud
There are also government parastatals in
What can be done to improve the place:-
situational awareness in the country? • NITA-U
• Public – private partnerships are vital to • UCC
carryout awareness campaigns. Do you personally know of a company
• Improve on the laws to close the gaps or individual who’s been affected by
that criminals are taking advantage of. cyber-crime?
• Increase expenditure on information
systems security. Yes. Several individuals, companies, banks,
NGOs, Service Providers and including
Do you think the private sector is government ministries have all reported
investing enough in cyber security? to us cases such as electronic fraud,
impersonations, defamations, unlawful
• I don’t think so because most of the
access hacking and pyramid scheme
cases I have handled, the companies
scheme fraud.
use third vendor system products which
can also be accessed by criminals to
analyse them and capitalise on their
vulnerabilities to commit crime where
they are being used.
• Private sector businesses tend to
spend less on I.T security so as to as to
minimise costs in the short run but end
up losing more in the long run.

In your opinion, what drives criminals


to commit cyber crime?
• The financial gain is high and it comes
with less physical danger

Demystifying Africa’s Cyber Security Poverty Line


28 Industry Players Perspectives

Were these cases reported to providers (mobile money platforms),


government authorities and government ministries, NGOs as
prosecuted? having most affected in terms of
the huge sums of money they lose
annually. Then individuals and savings
Yes most of the cases are reported
groups have lost more in terms of the
and prosecuted; however financial
number of cases reported and when
institutions tend to hide their cases
summed up they also make huge
preferring ‘the insurance solution’ to
amounts of losses.
reimburse their client victims so as not
to alarm their other clients.
From an African context, what
What do you think would be the would be the top priority to
best approach to address the address cyber crime across the
cyber crime issue in Africa? continent?
• Enact and harmonise laws on
The best approach is a combined cybercrime across the Continent
approach, partnerships such as borrowing from more advanced
international, regional, governmental, countries in the World but
public and private are very vital and domesticating them to the local
should be emphasized to fight this new situations.
trend of crime which is increasing at • MOUs for cooperation among
an alarming rate not only in Africa but countries should be established.
globally as well. No one can fight Cyber This is because cybercrime cuts
crime as a single entity. across borders/territories and
jurisdictions.
According to you, what is the • Invest more resources on training
most affected sector in the cyber security and investigation
country regarding cyber crime? experts.
• Public and Private Organisations to
When you say ‘most affected’, it intensify awareness campaigns.
sounds relative because you have to
consider two things:- • Investment should be increased in
securing I.T systems.
• In terms of amounts involved
• In terms of number cases
(quantity)
Therefore according to my experience;
I have cases of banks, service

Demystifying Africa’s Cyber Security Poverty Line


29

Cyber Intelligence
Statistics, Analysis, &
Trends
EAT CO
For the purposes of this report, we inspected network traffic
-THR MM
ER A inside a representative of African Organisations, reviewed contents
YB
of online network monitoring sites such as Project honeypot and
ND
C
NU

CE

reviewed information from several sensors deployed in Africa.


SERIA

NTRE

The sensors perform the function of monitoring an organisation’s


network for malware, and cyber threat attacks such as brute-
ANT

AIN

force attacks against the organisation’s servers. In an effort to


NT
ICI

• enrich the data we collected, we partnered with the Honeynet


CO
PA

•D
TE
ND
C T • R E SP O project and other global cyber intelligence partners to receive
ETE

regular feeds on malicious activity within the continent.

In this section, we highlight the malicious activity observed in the period under
review. This data represents malicious activity captured by our sensors and
publicly available intelligence.

Project Honeypot Intelligence Analysis

This section covers data from the honeynet project, a global database of
malicious IP addresses.

Demystifying Africa’s Cyber Security Poverty Line


Cyber Attack Timeline
Bank of Uganda
warns of
Cyber-attacks in
commercial Banks

Man charged with


hacking KRA and
causing Sh4b loss

Man suspected of Kenya bans ‘Blue


hacking into Whale Challenge’
Safaricom’s after Nairobi teen
systems suicide

Ministry of
Finance, Uganda
website
hacked impacting service
delivery

MAR MAY

2017
FEB APR

Detectives link
Ugandan Ronnie Alleged hacking
Nsale to Kenyan IEBC of JAMB
hacking website

Makerere system All Not So


hacked, 50 Quiet On the
students deleted Business
Fraudsters allegedly from 2017 Front As
hack Nigeria Security graduation list Cyber Crime
and Civil Defence Slowly Takes
Corps (NSCDC’s) Cyber- bullying to Shape
website earn you 10 years in
prison
Brazilian investor
operates cyber
scam in Uganda

Public Likes
scam costs
Kenyans
Ksh. 2 trillion
Personal Data
Protection Act to block
dissemination of ill
information and West African
facilitate prosecution Examinations
of cyber-crimes Council (WAEC)
website hacked Two Arrested for
Hacking Into
Centenary Bank,
Uganda, Accounts

JUL SEP

JUN AUG NOV

Uganda’s tech
regulator (UCC)
worried as foreign
hackers expand
frontiers
Ugandan editors
Nigerian Man arrested over ‘fake
Uganda Hacked Thousands news’ on alleged
ranked 7th highest of Global Oil & Gas Uganda-Rwanda
risk country Uganda’s tech and Energy Firms tension
globally regulator worried
as foreign hackers
expand frontiers

Maersk apm Uganda still


terminal systems regarded a
hacked operations 3 men allegedly high-risk nation
grounded hack bank for
account, steal Cyber-attacks.
N39m
32 Industry Players Perspectives

What is fake news? What will ultimately get brands to fight


fake news?
This in our view is false or distorted
information, or stories usually initiated on Public apathy, consumer resistance and
electronic media mostly to smear targeted mass platform boycott.
individuals or entities, gain financially or
politically advantage, or influence public Should regulator force influential
opinion. Significant information available
platforms like Google and Facebook to
on Nigerian social media contains such
deliberate, unsubstantiated and often
remove fake news and other extreme
negative content. forms of content from their platforms?

This concern is not completely applicable


Ibrahim Lamorde How did fake news become such a big
to the Nigerian context, as all level 3
problem? Internet platforms – Google, LinkedIn, Yahoo,
Commissioner of Police, Facebook, Twitter, Instagram, WhatsApp etc.
Special Fraud Unit The problem has assumed alarming are conveniently located outside Nigeria to
proportion in Nigeria due to the easy access avoid national oversight by our regulators.
Lagos, Nigeria to smartphones and Internet.There are over There is no available evidence that they
147 million registered GSM phones (mostly have shared direct investigation related
Internet capable) to quickly spread any information with Nigerian regulators or law
scandalous fake news. enforcement.

Some print and electronic media do not They and their users are also greatly averse
confirm information before publication, to any regulation or control, to sustain the
thus falling prey to planted stories, which concept of freedom of the Internet.
the undiscerning public, fascinated with
melodrama circulate. Sensational headlines
However, victims in other Countries with
improve numbers of active online visitors
strong Internet legislation have recourse
to blogs and websites, thus boosting their
to civil action against originators of fake
advertisement income.
news and the platform providers in specific
cases. Public apologies, takedown of injurious
Industry regulators do not check the vicious publications and even damages have been
circle of fake news, online followers and awarded in favor victims.
advertisement income, as practically no
sanction or deterrence has been recorded.
What happens when fake news
Some online and print journalism spreads? What actions can people
are controlled and financed by non- takes to varify news stories,
professionals, whose primary goal is to photographs and other sources of
promote personal interests not obliged to online information?
follow any ethical standard, such as editing
and confirmation of stories. Once fake news appears on any medium,
it is inevitable that it is swiftly disseminated
Anonymity of fake news purveyors is further electronically to millions of people through
enhanced by the overseas location of any of the available mainstream or social
platforms, website owners and domain name media. The story is copies and pasted on
providers, while local regulators and law other websites, becoming amorphous and
enforcement agencies possess inadequate uncontrollable. Intellectual property rights or
technical capacity to track origins of fake original source becomes opaque. The more
news posts. scandalous, disastrous or fantastic the story
appears; the faster it spreads.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 33

Verification cannot be done through What is the highest risk that we Have you ever been a victim of
any online platform at this stage, since face by moving to electronic online or mobile scam?
all search engines will only replicate
voting?
the same negative story in their
No.
top searches. Credible verification, • Hacking
confirmation or corroboration can • Rejection of electoral result by
only be safely done manually through skeptical voters Why does the cyber skills shortage
hard copy document reviews and • Disenfranchisement of illiterate need immediate attention?
comparison, direct interviews, visitations voters who are unable to utilize
and physical checks with concerned computers, tablets and smart For law enforcement, critical mass
entities. phones to vote is urgently needed to design vital
• Technical issue such as disruption, intelligence, investigation and
We do everything online - book malfunctioning of portal, software, public education strategies, as well as
doctors’ appointments, manage Internet connectivity and servers criminal databases archiving.
during voting exercise
our bank accounts and find dates
- Do you think we are ready to vote How many unfilled security jobs
What are some of the pros?
from our PCs or smartphones? are estimated to exist today?
Explain Digital bulk data is always easier to
store, retrieve, process, analyze and Unknown.
The electronic verification through the protect against theft or destruction.
digital card readers at the 2015 general How does collaboration help
elections clearly demonstrates that Why is ransomware so effective? enrich the students’ learning?
the Independent National Electoral • Practical skill acquisition for
Commission will be able to conduct Targets sometime want to pay the successful field operations.
online voting through voting machines, money demanded quickly, and avoid • Focusing on specialized areas of
PCs and smartphones in the near contact with law enforcement. comparative advantage.
future. • Task de-confliction.
We believe that ransomeware attacks in
It is however imperative to improvethe Nigeria are grossly under reported.
technical capacity of the national and
state electoral bodies to transmit, What is the possible impact of
secure, authenticate or repudiate digital
Ransomware?
signatures that electronic voting entails.
Financial and personal data loss.
Development of indigenous software
and servers required for such critical
endeavor will prevent remote backdoor Have you or know someone
access by foreign parties. you know been affected by
Ransomware?
Our telecommunication and power
infrastructure also needs to be No.
upgraded to support nationwide
electronic voting. How often do you transact using
your mobile phone?
Citizens’ education is key towards
public acceptability of electronic voting Rarely.
system.

Demystifying Africa’s Cyber Security Poverty Line


Malware
Petya
Attacks Ransomware has
spread
BankBot Trojan internationally,
Targeting Over 420 wreaking havoc.
Banking Apps
A new variant of
Hackers Steal Marcher Android
Payment Card Data sophisticated
From Over 1,150 Inter banking malware
Continental Hotels disguised as

New Malware strain Major Malware


TeamSpy Malware ‘Xavier’ hits play
targeting Linux-based
transforms store infecting
systems
Teamviewer into a 800 Android
Spying software apps.
False Guide malware

2017 JAN FEB MAR APR MAY JUN

PDF file containing


New Variant Macro Malware for
Ransomware down-
of KillDisk is MacOS users
loader
Ransomware
Torrent Locker
PowerPoint Malicious
Ransomware
Hover Vulnerability
DNSMessenger
Wannacry Ransomware
malware
affects more than
200,000 computers in
New Ransom-
150 countries
ware-as-a-service
Program, Dot Ransom-
Fireball Malware infects
ware
250 million computers

OakBot banking Trojan


harvests financial
information
Backdoor Gazer
Bad Rabbit
Ransomware
Ransom Lukitus
IoT Reaper CoinMiner
IKARUS dilapidated

JUL AUG SEP OCT NOV DEC

GhostCtrl ZeuS/ZbotPCRat/Gh0st
Android-information
Stealer Malware with Gh0st
Ransomware
capabilities CCleaner Malware:

FruitFly malware Locky Ransomware


variant. Variants

Android.Bankbot.211.o Gazer Backdoor-


rigin targeting
governments
SambaCry Variant-
CowerShell
36 Industry Players Perspectives

Kindly highlight some of the top cyber governments have not invested in proper
security issues of 2017 and how these security solutions thereby putting the
citizenry data at risk of data breaches.
issues impacted you personally, your
organisation or country?
In 2017, we had several cases of
• Attack on SWIFT Money Transfer cyber security attacks including
System ransomware attacks across the
• Ransomware Attacks
world– were you impacted by these
• Fake News
attacks?
Do you think fake news is a major
problem in Africa? Yes.

John Ayora Yes. If yes, how did you (company or country)


respond to these cases?
Director, Information Systems Who should be responsible
Security We had several cases of Ransomware
for controlling the creation
and distribution of fake news attacks across our subsidiaries. Directors
Bank of Africa Group were the main targets. We carried out
(government, end users, Telcos or
user awareness programs, upgraded and
ISPs or content owners)? updated the Windows OS, applied patches
Senegal
issued by Microsoft and issued each
Should regulators force influential director with an external hard drive to back
platforms like Google and Facebook to up their data. For the affected ones, we
remove fake news and other extreme did not recover the data as we didn’t pay
forms of content from their platforms? the ransomware. We simply issued new
computers to the affected individuals.
Yes.
Considering the shortage of skilled
What can be done to improve the resources in Africa, how can we limit
general user awareness on the the impact of ransomware cases?
detection of fake news in the country?
User awareness is key. Organisations and
Users should use traditional methods users need to carry out patching as soon
like Radio and Newspapers for news as critical vulnerabilities are discovered
verification. While online, users can follow and patches issued. It is also important
news especially on the verified accounts. that users have effective Anti-malware
applications.
Many governments in Africa are
investing in e-services (e-government, Do you think organisations are
e-voting, e-tax systems and many spending enough money on
other portals.) Do you think the African combating cyber-crime?
citizenry is ready to consume and
utilize these systems without the No.
worry of privacy, security and fraud?
What can be done to encourage more
The e-services have made service delivery spending on cyber security issues?
quicker. However, many African nations are
still not very well covered technologically. Organisations view security solutions as an
Privacy is a major concern especially expense with no real return on investment
when the e-systems are hacked. Many and this is where the problem lies. Security

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 37

solutions are an investment that is put


in place to protect the organisation’s key
resources and properties.

Based on our research the Africa


cyber security market will be
worth USD2 billion dollars by
2020. Despite this opportunity,
Africa has not produced a single
commercially viable cyber security
product or solution.

In your opinion, what should African


countries and universities focus
on to encourage innovation in the
development of cyber security
solutions?
• Invest in up to date research
centers and labs
• Send students and researchers for
exchange programs across various
countries.

What role can the private sector


and consumers of imported cyber
security products play to ensure
we can encourage local players
to start developing African grown
cyber security products and
solutions or even services?

The private sector and consumers


should give an opportunity to the
African Grown Cyber-security products
in their sectors.

In your opinion and from an African


context, what are the top 2018
cyber security priorities for African
countries and organisations?
• Invest in user training and
awareness programs
• Update and or upgrade outdated
systems, especially the non-
supported Microsoft Systems
• Invest in effective Cyber security
products and solutions.

Demystifying Africa’s Cyber Security Poverty Line


38

Threat Intelligence
The main aim of this phase was to identify active systems easily accessible online and using this
information identify areas of weaknesses and attack vectors that can be leveraged by malicious
players to cause harm.

We broke down the findings into the following sections:


• Open Ports
• Operating Systems
• Top Vulnerabilities by Application or Services

Open Ports
There is a total of 65,535 TCP ports and another 65,535 UDP ports, we examined risky network ports based on
related applications, vulnerabilities, and attacks.

65,535 TCP ports 65,535 UDP ports

TCP
PORTS
Kenya Tanzania Ghana Uganda Nigeria Namibia Mauritius

Port 80 29% 28% 24% 22% 29% 23% 26%

Port 23 19% 13% 6% 16% 10% 6% 9%

Port 443 18% 18% 15% 15% 16% 20% 20%

Port 8080 3% 9% 4% 3% 2% 3% 2%

Port 22 14% 15% 12% 10% 10% 18% 16%

Port 21 6% 7% 10% 4% 6% 11% 12%

Port 53 4% 3% 4% 18% 3% 5% 5%

Port 445 1% 1% 3% 3% 2% 3% 2%

Port 135 1% 2% 3% 3% 2% 3% 4%

Port 25 3% 2% 1% 4% 10% 5% 2%

Port 110 2% 2% 1% 2% 10% 3% 2%

Demystifying Africa’s Cyber Security Poverty Line


39

• TCP port 80, 8080 and 443 support web transmissions via fundamentally unsafe. Telnet sends data in clear text
HTTP and HTTPS respectively. HTTP transmits unencrypted allowing attackers to listen in, watch for credentials, inject
data while HTTPS transmits encrypted data. Ports such as commands via [man-in-the-middle] attacks, and ultimately
25 and 143 are also transmit unencrypted data therefore perform Remote Code Executions (RCE).
requiring the enforcement of encryption. These ports are • UDP port 22 is a common target by attackers since its
commonly targeted as a means of gaining access to the primary function is to manage network devices securely at
application server and the database. Attacks commonly the command level. Attackers commonly used brute-force
used include SQL injections, cross-site request forgeries, and dictionary attacks to obtain the server credentials
cross-site scripting, buffer overruns and Man-in-the-Middle therefore gaining remote access to the server and deface
attacks. websites or use the device as a botnet - a collection of
• TCP/UDP port 53 for DNS offers a good exit strategy for compromised computers remotely controlled by an attacker.
attackers. Since DNS is rarely monitored or filtered, an • TCP port 21 connects FTP servers to the internet. FTP
attacker simply turns data into DNS traffic and sends it servers carry numerous vulnerabilities such as anonymous
through the DNS server authentication capabilities, directory traversals, and cross-
• TCP port 23 and 2323 is a legacy service that’s site scripting, making port 21 an ideal target.

Heartbleed Vulnerability
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness
allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the
Internet.

Nigeria Kenya Ghana Tanzania Mauritius Uganda Namibia

% 27% 27% 11% 11% 9% 7% 7%

Vulnerable OS
A computer running XP today is a castle with doors flung open. Microsoft first introduced in 2001 and hasn’t supported
since 2014. Hackers have targeted XP for years. Its lack of defenses and persistent popularity make it a popular target.

Nigeria Kenya Ghana Mauritius Tanzania Uganda Namibia

% 26% 25% 18% 13% 11% 6% 1%

Demystifying Africa’s Cyber Security Poverty Line


40

Web Defacements in 2016 and 2017 Open DNS Resolvers


Nigeria was the most affected by web defacement in 2017
Open DNS Resolvers
‘16 ‘17 %change
Port 53/DNS
38% 11% -28%
Kenya Ghana
29%
Kenya
11% 23% 12% 27%
Nigeria
Nigeria
26%
2% 7% 5%
Ghana Mauritius 10%
Tanzania
3%
17% 5% -12%
Tanzania
Uganda
3%
11% 23% 12% Namibia
2%
Uganda

Lesotho
1%
2% 1% 1%
Mauritius
Why is an Open DNS resolver a bad thing?

An Open DNS Resolver is any DNS resolver that is publicly


12% 18% 6% accessible, and willing to resolve recursive queries for
Namibia
anyone on the internet. While this sounds like the good
Samaritan thing to do, the DNS protocol is one of a few
that can turn a very small query into a large response (in
2% 2% -1% both size, and required computing power). Because of this,
Lesotho
having an open resolver opens your server up to be used
in DNS Amplification Attacks.

2% 2% 4%
Ethiopia

2% 3% 1%
Rwanda

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 41

Kindly highlight some of the top cyber have the ability to remove the fake news. It
security issues of 2017 and how these is also possible to use filters and different
technologies that can assist in fixing this
issues impacted you personally, your
issue.
organisation or country?
What can be done to improve the
No formal information or statistics are
available. However, based on the informal general user awareness on the
information that I receive and my personal detection of fake news in the country?
experience, the impact of cyber security is
crippling. I think the main solution is enhancing
awareness using different mechanisms like
The following are issues that we faced in radio, TV’s, journals, magazine, telephone
2017: SMS etc both by government and private
Shimelis Gebremedhin organisations. In addition, for highly
Kassa • Compromise or misuse of personal and susceptible and sensitive organisations like
companies files/data due to malwares, financial industries, airlines, medical centers
CISA, MSCS, CEH - General Worms, viruses etc etc, the government/regulators should
Manager • Individuals personal information theft set some enforcement to create regular
(like copy of films, music, book etc) awareness on how to use their products by
MASSK Consulting PLC • Insiders attack attempted on some customers/ end users.
financial institutions of the country in
collaboration with outsiders.
Ethiopia Many governments in Africa are
• We are aware of the ransom ware
attacks which happened during May
investing in e-services (e-government,
2017,though did not impact our country. e-voting, e-tax systems and many
other portals.) Do you think the African
Do you think fake news is a major citizenry is ready to without the worry
problem in your country or Africa? of privacy, security and fraud?

Yes, to some extent. Consuming and utilizing these systems


without considering the risk of security,
If yes, who should be responsible for fraud and privacy issues is not praiseworthy.
controlling the creation and distribution Organisations often rush to implement
of fake news (government, end users, complex technologies without considering
Telcos/ISPs or content owners)? the Cyber security risks present. As a result,
most of these projects tend to be exploited
Actually, depending on the situation, by Cyber attackers to commit fraud.
everyone would bear the responsibility. End
users are usually responsible for the creation What are some of the risks faced with
and distribution of fake news, government, the introduction of government driven
Media and ISPs will take second degree e-services and do you have any examples
responsibility in relation to stopping the of these cases in your country?
distribution.
Most of the African countries including
Should regulators force influential Ethiopia are now moving to E-services
platforms like Google and Face book to without considering the security gaps and
remove fake news and other extreme attack vectors such as denial of service,
forms of content from their platforms? disruption, loss of critical customers, loss
of confidential information and loss of user
interest in general. A good example is the
In our case, regulators do not have direct
dissatisfaction created by school net and
influence on these sites. However, they
woreda net e-service projects.
can report such cases to the platform
owners (Google/Facebook) who in turn

Demystifying Africa’s Cyber Security Poverty Line


42 Industry Players Perspectives

In 2017, we had several cases of • Need to create strong collaboration In your opinion, what should African
cyber security attacks including between professionals throughout countries/universities focus on
Africa. to encourage innovation in the
ransomware attacks across the
• Establish professional security development of cyber security
world– were you impacted by associations to defend security
these attacks? solutions?
issues together and share
experiences
NO, we were not affected directly. This Cyber security is a global issue and
• Create current status security
is because of a number of reasons key no country/continent (Africa, Asia,
awareness frequently through
being lack of e-commerce, credit card Europe or America) can manage on
publications like Serianu’s journal
facilities and the strict financial policy their own. We need to collaborate.
(Africans Cyber Security Report).
that we have. Also, Cyber security not only requires
Do you think organisations are knowledge but also skill, talent and
Also, banks have enforced a number spending enough money on interest. So, engaging youngsters and
of controls that ensure loss of money combating cyber-crime? kids will improve our innovation. Further,
is reduced. For example the Limited government should organize different
amount of fund transfer/withdrawal security innovation competition and
No, most organisations invest a lot on
which was enforced. It was made encourage private investors in the area.
technology implementation without
mandatory that users had to inform considering the security aspect.
the central bank to withdraw more than In your opinion and from an African
7,500USD/200,000ETB, lengthening Based on our research the Africa context, what are the top 2018
authorization process. Limits were
cyber security market will be cyber security priorities for African
also set such that it’s only possible countries and organisations?
to withdraw from ATM terminals a
worth USD 2 billion dollars by
maximum of 10,000ETB/370USD. 2020. Despite this opportunity,
I think Ransomware will get the first
Africa has not produced a single
attention in African then, DDOS, Social
Considering the shortage of skilled commercially viable cyber security engineering, Email phishing attack will
resources in Africa, how can we product or solution. take next priority on 2018.
limit the impact of ransomware
cases?

Demystifying Africa’s Cyber Security Poverty Line


43

2017 Africa Cyber


Security Survey
The goal of the 2017 Africa report was to explore
the evolving threat landscape and the thousands
of Cyber-attacks that have been perpetrated
against individuals, SMEs and large organisations
within Africa. Cybercriminals continue to take

Africa 700
respondents
12
Industry Sectors
advantage of the vulnerabilities that exist within
systems in Africa and the low awareness levels. This
survey identifies current and future Cyber security
needs within African organisations and the most
prominent threats that they face.

About the Survey The respondents


who participated in
This survey was prepared this survey included
Academic Insurance
based on data collected technical respondents
from a survey of over (predominantly chief
700 respondents across information officers,
organisations in Africa. chief information security
Banking officers, IT managers and
This included companies IT directors) and non-
from the following sectors: Legal Advisory technical respondents
(procurement managers,
Cyber Security senior executives, board
members, finance
Professional professionals and office
Services managers). The survey
measures the challenges
Financial facing African organisations
Services and the security awareness
and expectations of their
Telecommunication employees.

Government

Others

Healthcare
Services

Demystifying Africa’s Cyber Security Poverty Line


44

Summary of Findings
According to the survey findings, 99.4% of respondents have a general understanding of what cybercrime is. With the
many advances in information technology and the transition of social and economic interactions from the physical world
to cyberspace, it is expected that majority of individuals have a general idea of what cybercrime is.

Majority of the respondents were from the 62% of the organisations allow the use of IoTs
government sector
Organisations that
Government

Banking & Financial


30% allow/utilize Cloud
Services or IoTs Tech 62%
Services 29%
lack policies to

58%
Insurance 15% govern the usage of
Cloud Services or
Telecommunication 10% IoTs Tech

Others 9%
It is paramount that organisations which have adopted
Manufacturing cloud and IoT services implement policies and
7%
procedures to govern the adoption, maintenance and
retirement of these technologies.
25% of the respondents are organisations with 1000+
employees 58% of organisations are concerned about
cybercrime
of the respondents extremely

25% are employees of


organisations with
1000+ employees
58% concerned about
cybercrime in their
organisation

0 - 100 22% The telecommunications sector experienced a


2% decrease of cybercrime in their organisations
101 - 500 25% there was a relative increase in
cyber crime in 2017

501 - 1000 28%


Banking 55% 59%

1000+ 25% Government 63% 67%


Telecommu-
nications 67% 65%

Others 48% 51%

2016 2017

Demystifying Africa’s Cyber Security Poverty Line


45

this can be attributed to two main issues: 90% of organisations spend less than US $10000
annually for cyber security. Majority of these
• Internet penetration in Africa is still low
organisations came from the Banking and Financial
• majority of people do not understand what qualifies sectors
as Cyber-crime. As such, a huge percentage of
people lack the ability to recognize a Cyber-attack spend less
when it occurs.
US $10000
90% have been impacted by cybercrime
90% on cyber security
Dont know their organisation’s
43%
90%
of the respondents have cyber security expenditure
had an impact of Cyber
crime Spend US $ 1 - 1000 22%

Spend US $ 1001 - 5000 17%


Money Lost 40%
Spend US $ 5001 - 10000 16%
System Downtime 32%
Spend US $ 10000+ 2%
All of the above 18%

Reputation damage 10% 75% of the organisations manage their entire security
functions inhouse
Financial institutions, Saccos and organisations that deal

25%
with transaction processing are the primary targets for of the respondents
the Cyber-attacks. outsource the entire
security function for
72% did not report cybercrime to the authorities their organisations
Manage Cyber Security
inhouse 75%

5%
Reported cyber crime to
the police and followed it Outsourced to Internet
Service Provider 14%
through to successfull
prosecution Outsourced to Managed
Services Provider 11%
Did not report to the police 72%
Reported to the police with
no further action 14%
Reported to the police, who
contacted me /organisation 6%
but no further action
Reported to the police, who
followed it up to successful 5%
prosecution
Reported to the police, who
followed it up but no 4%
successful prosecution

Demystifying Africa’s Cyber Security Poverty Line


46

75% of the organisations do not carry out a 72% believe that cyber crime has increased in Africa
combination of security testing techniques

28%
DO NOT think that cyber
of the respondents carry crime has increased in

25% out security testing


techniques in their
organisations Has increased in the
Africa

simultaneously last year 72%


Audits 30% Has not changed since
last year 15%
Penetration testing,
Vulnerability Assessments 25% Not much of an issue 9%
and Audits
Has reduced in the
Vulnerability past year 4%
Assessments 25%
Penetration testing 66% of the respondents do not believe that cyber
20% crime is rooted in technology

34%
of the respondents
15% of the organisations do not train their employees believed cyber crime is
on cyber security isssues rooted in technology
of organisations do not

50%
have an established Technology
Cyber security training
34%
program on cyber risks
Security Education 22%
Staff trained yearly 35%
Economic Interests
Staff trained only if (Financial gain) 17%
there is a problem 35%
Business Competition
Sabotage, IP theft 15%
Staff trained monthly 15%
Lack of Intergrity
Staff never trained 15% (Corruption) 12%

59% of organisations have a best practise policy for


40% of the respondents do not keep upto date with BYOD
cyber security news

41%
of organisations in of organisations allow

60% Africa do not keep up


to date with Cyber
security trends and
the use of
Bring Your Own Devices

attacks while

59%
I do not keep upto date 22% of the respondents
have a best practice
Specialised news sources 18% policy for BYOD
in their oganistions
Generic newspapers and
news broadcasters 16%
Social media networks
contacts 15%

Outsourced services 15%

Consulting companies 14%


Industry Players Perspectives 47

Kindly highlight some of the top cyber All institutions should have general user
security issues of 2017 and how these awareness on issues that impact them
issues impacted you personally, your through the society. They should be
organisation or country? taught how to identify fake news.

We saw attacks on systems in general, Many governments in Africa are


Information theft especially from the investing in e-services (e-government,
financial institutions and hackers going e-voting, e-tax systems and many
ahead to use this information to further other portals.) Do you think the African
cybercrime. citizenry is ready to consume and
utilize these systems without the worry
John Sergon Do you think fake news is a major of privacy, security and fraud?
problem in your country?
Ag, Chief Executive Officer People have adapted to using these
It is an issue in this country. Social media systems. However, the rapid use has
ICT Authority news is very versatile we seem not to be been without the thought, is my data
ready for it. It is hard to tell the source safe?
Kenya a lot of times. The fake news “industry”
growing and wanting to be felt. What are some of the risks we face
with the introduction of government
If yes, who should be responsible for driven e-services and do you have
controlling the creation and distribution any examples of these cases in your
of fake news (government, end users, country?
Telcos/ISPs or content owners)?
There are risks but people trust the
Every organisation should have a government with their data.
responsibility to counter fake news seen
on social media that regards them. Fake In 2017, we had several cases of cyber
news is actually a threat to organisations security attacks including ransomware
that users need to learn how to identify. attacks across the world – were you
impacted by these attacks?
Should regulators force influential
platforms like Google and Facebook to No. We were not impacted, but there
remove fake news and other extreme were reports of attacks elsewhere.
forms of content from their platforms?
Considering the shortage of skilled
Regulators should put responsibility on resources in Africa, how can we limit
these platforms for accountability and to the impact of ransomware cases?
ability to follow up on custodians on these
platforms who should be accountable Awareness and build capacity be able to
for the content they post. Regulators deal with such incidences.
should put in place mechanisms to know
from these platforms to know who these
Do you think organisations are
people are.
spending enough money on combating
cyber-crime?
What can be done to improve the
general user awareness on the
No. First of all it is very expensive and
detection of fake news in the country?
second they don’t know it is an issue to
prioritize on.

Demystifying Africa’s Cyber Security Poverty Line


48 Industry Players Perspectives

What can be done to encourage Putting in more effort in research and to produce local cyber security
more spending on cyber security development and allocating resources solutions.
issues? for this. Already existing innovation
centers should also dedicate In your opinion and from an African
Create awareness for all involved resources solely for cyber security context, what are the top 2018
stakeholders as encourage people to research and development, say a lab cyber security priorities for African
push up the agenda of why investing solely for cyber security practice. countries and organisations?
in cyber security is important.
What role can the private sector I am not in a positions to fully
Based on our research the Africa and consumers of imported cyber comment on this, but I believe
cyber security market will be worth security products play to ensure going forward there needs to be
USD2 billion dollars by 2020. Despite we can encourage local players frameworks through government to
this opportunity, Africa has not to start developing African grown private sector that cut through the
produced a single commercially viable cyber security products/solutions cyber security space.
cyber security product/solution. or even services?
Cyber security is an area we cannot
In your opinion, what should African As local consumers it is our ignore anymore, and since technology
countries/universities focus on responsibility to “Buy Kenya, Grow is always growing, people need to
to encourage innovation in the kenya”. The government also needs always catch up cyber security wise.
development of cyber security to encourage local players through
solutions? policies to ensure there is a capacity

Demystifying Africa’s Cyber Security Poverty Line


49

Summarized Findings Report – What are Cybersecurity Gaps in Africa?


*Reporting approach adopted from cyberroad-project and survey

Theme Scenario Consequence(s) Mitigation Identified Gap(s)


Limited visibility on 1. Fraudulent database Continuous monitoring of How can African companies
activities on the postings! activities within databases. improve visibility on DB
databases. activities at a cost effective
2. Loss of sensitive Limit and monitor access to and resource friendly
Database information! database.
Security manner?
Audit and review privileged
access to DB.

Compromised Unauthorized access to Audit the activities of privileged How can organisations
administrator accounts. critical systems within the users within the network. implement segregation of
organisations! duties when resources (staff)
are limited?
Privileged User
Management

Missing patches Exploitation of missing Remediation roadmaps that How can African
contribute 70% of patches to compromise ensure that critical patches are organisations maintain
vulnerabilities identified. confidentiality, integrity applied while medium and low risk a patch management
60% of these are never and availability of critical vulnerabilities are fixed within a program without exhausting
Patch mitigated. informational assets! stipulated agreed upon period. resources?
Management
Employees are trained Employees fall victims of Regular employee training How can organisations ensure
only after an incident. social engineering attacks! programs that have an employees understand
effectiveness measuring metric. the concepts taught during
awareness workshops and
trainings?

IT Training is done on IT teams lack the expertise Regular training on both How can IT teams transform
specific tools. for defensive and defensive and offensive cyber from being “tool analysts”
offensive security! security concepts. to network engineers and
architects?
Training and
Awareness
Board members Lack of visibility on actual Board training to involve How can Board members
lack cyber security cyber security posture! reporting metrics for enhanced shift from the traditional
expertise and rely on visibility that can provide a basis “oversight” role into the
standard audit reports No standard way of and guide on future decision proactive cyber security role?
to understand the measuring progress and making.
security posture of ROI on IT investments!
organisations.

Limited expertise Networks are Organisations to invest in or Where can organisations


in the country on misconfigured to allow outsource security engineers/ get specialized training on
Security Architecture/ easy manipulation and architects for network design security architecture and
Engineering skill set. system sabotage! purposes. Engineering?
Network
Security
Engineering

Demystifying Africa’s Cyber Security Poverty Line


50

Theme Scenario Consequence(s) Mitigation Identified Gap(s)


Greedy and Disgruntled Compromise of Audit and monitor activities of How can African
employees are being administrator accounts privileged accounts organisations share
recruited by cartels to information on malicious
launch attacks Privilege escalation insiders?
Insider Threats
Malicious transaction Segregation of duties
posting
Develop a user access matrix
Data exfiltration
Sabotage of critical
systems

Multiplicity - Remote Compromise of Multiplicity as an Indicator of


Access to critical confidentiality, Integrity Compromise – Establish a
system after business and Availability baseline for what is normal.
hours goes undetected
Continuous
Monitoring
Velocity – Multiple failed Compromise of Velocity as an Indicator of
logins to critical system confidentiality, Integrity Compromise - Establish a
within a short period of and Availability baseline for what frequency is
time goes undetected normal for the organisations.
by security teams

Volume – Bulk Compromise of Volume as an Indicator of How can African


transactions go confidentiality, Integrity Compromise - Establish a organisations establish a
undetected by security and Availability baseline for what number, baseline for what “normal” is.
teams bandwidth or utilization metric is
normal for the organisations.

Limits - Security Malicious postings of Limits as an Indicator of


personnel are unable transactions Compromise - Establish a
to determine a baseline baseline for what threshold is
for understanding normal for the organisations
limits as an indicator of
compromise.

Demystifying Africa’s Cyber Security Poverty Line


51

Inter Industry Analysis - Africa

SECTOR Banking and


Financial Telecommu- Other
Services Government nication Industries

YEAR ‘
16 ‘17 ‘
16 ‘17 ‘
16 ‘17 ‘
16 ‘17
Been victims of any 55% 59% 63% 67% 67% 65% 48% 51%
cybercriminal activity
in the last 5 years;
Through work

Organisations spending 33% 30% 45% 45% 30% 27% 48% 50%
below $1,000 USD
annually on cyber
security

Organisations with 63% 55% 58% 58% 71% 71% 40% 48%
Cyber Security
managed In-house

Yearly training staff on 39% 45% 45% 47% 55% 57% 38% 33%
Cyber Security risks

Organisations that 20% 26% 60% 61% 49% 40% 60% 60%
allow Bring Your Own
Devices (BYODs)
usage

Organisations who 30% 35% 74% 74% 60% 56% 57% 55%
lack BYOD policy

Organisations utilizing * 46% * 43% * 40% * 58%


Cloud Services or
Internet of Things Tech
(Big Data Analytics)

Organisations * 35% * 71% * 54% * 54%


which lack an IoT
and Cloud Policy

* No statistical analysis done in 2016 on this section.

Demystifying Africa’s Cyber Security Poverty Line


52 Industry Players Perspectives

Kindly highlight some of the top cyber What can be done to improve the general
security issues of 2017 and how these user awareness on the detection of fake
issues impacted you personally, your news in the country?
organisation or country?
We need more campaigns that incorporate
Senegalese companies seldom share the Cyber awareness from as early as primary
Cyber security issues that they face. The and secondary school. We also need to
rare cases known to the general public are create a culture and sense of responsibility
those on whom legal action has been taken by the media and information sector actors.
and for which media is aware.
Many governments in Africa are
Of these cases we can mention the case of investing in e-services (e-government,
Baidy Sy
a high school student named Assane Lopy e-voting, e-tax systems and many
charged for fraudulent intrusion into bank other portals.) Do you think the African
Associate Director accounts. citizenry is ready to consume and
Digital Transformation and utilize these systems without the worry
In early 2017, one of the major banks in
Cybersecurity Lead of of privacy, security and fraud?
Senegal called CBAO GAWB fell victim to a
Finetech Groupe vast network of cyber criminals aided by an
African citizens are actually ready to fully
insider that resulted in brand erosion and
Senegal digitize their operations. However, limited
financial loss.
knowledge and training has provided
opportunities for cyber criminals to exploit
Do you think fake news is a major vulnerabilities and weaknesses in these
problem in Africa? digitized platforms. Most of the crimes
committed against these systems include
Fake news is currently one of the biggest data leakage, defacement and fraud.
nuisances of the cyber space, especially in
the online press and social networks. In 2017, we had several cases of cyber
security attacks including ransomware
If yes, who should be responsible for attacks across the world– were you
controlling the creation and distribution impacted by these attacks?
of fake news (government, end users,
Telcos or ISPs or content owners)? During the WannaCry attack, Senegal was
affected 4 hours after the first case was
First of all there should be a state regulator detected. As mentioned earlier, it is possible
in-charge of following up and investigating many more companies were affected but
such cases. In Senegal for example, a due to the low rate of information sharing,
new press code was voted in the National many did not report.
Assembly this year after eight years of
negotiations. One point, in particular, was
Considering the shortage of skilled
blocking the discussion: specific measures
resources in Africa, how can we limit the
of deprivation of liberty for press offenders
resulting in possible “liberticidal” shift from impact of ransomware cases?
professionalism. This code also gives rise
to better supervision of the online press, Beyond the skills, African countries should
as Senegal has more than 200 news sites. invest more in raising awareness and training
Most online sites tend to pick information end-users who are, as always, the weakest
from other media - without citing them. link of the chain. Offline backups, Disaster
Others simply broadcast “fake news” and Recovering Plan and Business Continuity
unsubstantiated rumors. Plan are also important.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 53

Do you think organisations are Based on our research the Africa In your opinion and from an African
spending enough money on cyber security market will be context, what are the top 2018
combating cyber-crime? worth USD2 billion dollars by cyber security priorities for African
2020. Despite this opportunity, countries and organisations?
Not enough unfortunately. Africa has not produced a single
commercially viable cyber security The top 2018 cyber security priorities for
What can be done to encourage product or solution. African countries are to:
more spending on cyber security
• define a national cyber security plan.
issues? In your opinion, what should African • create a national cyber security
countries or universities focus on agency.
Train security managers and directors. to encourage innovation in the • set up a national CERT (Computer
development of Cyber security Emergency Response Team).
Educate the technical teams on how to solutions? • identify and protect national critical
communicate to the Board of Directors infrastructure.
to show return on investment for Cyber In my opinion, African countries must • awareness and training.
Security spending. invest in university training and research
centers specializing in Cyber security.
They also need to develop national
cyber security cultures.
54

Inter Country Analysis - Africa

Country
Kenya Uganda Tanzania Nigeria Ghana

% of organisations who
Conduct Regular 64% 60% 55% 50% 55%
Training of Employees

% of organisations
who allow Bring Your
Own Devices (BYODs)
73% 62% 67% 65% 67%
usage

% of organisations
who lack BYOD 48% 58% 60% 50% 58%
policy

% of people who
have experienced 72% 40% 32% 80% 30%
cyber crime

% of successful
prosecutions per 11% 4% 6% 4% 4%
country

% of organisations who
have Zero (0) budget
allocation for cyber 10% 15% 13% 43% 43%
security products

Demystifying Africa’s Cyber Security Poverty Line


55

Trend Analysis - Africa

Country
Kenya Nigeria Ghana Tanzania Uganda

Year ‘
16 ‘17 ‘
16 ‘17 ‘
16 ‘17 ‘
16 ‘17 ‘
16 ‘17
% of organisations who
Conduct Regular 58% 64% 40% 50% 48% 55% 45% 55% * 60%
Training of Employees

% of organisations
who allow Bring Your
Own Devices (BYODs) 62% 73% 56% 65% 61% 67% 56% 67% * 62%
usage

% of organisations
who lack BYOD
policy
49% 48% 53% 50% 59% 58% 61% 60% * 58%

% of people who
have experienced
cyber crime
71% 72% 37% 80% 20% 30% 64% 32% * 40%

% of successful
prosecutions per 3% 11% 7% 4% 1% 4% 9% 6% * 4%
country

% of organisations who
have Zero (0) budget 6% 10% 41% 43% 42% 43% 11% 13% * 15%
allocation for cyber
security products

* No statistical analysis done in 2016 on this section.

Demystifying Africa’s Cyber Security Poverty Line


56 Industry Players Perspectives

Kindly highlight some of the top cyber Regulators may not be well positioned to
security issues of 2017 and how these force takedowns on platforms that they
do not regulate. Communication regulatory
issues impacted you personally, your
bodies in Africa regulate traditional
organisation or country. media, but have no jurisdiction to regulate
Facebook, a foreign company. So they can
Ransomware and particularly Wannacry force local media houses to take down a
have made the most noise in cyber security fake story from their websites, but they
in 2017. But from our own experience, it is cannot ask Facebook to take down a fake
social engineering, very sophisticated ‘spear story. Communication service providers
fishing’ or ‘whaling’ (like phishing but aimed at in East Africa are regulated by the
bigger fish- senior execs) that has bothered Communication Authority (CA) of course,
us the most. This constant barrage of
Ben Roberts emails, instant messages, phone calls, to
but the service providers are completely
technically unable in any way to selectively
Chief Technical Officer get people to give up their passwords block content, web pages, hashtags on any
voluntarily, is there all the time and is often of the social media or international news
good enough to fool very savvy smart sites. So the CA would be unable to force
Liquid Telecom Group
people. An IT manager can secure his own service providers to block content, since it is
company systems, only to find that people in totally impossible to do so.
Kenya the organisation are using personal Gmail, or
Skype, they get hacked and causing damage
What can be done to improve the
within the corporate organisation. The
general user awareness on the detection
motive for this kind of phishing is normally to
conduct direct monetary theft.
of fake news in the country?

All of us are responsible to assess


Do you think fake news is a major information before passing it on; think about
problem in your country or Africa? the source and whether we trust it, and
whether the information seems feasible.
Yes. It’s easy to blame media, or social media
platforms for fake news, but in fact society is
If yes, who should be responsible for to blame. Just before the Kenyan elections,
controlling the creation and distribution I came across really good campaign from
of fake news (government, end users, Facebook about how to spot Fake news. It
Telcos/ISPs or content owners)? had 10 points of indicators that something
might be fake news. It was a really good
Fake news has made headlines globally. campaign from Facebook, and its targeting
But we need to distinguish between what’s towards Kenyan audience was well meaning.
fake and what is not, and global leaders I republished the campaign on Twitter under
need to communicate responsibly. But yes, hashtag #dontfwdfakenews, the important
fake news in East Africa, particularly Kenya message was, if it looks like fake news, it’s
(where I live) has been terrible this year, probably fake news, and don’t forward fake
with the election season that has taken news.
place. WhatsApp was the worst platform
for circulating of completely fake news, Many governments in Africa are
but the traditional media did a poor job on investing in e-services (e-government,
responsible election coverage. e-voting, e-tax systems and many
other portals.) Do you think the African
Should regulators force influential citizenry is ready to consume and
platforms like Google and Facebook to utilize these systems without the worry
remove fake news and other extreme of privacy, security and fraud?
forms of content from their platforms?

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 57

African society may not yet have We were not impacted by ransomware What role can the private sector
gained full trust in e-services, from at Liquid Telecom in 2017. But let us not and consumers of imported cyber
e-government to e-commerce. As pinpoint. I would consider myself a highly
security products play to ensure
they get used to using such services skilled experienced ICT professional,
and noticing improved service delivery, with long experience of leadership we can encourage local players
then the trust will grow. E-government in technology. Yet in 2013 I picked up to start developing African grown
services are almost certain to be more a ransomware from a downloaded cyber security products and
accurate, more transparent and more Trojan and totally got my hard drive solutions or even services?
efficient than existing manual systems wiped. Just from my own carelessness,
which are often flawed with loopholes and lack of up to date antivirus tools I would refute that statement.
leading to inefficiency, corruption and employed by my highly skilled IT
financial loss. department in London. Thawte, a security certificate company
founded by South African Mark
What are some of the risks we face Do you think organisations are Shuttleworth in South Africa was
with the introduction of government spending enough money on a security company specializing in
driven e-services and do you have combating cyber-crime and what certificates for secure communications.
any examples of these cases in your can be done to encourage more Thawte was sold to Verisign for $575
country? million in 1999 making Thawte the first
spending on cyber security issues?
African tech Unicorn. African innovators
The main risk in implementing should be inspired by Mark, and look
Organisations are yet to understand to create cyber security solutions that
e-government is having pushback what they should be spending on
from cartels that are benefitting from are well placed to deal with cyber
combatting cyber-crime, and even security issues in Africa at a price and
corruption networks. If we look at where to spend it. Cyber Security and
the technologies, E-government, IoT, service level that is good for the local
associated risks need to be understood market. What about a WhatsApp bot
Blockchain and big data, they have at board level, since the average
the ability to totally transform and that you can add to your groups that
cost of the impact of a cyber breach will spot and delete fake news? African
eradicate most forms of corruption, if (estimated 1.3M$ per breach in US
implemented properly. But those cartels innovators need to start with a problem
in 2017), is enough to bankrupt many then go out and solve it.
that profit right now may do their best companies. But there are ways to be
to frustrate the implementation of smart about Cyber security spending.
technology that will cut off their income. Deploying systems in trusted public In your opinion and from an African
cloud, may likely be more cost effective context, what are the top 2018
In 2017, we had several cases of than managing the risks of deploying cyber security priorities for African
cyber security attacks including your own security on your premises. countries and organisations?
ransomware attacks across the Cyber breach insurance will be a
world–were you impacted by these growing product that companies should My top 3 priorities are, education,
attacks? consider. education and, education. All
companies need to do their best to
Based on our research the Africa cyber make sure the whole organisation
If yes, how did you (company or
security market will be worth USD2 understand and are aware of cyber
country) respond to these cases? security, both at home and at work. IT
billion dollars by 2020. Despite this
opportunity, Africa has not produced a departments and Infosec officers need
Considering the shortage of skilled single commercially viable cyber security to be educated to the highest level, but
resources in Africa, how can we limit product/solution. Cybersecurity, just like physical security,
the impact of ransomware cases? is the responsibility of every member of
In your opinion, what should an organisation.
African countries and universities
focus on to encourage innovation
in the development of cyber
security solutions?

Demystifying Africa’s Cyber Security Poverty Line


58

Cost of Cyber Crime


Estimating the Cost of Cyber Crime for the
Countries in Scope
Cost of
As internet and device penetration in Africa rises, so does the rate cyber-attacks
of cybercrime. Individuals, groups and countries with malicious
intent are now targeting sensitive information generated by
different organisations/entities. Past estimates of the cost of
cybercrime have failed to address the breadth of the problem and
have not been able to provide a justifiable estimate of economic
impact. In this section, we look more closely at the cost of
cybercrime in Africa and try to gain better insights of the costs to
$3.5B
annually
the African economy.

From our research and analysis, we estimate that Cyber-attacks cost African businesses $3.5 Billion. Further analysis of
cost of Cybercrime for the countries; Nigeria, Kenya, Ghana, Uganda and Tanzania was estimated at $1.078 Billion a year,
which includes direct damage and loss, post-attack disruption to the normal course of business and reputational loss.

Analysis A significant proportion of • Costs as a consequence


Methodology the $ 1.08 Billion losses is of cybercrime, such as
attributed to insider threats, direct losses and indirect
Our analysis is based
on information in the
The traditional forms which we estimate at $216 costs such as weakened
Million (50% of all direct competitiveness as a
public domain, law of crime committed costs) and result of intellectual
enforcement and $352 Million (33% of property compromise.
economics experts
over electronic overall costs) per annum. • Costs in response to
from a range of public communication In all probability, and in cybercrime, such as
and private-sector line with our worst-case compensation payments
organisations and our networks and scenarios, the real impact to victims and fines paid
of cybercrime is likely to be
tremendous knowledge information systems much greater.
to regulatory bodies.
of numerous cyber • Indirect costs such as
security attacks in the and crimes unique to reputational damage to
As for measuring costs,
region. electronic networks, this report decomposes
firms, loss of confidence
in cyber transactions
With this said, the e.g. attacks against the cost based on these 4
categories:
by individuals and
businesses, reduced
boundary between information systems, • Costs in anticipation public-sector revenues
traditional crime and
cybercrime remains denial of service and of cybercrime, such and the growth of the
fluid. Therefore for our as antivirus software, underground economy.
research, the term
hacking. insurance and
cyber-crime refers to: compliance.

Demystifying Africa’s Cyber Security Poverty Line


59

Total Cost of cyber attacks Breakdown of Direct Cost of cyber attacks

Cost of
cyber-attacks
$431 Million
Compensations to
Victims of Breaches 43% $185M

Money withdrawn 43% $185M


$1.078B from victim accounts
Investigation and
annually Remediation Costs 14% $61M

Direct Cost $431 Million 40%


Types of Cyber Crime by Cost
Indirect Cost $647 Million 60%
$216M - 50%
$136M - 21%
Breakdown of Indirect Cost of cyber attacks Insider Threat
$352M - 33%

$95M- 22%

$647 Million Attacks on Computer


Systems (Unauthorized
$201M - 31%
Access and Malware) $295M - 27%

Technical Controls 47% $304M $43M - 10%


$123M - 19%
Security Consulting 22% $142M Social Engineering
Services and Identity Theft $166M - 15%
Loss of trust in
e-services 16% $103M $30M - 7%
$78M - 12%
Training 11% $72M Email Spam &
Phishing $108M - 10%
Reputational Damage 3% $20M $30M - 7%
Insurance and $45M - 7%
1% $6M
Compliance Costs Data Exfiltration
$75M - 7%

$17M - 4%
$65M- 10%
Online Fraud
Scams $82M - 8%

Direct Loss Indirect Loss Total Loss

Demystifying Africa’s Cyber Security Poverty Line


60

Cyber crime cost for Industry Analysis Type of cost: Direct/indirect costs.

1. Insider threat
23% 2. Investments in technologies to detect and prevent
Banking & Financial $248M cybercrimes such as Antivirus, SIEM Tools, IDS/IPS.
Services
3. Banking malware (Keyloggers and other malware)
4. ATM Skimming
19% 5. Audit and compliance with regulators
Government $204M
Cost of Cyber crime to African Governments
$ 16%
19%
E-Commerce $173M
Government $205M
13%
Source: Reported losses resulting from:
Mobile based
transactions/ $140M
e-commerce/e-payment
1. Tax fraud
11% 2. Benefits fraud
3. Local-government fraud
Telecommunications $119M 4. Website defacements and
5. Ransom demands
18%
Other Sectors/
Although we have used the most up-to-date information
Industries $194M available, we believe that this is an underestimation of the
total level of cybercrime against government systems.
With many cases of tax evasion being reported such
TOTAL 100% as the panama papers scandal, we believe that African

$1B governments are losing much more.

Cost of Cyber crime to E-commerce


Breakdown of the Statistical Analysis per Industry
$ 16%
For our statistical analysis, we computed the number
of reported incidents *the average cost of an incident E-commerce
$173M
*estimate number of under-reporting (we estimated that
only one in 15 incidents are reported i.e. 7%). Type of cost: Direct cost

Cost of Cyber crime to Banking Sector 1. Online fraud


2. Credit card fraud
23% 3. Social Engineering

Banking & Financial $248M


Services

Demystifying Africa’s Cyber Security Poverty Line


61

Cost of Cyber crime to mobile based Cost of Cyber crime to other sectors
transactions
18%
13% $194M
Other Sectors/

Mobile based $140M Industries

transactions/ e-com-
merce/e-payment Source: Information from budget declarations, investments
analysis and interviews with aviation experts.
Type of cost: Direct consequence of cybercrime. These
were: Type of Cost: Costs in anticipation of cybercrime, such as:
1. SIM Card Swiping 1. Antivirus software and endpoint protection
2. Social Engineering 2. Cyber insurance,
3. Insider Fraud 3. Adoption of NED (network extension device) solutions
4. Applying encryption standards
Cost of Cyber crime to Telecommunication 5. Securing communication technologies such as the
Sector flight management system (FMS).

11%

Telecommunication $119M

Type of cost: Direct/Indirect cost

1. Advanced Persistent threats


2. Spam
3. DoS

Demystifying Africa’s Cyber Security Poverty Line


62 Industry Players Perspectives

Do you think Cyber security is a major i. Provide a conceptual structure for


problem in Uganda/Africa? guiding information security activities

Yes. ii. Provide a common risk based


approach for addressing information
security issues
If yes, what do you think is the main
cause of the Cyber security problem?
iii. Secure Government of Uganda
information and other assets
Yes, Cyber security is a major problem in
Africa in general and Uganda in particular.
iv. Improve understanding of
information security risk, roles and
The main causes of the cyber security responsibilities
Arnold Mangeni problem are;
• Governance. In Uganda’s public sector v. Guarantee information security
Director, Information Security cyber security is still not on the agenda compliance by critical national
of top management. There is lack of information infrastructure operators
National Information accountability for and treatment of
Technology Authority Uganda cyber security as a corporate – level vi. Improve information security
(NITA-U) risk. There are no personnel with cyber governance and the environment
security responsibilities and majority of
Uganda end users lack adequate awareness, The framework encompasses the domains
education as well as training. of Governance, Information security,
• Institutions lack cyber security Physical security and personnel security.
strategizes and policies to guide Below is a brief on what each domain
matters cyber security. Security addresses;
incidents are not reported both
internally and externally. Cybersecurity i. Governance; Structures must be
is more reactive than proactive. created to enable people perform
• There is inadequate skilled cyber specified roles and responsibilities.
security professionals to continually The first step, thus, is to ensure that
meet the cyber security needs in the organisations create clear structures
country to enable staff at all levels to
perform information security & risk
• Inadequate risk assessment and
roles effectively.
compliance of organisations

What can be done to improve the ii. Information Security; Organisations


situational awareness in the country? must protect both the information
they handle internally and that which
they share with external partners.
4. First and foremost at the heart of
Assuring the confidentiality, integrity
improving the situational awareness
and availability of information is a
in the country has been the National
corporate-level concern because
Information Security Framework
security incidents threaten
(NISF). A framework that places cyber
organisational reputations, legal
security at the top of the agenda of
positions and the ability to conduct
top management. Organisations, must
business operations.
assume accountability for and treat
information security as a corporate –
level risk.

Ultimately the NISF seeks to achieve the


following amongst others;

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 63

iii. Personnel Security; Employees i. Enhancing private public 8. Make the most out of our
are the most important asset partnership in development of international and regional
for any organisation. However, cyber security capacity; collaboration on cyber security
staff could also be potent threat with a number of liked minded
sources and actors. Indeed, ii. Ensuring trust and confidence of organisations and governments.
changes in national information citizens in the use of Information These include; Korea Internet
security policies worldwide have Technology enabled services; Security Agency (KISA), the
roots in high-profile accidental Government of Estonia, International
and deliberate disclosures of iii. Taking into consideration Security Forum (ISF), Global
sensitive national security and international collaboration due to Forum on Cyber Expertise (GFCE)
personal information. Therefore, the borderless nature of cyber , amongst others. Out of these
it is vital to reduce the likelihood space; collaborations is skilling of our
of staff exploiting legitimate information security professionals,
access to critical infrastructure iv. Promoting a culture of cyber technical support, information
facilities, sites, information and security across all levels of sharing, amongst other benefits.
staff for unauthorised use. society;
Personnel security is important 9. Maximize the benefits from the
in the context of defending the National Information Security
v. Promoting continuous
cyber supply chain against State Advisory Group (NISAG), whose
improvement in cyber security
and industrial espionage threats. mandate is to advise, protect and
and;
respond to the nation’s critical
iv. Physical Security; Managing infrastructure, we are achieving
vi. Promoting responsibility and
unauthorised physical access, collaboration with the private
action amongst CII operators
damage, and interference sector who run majority of the
as regards Cyber Security
to information, premises and nation’s critical infrastructure. This
readiness.
resources by a range of physical ensures robust Cybersecurity
security threats including crime, implementations.
7. Utilize the national Computer
espionage, natural disasters
Emergency Response Team /
and acts of terrorism, must be Do you think the private sector is
Co-ordination Center (CERT / CC)
of paramount importance to investing enough in cyber security?
(established in 2014) to:
organisations. Physical security
also protects personnel against
i. Ensure the protection of the Naturally, the private sector investment
violence and other sorts of harm.
nation’s Critical Information is guided by amongst others, the
Infrastructures through incident principal of return on Investment
5. Education, training and awareness (ROI). In the private sector, security
management amongst other
sessions are routinely being carried professionals are still struggling
measures;
out. Plans are underway to carry out to demonstrate business value of
massive nationwide awareness and investment in security to senior
training for the Financial Year 17/18. ii. Assist in drafting the overall plan
on the country’s approach to management. Management would be
cyber security related issues; and more willing to deal with consequences
6. Adoption of the National Cyber than mitigations. This is heavily affecting
Security Strategy (NCSS) which has private sector investment in cyber
been drafted following the revision iii. Serve as a focal point for further
security.
of the National Information Security building and implementing
Strategy (NISS). The NISS was the National Culture of Cyber
security. In your opinion, what drives
implemented in 2011, to address
matters of Information Security.
criminals to commit cyber-crime?
Currently the NISS has been revised The National CERT/CC is complimented
to establish the NCSS. The guiding with sub sector CERTs to cater i. Monetary gain; like is the case
principles for the National Cyber for constituents that have unique with many crimes committed
Security Strategy include but are requirements for example, the outside the internet, financial
not limited to the following: communications and telecom sector. gain is a big motivator for many
cyber criminals. Case in point; the

Demystifying Africa’s Cyber Security Poverty Line


64 Industry Players Perspectives

Ransomware attackers that were c. The Computer Misuse Act (2011) 6. Establishment of the Uganda Police
asking for payment in Bitcoin, to prevent unlawful access, abuse Cyber Crime Unit, whose is to;
banking systems that are hacked or misuse of information systems
a. provide enforcement of cyber
into. including computers and to make
security related laws
provision for securing the conduct
b. provide efficient cybercrime
ii. Hacktivism; activists have of electronic transactions
investigation
increasingly taken to breaking into in a trustworthy electronic
c. ensure collaboration with similar
computer systems demonstrate environment.
international institutions
for political or social causes.
2. National Information Security Do you personally know of a
iii. Industrial Espionage; illegally and Advisory Group (NISAG). This NISAG company or individual who’s been
unethically obtaining confidential encourages collaboration between affected by cybercrime?
information from competitors public and private stakeholders
with the intention of using to ensure robust Cybersecurity is
Yes
the said information to gain a implementated.
competitive edge.
Were these cases reported to
3. The National Information Security
Framework (NISF) with its 6 security
government authorities and
iv. State Espionage; State
standards; prosecuted?
sponsored cyber espionage is
becoming a common occurrence
a. SS1 - Technical Risk Assessment Yes.
and is being used as a form of
b. SS2 – Risk Management &
intelligence gathering.
Accreditation The Computer Misuse Act (2011) has so
c. SS3 – Security Classification far been used to prosecute a number
Do you think the government d. SS4 – Personnel Security of cybercrime cases.
has put in place processes and e. SS5 – Physical Security
infrastructure to support the f. SS6- Incident Management
Some Notable case below:
private sector in combating cyber The NISF incorporates risk management
security issues? as a delivery area within the Uganda v. Sentongo & 4 others criminal
executive management (both public session case 123 of 2012) [2017]
Yes, included among the initiatives is; and private enterprises) provides a UGHCACD 1 (14 February 2017)
strong foundation for cyber security
1. An Enabling legal and Regulatory implementation covering the areas of Electronic fraud C/S 19 of the Computer
environment. Included are the cyber people, process and technology. Misuse Act, 2011
laws;
4. Capacity development on the Unauthorized disclosure of access
a. The Electronic Transactions application of the cyber laws for codes C/S 17 of the Computer Misuse
Act (2011) to make provision both investigating and prosecuting Act, 2011.
for and to regulate the use officers. Application of these cyber
of electronic signatures, to laws should be guided by adhering to Court ruled that “For an offence to
provide for the use, security, principles of digital forensics as well be committed, the disclosure must be
facilitation and regulation of as chain of custody. unauthorized and likely to cause loss.”
electronic communications and
transactions; 5. Through the CERT/CC Identification What do you think would be the
and prioritization of key resources
best approach to address the
b. The Electronic Signatures Act is being done. This is aimed at
(2011) to encourage the use of improving the country’s security,
cyber-crime issue in Africa?
e-Government and to make resilience, operational capacities to • Enabling environment. Enact laws
provision for the safety and effectively manage and respond to and regulations to comprehensively
security of electronic transactions cyber incidents as well as protect address Cyber issues. This should
and information systems; and against ever persistent threats. be reinforced with awareness and

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 65

support through initiatives like (the Convention) adopted in July


capacity building for investigating, 2014. Unfortunately only Senegal
prosecuting and judicial officers. has ratified the convention out
• Actively support institutions of the required 15. If ratified this
with a role and mandate to play convention will go a long way in
in the cyber-crime prevention the harmonization of the African
ecosystem. For example, Police, Cybersecurity policies.
Judiciary, sector regulators. • Harmonization of the cybercrime
This support can be in form of laws at regional and continental
financial resources or other forms level.
of resources, collaboration, and • Establishment of missions
capacity development. to strengthen police and law
• Promotion of a culture of good enforcement capacities in
practices like responsible sharing, handling, investigating and
reporting of incidents, education prosecuting cybercrime.
and awareness, amongst others. • Provision of mutual Legal
• Encourage and focus on Assistance
cooperation and collaboration »» Collaboration during amongst
(domestic, regional, and others:
international) amongst the various »» Investigations
stakeholders. »» Prosecutions
»» Capacity building
According to you, what is the »» Bench marking
most affected sector in the »» Formulation of laws
country regarding cybercrime? »» Incident response
• Establishment of regional cyber
• Banking and Financial Services
security centres to address the
• Telecommunication
escalating cyber threats
• Government

From an African context, what


would be the top priority to
address cybercrime across the
continent?
• African states need to work
closely and directly through the
African Union and other regional
frameworks to implement
enhanced measures for
cooperation, mutual assistance
and coordination among security
agencies, prosecutors and judges.
• A positive step was made
during the development of
the AU convention on Cyber
Security and Data Protection

Demystifying Africa’s Cyber Security Poverty Line


66

Sector Ranking
Banking

Banks are top on our list of risk by


sector. These institutions face two
main issues: On one hand, they Government
are increasingly being targeted
by attackers and on the other,
those who are attempting to stay African government have
ahead of the attackers are pulled automated most of their
back by malicious insiders and too systems: - IFMIS in Kenya,
many “false positives”. This means online visa applications,
issues being flagged that aren’t e-government platforms. Financial
actually fraudulent activities, This shift has made the Services
taking up valuable analyst time. government to become a
This year more attacks targeting prime target for Cyber-
attacks. These systems In 2017, the number
banks ranging from insider
hold vast amounts of of successful attacks
threats to spear phishing and
personal data, process launched against financial
ransomware attacks were noted.
vast amounts of services doubled. Sacco’s,
Banks are getting hit through their
transactions making them Cooperatives and
web applications, Internet and
a lucrative attack point for microfinance institutions
Mobile banking platforms. While
attackers. Although the have seen rapid growth
the attack vectors may differ, the
government has heightened in Africa, however, these
execution of the attacks often
Cyber monitoring and institutions, for the longest
the same. It is paramount that
surveillance mechanisms, time, have not prioritized
local banks continue to sharpen
there is still need for Cyber security. This has
their Cyber resilience capabilities
security awareness, made them a popular
in order to Anticipate, Detect,
hardening of systems target for Cybercriminals.
Recover and contain Cybercrime.
and implementation of Larger institutions have
policies and laws around invested more in Cyber
Cybercrime. security in comparison to
smaller institutions hence
making them an easier
attack target.
67

Cyber security is no longer a concern for the financial & banking sector only. As the adoption of
Internet use and automated services increases across various industries, Cyber security comes along
as part of the package. In Africa, as in the rest of the world, there have been instances of Cyber
compromise, attacks and attempts that have raised Cyber security to a critical level. Cyber security
keeps metamorphosing across a wide range of fields. Here is a most current ranking of different
sectors facing different Cyber risks.

Mobile
Money

The revolution of Mobile


Money in Africa comes with
unprecedented levels of
fraud. Of the top twenty (20) Hospitality &
countries in the world that Retail
are leading in mobile money
usage, fifteen (15) are in
Africa. These services have The hospitality industry is primarily
been integrated fully into client facing and as such deals with
numerous platforms such a great deal of sensitive customer
as banking, insurance and information. Processes ranging
e-commerce, among others. from reservation details, payment,
Unfortunately, the adoption travel, personal information are
of these technologies has now automated and we are seeing
not been supplemented by introduction of services such as digital
secure controls, with most conference facilities, smart room
mobile money applications keys and mobile applications which
lacking basic security controls enable the client to perform a wide
such as encryption of data. range of otherwise manual processes.
However, information security aspects
tends to be neglected as most of the
focus is on automation. This leads
to a myriad of risks ranging from
information theft, data breaches and
credit card theft. Malware targeting
these businesses are now being seen
in POS (point-of-sale) terminals to
steal credit card data and targeted
attacks against hotel systems to
steal confidential data. This has both
financial and reputational impact on
these organisations as customers
quickly lose trust in them.
68 Industry Players Perspectives

In your opinion, what are the key point of security weakness. Based on this,
cyber security issues facing Kenya/ ransomware was a big issue. The increase
in number and nature of attacks was a
Africa, what is being done to address
cause of worry to many organisations.
these issues and what is the best way Two technologies have emerged in recent
forward?. years to mitigate the risks of malware and
other malicious behavior on PCs and mobile
I regard the following as the significant risks devices. Endpoint Detection & Response
with respect to Cyber Security:- Denial (EDR) software complements antivirus
of Service, Supplier Compromise due to software on PCs and uses machine learning
inherent weaknesses with our partners, to identify and stop malicious behavior
Securing our assets in the era of digital (e.g., ransomware). And with the growth
explosion, theft/loss of information, IP or of “mobile first” strategies, organisations
corporate data and lastly system or data
Kenneth Ogwang manipulation.
need to respond to growing mobile threats.
Mobile Threat Defense (MTD) software also
CIO uses machine learning to identify and stop
It is not helpful to look at these in isolation. malicious behavior.
East African Breweries Ltd Firstly, an organisation needs to have a
broad Cyber Security strategy that then In addition, with all the automation
informs the execution of the plans. Overall, happening in Industries, a major area of
Kenya
the ownership of Cyber Security and her concern is on Operational Technology
inherent risks need to lie at the highest level (OT) which encompasses industrial control
either at the board level or within the Senior systems. This is at the heart of the Supply
Executive Leadership Team. This is to ensure Chain Operations of any organisation
that the funding and drive is made at the and more focus is needed to address the
right level with the right agility in terms of growing number of cybersecurity breaches
execution. in OT. I will refer to an article where a petro
chemical company was hit by a Cyber-
All this is in the context that Cyber Security attack. The aim of the attack was to trigger
is not an IT responsibility but since it is an an explosion. The implications of this are
enterprise wide risk, then the appropriate huge. To address this growing threat, we
ownership within the business must be are seeing that information cyber-security
established. IT though remains a significant is beginning to merge with OT security
partner in terms of driving the agenda as to ensure the availability and integrity of
the expertise on such matters usually rests manufacturing processes.
with IT. It is important for the IT teams to
demystify Cyber Security and break it down On a personal front, I still meet several
in the simplest of terms. people with default WiFi passwords at their
homes. If you consider that you connect
One cannot take ownership of something your TV (some with camera), Mobile devices,
one may not comprehend and therefore CCTV equipment on that, you can imagine
cannot measure. how much information can be stolen if it
is hacked. Home automation technologies
Kindly highlight some of the top cyber make it easy to control a number of home
security issues of 2017 and how these functions such as home entertainment
issues impacted you personally, your systems, heating, lighting, and even exterior
door locks. Home owners need to follow
organisation or country?
best practices to secure these devices
and manufacturers of home automation
There has been a great focus on end user systems need to ensure their devices can
and end user technology such as emails, provide security or they will not survive.
computers and mobile devices as the

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 69

Do you think fake news is a major What can be done to improve If yes, how did you (company or
problem in Your Country? the general user awareness on country) respond to these cases?
the detection of fake news in the
If yes, who should be responsible country? Considering the shortage of skilled
for controlling the creation resources in Africa, how can we
and distribution of fake news Same as above. Social Media platforms limit the impact of ransomware
(government, end users, Telcos/ISPs should make it possible for users to cases?
or content owners)? quickly indicate whether content is fake
or not similar to the concept of ‘likes’. • Have a broad Cyber Security
A robust Social media PR mechanism Strategy
In my opinion, definitely. The concept of
should be in place to tackle fake news • Assign the rightful ownership and
fake news is nothing new. Pre-digital era
affecting a government institution or an accountability
and even now, it was manifest in society
organisation. • Assess your organisation and
through rumors carried orally from one
mitigate the risks both from legal
person to the other. During the print
Many governments in Africa and technical side.
era, it could be used as a propaganda
• Continuous User Awareness
tool against certain persons/ are investing in e-services
including simulated phishing attacks.
organisations. More credible print (e-government, e-voting, e-tax I cannot emphasize this enough. It
institutions though confirm accuracy systems and many other portals.) starts with the user.
before printing. However with digitization Do you think the African citizenry • Have an IT DRP and BCP in place
and proliferation of social media, there
is ready to consume and utilize and routinely test these so that
are hardly any safe guards. The ease of
creating an account and the pseudo-
these systems without the worry of in the event of an attack, you are
privacy, security and fraud? aware of what to do.
anonymity of social media makes it easy
for lots of people to engage in this. Do you think organisations are
I do believe the citizens are ready,
however, more awareness is needed.
spending enough money on
Fake news will never be ended but each combating cyber-crime?
of us should have the responsibility Blind trust could mean laxity by
of fact checking before sharing any government and her agencies in
establishing the right controls. Citizens Organisations are beginning to wake up
fake content. It is easy to verify facts
need to understand what to look out for to the reality of Cybercrime. This trend
even through a simple google check.
in terms of data privacy and demand needs to be upped to match with the
Social Media platforms should make
for such if the standards don’t match rapid evolution of the nature of cyber
it possible for users to quickly indicate
up. For example, your address and ID security threats. Cybercrime is not
whether content is fake or not similar
should not be shared with any external only growing rapidly, it is also becoming
to the concept of ‘likes’. A robust
parties without consent of the owner. organized, sophisticated, well-funded,
Social media PR mechanism should
Do citizens know this? and focused on profit making attacks.
be in place to react to any fake news
Although cybersecurity budgets are
affecting a government institution or
 What are some of the risks we face growing, it will be a challenge to keep up
an organisation. These are some of the
with the introduction of government with the growth of cybercrime.
ideas I could share to control fake news.
driven e-services and do you have
any examples of these cases in your What can be done to encourage
Should regulators force influential
country? more spending on cyber security
platforms like Google and
issues?
Facebook to remove fake news Breach in data privacy as mentioned
and other extreme forms of above. Ensuring you have a Cyber Security
content from their platforms? Strategy and assigning the right
In 2017, we had several cases of ownership and accountabilities.
For extreme forms of content such as
cyber security attacks including
terrorism, I do agree. On fake news, my
opinion is to let the users identify this,
ransomware attacks across the
get marked as fake and for everyone to world– were you impacted by
move on. these attacks?

Demystifying Africa’s Cyber Security Poverty Line


70 Industry Players Perspectives

This makes it easier to apportion The nature of Cyber Security threat In your opinion and from an African
budgets where needed. is a global one; the assets targeted context, what are the top 2018
that are of the highest risk are global in
cyber security priorities for African
Remember it is not an IT department nature hence I would not encourage an
African centric solution to drive this on a countries and organisations?
accountability. It could be the
responsibility of IT to execute the separate path and re-invent the wheel
approved technical plans but the overall but rather a consolidated effort. Cyber Implementing a robust Cyber Security
accountability lies within the business Security attacks are evolving fast and Strategy with clearly defined vision,
leadership. The business needs to collaboration with all players. goals and objectives both at the
understand the growing cybersecurity national and organisational level.
threats to their information security The real focus in Africa should be on
and operational technology. Security legal and regulatory fronts. Putting in To those African countries that have
professionals need to present the place laws, policies, regulations that done so, enforcing what is on paper
real risks to their organisation and the help drive the National Cyber Security and that will need ensuring the agencies
potential consequences and financial awareness, prevention and control. It responsible are well skilled and funded
impacts if appropriate security controls should be mandatory for example for to handle the increasing threat.
are not implemented. organisations to report a significant
breach and for institutions to enforce For enterprises, continuously assessing
Based on our research the Africa data privacy. Also, heavy punishment the environment for additional threats
for those caught in the act of Cyber- and fine tuning internal plans to adopt
cyber security market will be
attacks should be inflicted to discourage to those threats. As mentioned earlier,
worth USD2 billion dollars by this could extend to the manufacturing
the vice. Bi lateral agreements should be
2020. Despite this opportunity, in place to ensure even those remotely sites. Lastly, it all begins with the
Africa has not produced a single culpable are brought to book. individual person. Keep them informed!
commercially viable cyber security
product/solution. What role can the private sector
and consumers of imported cyber
In your opinion, what should African security products play to ensure we
countries/universities focus on can encourage local players to start
to encourage innovation in the developing African grown cyber
development of cyber security security products/solutions or even
solutions? services?

I would differ on this with the majority.

Demystifying Africa’s Cyber Security Poverty Line


MULTIPLICITY • Scanning from external IP • Traffic to core VLAN from extenal IP • Dormant account activity • Logs deleted
VELOCITY • Bruteforce attempts • Multiple posting on DB • Bulk transaction • System unavailable
VOLUME • Excessive DNS queries • Remote Access tool detected processing • AV disabled
INDICATORS OF
COMPROMISE LIMITS • IP conflicts • Auditry disabled • Transaction over limit

KEY
SYSTEMS
Firewall Antivirus Active Directory

ATTACK
STAGES
RECONNAISSANCE GAINING ACCESS ATTACK HIDE TRACKS

Stage 1

Stage 2
Social Engineering
and Identity Theft
File Data Exfiltration
Gaining DB Server
Access Attack
Users

Document
Stage 3 Malicious DB ATM/POS/MPESA
Management Manipulation
Servers • Admin credentials Systems
Admin
• Customer account
Stage 4 Email

Malware Server

Cyber Hide
Criminal Using Erasing logs to
Tracks
TOR/Proxy remove evidence
Server to Web Defacement
hide actual IP

Clean PC

Sending money to
multiple recipients
72

Security Begins

Home Security at Home

Home-owners and
Our culture, Pan Africanism, emphasises on the need TO BE MINDFUL OF essentially anyone
FELLOW AFRICANS. We’re all connected via the shared network we call
the Internet. It is in our own best interests to make sure everyone – FROM with property in
THE YOUNG TO THE OLD, ON SNAPCHAT, FACEBOOK AND TWITTER - KNOW and
practice basic security habits. Africa, locks their
This section highlights top trends and security issues and corrective measures for
doors without
security in our homes. thinking twice.
African parents
IP Cameras/Nannny Cams they come with certain risks. In
are well known for
October, hackers took over 100,000
For young parents, a baby monitor is
an essential device to check on the
IoT devices and used them to block
traffic to well-known websites,
monitoring who
baby’s welfare. Majority of these devices including Twitter and Netflix. their children are
are misconfigured and have default
passwords. This means a hacker or a Home Routers associating with,
pervert could potentially gain access and
monitor your child or play eerie music. When buying a home router, no the language they
This calls for home owners to be vigilant consideration is put on the security
of these devices. Recent research
use around other
in securing their electronic devices.
has shown that your home routers people and so on.
Smart Homes can be used by malicious outsiders
But millions of users
to launch attacks against websites
IoT is changing our traditional approach
to how we live and interract with our
belonging to other organisationss
without your direct involvement.
around Africa still
homes. A number of houses, apartments don’t have the same
and estates in Kampala have CCTV As a home owner, you run the risk
surveillance, Smart TVs, DVRs and of being blocked by certain sites, mentality about their
connected thermostats that you can your internet speed may be slow
monitor and handle from any part of the due to the excessive bandwith digital presence.
world. These gadgets add convenience utilization and you will incur higher
like locking your door or shutting off the costs.
lights all from a smartphone app, but

Security Tips
Buy from Connect to a
Change trusted guest network
brands

Install
default updates
Disable unused
passwords Use all included features
right away
security features

Demystifying Africa’s Cyber Security Poverty Line


73

Securing the Child

Children in particular have


unprecedented access
to computers and mobile
technologies, and have in
recent decades tended
to adopt these from an
early age, resulting in ICTs
becoming thoroughly
embedded in their lives. To
ensure security of the child
online, it is necessary for
parents to position and equip
themselves with the right
tools as follows:
Teach Yourself Get them offline
Educate yourself about the It’s key to remind children
apps they’re using in order that there’s a whole world Parents should educate themselved on detecting
to make informed decisions offline too. This is important
when their child is being bullied and ways of
about what they’re able to in a number of way, most
do on those apps. important being to help helping them through this.Here are some other
dampen the impact of examples of behavior that could cross the line into
Check Privacy Settings potential cyberbullying. It’s cyberbullying:
important to remind children
Take advantage of built-in to have fun in other ways off • Sending or posting mean things to or about
parental controls. Major mobile phones. someone
apps and services – like
• Creating a hostile environment in an online
Facebook or your DSTV box Cyber Bullying
– have ways of restricting world or game
access for young people, so With the statistics and
check through the settings games such as blue whale
thoroughly before letting piling up, it has become Parents can
your child onto a device. increasingly clear that
the cruelties inflicted by • Talk about bullying with their kids and
Parents can also leverage cyberbullying have become have other family members share their
technologies meant to a devastating reality for experiences.
secure kids online such many teens.This can cause
damaging self-esteem • Remove the bait. If it’s lunch money or
Google’s Kiddle, this presents
a colorful space-themed issues, depression, self- gadgets that the school bully is after.
page with a filtered search harm, feelings of isolation • Don’t try to fight the battle yourself.
bar to ensure only kid that hinder performance
friendly content is displayed. in school, social skills, and
general well-being.

Demystifying Africa’s Cyber Security Poverty Line


74 Industry Players Perspectives

Love it or hate it, the GDPR is here to stay!

Historical context for the GDPR countries have data privacy legislation,
with an additional 14 countries working on
Global recognition of the importance of legislation, leaving a balance of 24 currently
data privacy can be traced back to the having taken no action so far. There are
United Nations (UN) which has a long history some leading examples in Africa, such as
of promoting the right to privacy through Mauritius which passed the Mauritius Data
its Human Rights treaties. This includes Protection Act (MDPA) in late 2017, swiftly
article 12 of the Universal Declaration of brought the MDPA into full force in January
Human Rights in 1948 and article 17 of the 2018 and thus positioned itself as a leading
International Covenant on Civil and Political nation in Africa and the Indian ocean
Rights in 1966. More recently in July 2015 the island states in terms of alignment with
UN appointed a “Special Rapporteur on the the European Union and its General Data
Dr. Peter Tobin right to privacy” to bring additional focus to Protection Regulation (GDPR).
the importance of data privacy. Supporting
Privacy and Compliance the UN is the Organisation for Economic Co- So what is the European Union GDPR?
Expert operation and Development (OECD) which in
1980 issued its “Guidelines on the Protection
BDO IT Consulting Ltd of Privacy and Transborder Flows of
Personal Data” which were revised and re-
issued in 2013, just as the POPI Act (POPIA)
Mauritius
was gazetted in South Africa, allowing that
country to join the growing list of those
forming part of the African community of
nations that have embraced personal data
protection legislation. Following the UN
and OECD initiatives, nearly one hundred
countries and territories have established or
are developing data protection laws.

African personal data privacy and


protection developments
During 2016 the General
Data Protection Regulation
In Africa, the African Union (AU) Commission
and the Economic Commission for Africa – commonly known as
have spearheaded the development the GDPR – was finalised,
of the AU Convention on Cybersecurity
and Personal Data Protection, which was with a transition period to
adopted by the AU Heads of States and
Governments Summit in June 2014 in
full compliance required
Malabo, Equatorial Guinea. Eight Countries by those organisations
had already signed the convention by July
2016 according to AU Commission: Benin, impacted - those
Chad, Congo, Guinea Bissau, Mauritania,
Sierra Leone, Sao Tome & Principe and
processing directly
Zambia. At a regional level in Africa there (controllers) or indirectly
are also several initiatives, notably the
ECOWAS Cybersecurity guidelines and (processors) the personal
the SADC Model Law on data protection,
e-transactions and cybercrime. There is also
data or EU residents - by
the HIPSSA initiative (Harmonization of the May 2018.
ICT Policies in Sub-Saharan Africa) which
covers 30 countries across the continent.
Latest estimates show that 16 African

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 75

The GDPR has potentially wide- In the case of the United Kingdom Controllers. Some of the chapters of
ranging implications for companies (UK), there were strong indications the GDPR are really only of interest
based outside the EU (increasingly at the time of writing this article that to the supervisory and regulatory
often in Africa) trading with the EU the UK would fully align itself with the authorities (such as chapters 6, 7, 10
member states. Of particular interest GDPR even post “BREXIT” (the exit of and 11), whilst others discuss important
is the following extract from the the UK from the EU). The GDPR has issues such as remedies, liability and
GDPR document: “The [European] 173 introductory clauses (sometimes penalties (Chapter 8) which can have
Commission may decide with effect for referred to as the recitals, a form of serious consequences for Controllers
the entire Union that a third country, explanatory pre-amble), with the main or Processors who do not meet the
a territory or specified sector within regulation body comprising 11 chapters requirements of the GDPR.
a third country, or an international made up of 99 Articles which come
organisation, offers an adequate level to over 400 numbered paragraphs. Key changes in the GDPR
of data protection, thus providing legal It is important to remember that the
certainty and uniformity throughout GDPR works in conjunction with other Compared to the earlier EU-wide
the Union as regards the third country EU directives and regulations at an EU directive of 1995, the GDPR contains a
or international organisation which is level, and may be complemented by number of key changes. These include
considered to provide such level of local legislation, whether in EU member the increased territorial scope of the
protection. In such cases, transfers of states or in African countries that are GDPR (extra-territorial or non-EU
personal data to that third country or seeking to align themselves to the member state applicability; significant
international organisation may take GDPR. increases in potential penalties (rising
place without the need to obtain any to up to 2% to 4% of global turnover
further authorisation. The Commission After chapter 1 which contains a series of either or both of the Controller
may also decide, having given notice and of general provisions and definitions, or Processor found at fault by the
a full statement setting out the reasons chapter 2 covers the principles of data supervisory authorities). There have also
to the third country or international processing, which have been refined been changes to the nature of consent
organisation, to revoke such a decision.” since the previous EU personal data which can be used as a justification of
This opens the door to leading practice protection directive of 1995. Chapter lawful processing, including expanded
nations and sectors stealing a march 3 addresses the “Rights of the Data requirements in terms of the record
over their competitors in the global Subject”, those EU-resident individuals keeping for consent given, refused
marketplace for information services whose personal data may be processed or withdrawn. Whilst some countries
provision where personal data is by one of more the main parties who have already implemented strict rules
processed. need to comply with the GDPR: the around data breach notification, the
Controller (typically an organisation such GDPR emphasises to requirement
So what, briefly, is the GDPR (www. as a business or arm of government) to normally notify the supervisory
eugdpr.org)? that determines and controls the authorities within 72 hours of a data
processing of the personal data and breach being confirmed (perhaps
the Processor, a service provider which after an initial check that the data
The GDPR is a renders personal data processing
services to one or more Controllers.
breach is real and not imagined or only
suspected). Data subject rights have
single regulation There are other Third Parties that may
be involved, such as those organisations
also been clarified and expanded to
include the much-discussed “right to be
that automatically where the Controller shares personal
data for a variety of legitimate reasons.
forgotten” (erasure of personal data)
as well as the right to data portability,
applies to all Chapter 4 looks at the duties of the
Controller and Processor.
such as when moving between service
providers. “Privacy by design and
current and future Chapter 5 addresses the Transfer
default” also represents not only a new
requirement but one which addresses
European Union of Personal Data to 3rd Countries
or International Organisations, an
the approach to personal data privacy
as “built-in” not just “added-on”. The last

members states important consideration when dealing


with countries in Africa that, for
major change highlighted by the EU is
the enhanced and expanded (broader
example, host outsourced personal
from May 2018. data processing services for EU-based
and deeper) role of the Data Protection
Officer (DPO).

Demystifying Africa’s Cyber Security Poverty Line


76 Industry Players Perspectives

Beyond the vanilla GDPR 4. You have provided all necessary authority? (Article 33: Notification
information at point of collection? of a personal data breach to the
It is important to be aware that the (Article 13: Information to be supervisory authority)
GDPR in its basic format has already provided)
been complemented by a number 12. You have a policy, process and
publications by the group that will 5. You have a policy, process and procedures for data breach
over time become the collective body procedures to ensure a) right notification to the data subject?
for supervisory authorities in the EU of access; b) to rectification; c) (Article 34: Communication of a
(European Data Protection Board, to erasure; d) to restriction of personal data breach to the data
established under Article 68 of the processing; by the data subject? subject)
GDPR), although operating at the (Article 15 - 18: Right of access;
time of writing under the “Article 29 to rectification; to erasure; to 13. You have conducted data
DPWP” branding (perhaps somewhat
restriction of processing) protection impact assessments
confusingly, that’s Article 29 under the
where necessary according to the
1995 directive and not under the GDPR).
Further guidance is already planned in 6. You are meeting all the screening rules? (Article 35: Data
areas such as consent, transparency, responsibilities of the controller? protection impact assessment)
profiling, high risk processing, (Article 24: Responsibility of the
certification, administrative fines, breach controller) 14. You have, where necessary,
notification and data transfers. appointed an appropriate data
7. You have data protection by protection officer following the EU
So how is your compliance status? design and by default? requirements? (Article 39: Tasks
(Article 25: Data protection by of the data protection officer)
Here’s a quick review of some of the key design and by default)
considerations when preparing for (or 15. You have appropriate safeguards
maintaining) compliance with the GDPR. 8. You have a representative in the for cross-border transfers?
Can you prove that: EU? (Article 27: Representatives (Article 46: Transfers subject to
of controllers not established in appropriate safeguards)
1. You comply with the 6 principles the Union)
relating to personal data 16. You have trained your staff in all
processing? (Article 5: Principles 9. You have adequate records of of the above aspects and more
relating to personal data processing? (Article 30: Records (Article 39: Tasks of the data
processing) of processing activities) protection officer)

2. You comply with the lawfulness 10. You have adequate security of
of processing rules? (Article 6: processing? (Article 32: Security
Lawfulness of processing) of processing)

3. You have records of consent that 11. You have a policy, process and
meet the required conditions? procedures for data breach
(Article 7: Conditions for consent) notification to the supervisory

So maybe you didn’t score full marks and are beginning to hate the idea of all the effort it might
take to climb the GDPR mountain if you need to. But perhaps it’s also time to look on the bright
side, and learn to love the GDPR. It might just be that the next big contract you land with a client
in Europe or service work you perform for an organisation outside the EU but with clients in the
EU, provides the bonus you have been promising yourself all year.

One way or the other, love it or hate it, the GDPR is here to stay!

Demystifying Africa’s Cyber Security Poverty Line


77

Africa Cyber Security


Framework
Cybercrime in the African With the increasing business
continent particularly within the requirements of the 21st century
Small Medium Enterprises (SMEs) businesses and the inadequate
setting is a growing concern. SMEs budget allocated to IT, it has
are especially expanding the use become expensive especially for
of cloud, mobile devices, smart small and medium sized companies
technologies and work force to adopt complex and international
mobility techniques. This reliance cyber security frameworks. As
has however unlocked the doors such, cybercrime prevention is
to vulnerabilities and cybercrime. often neglected within SMEs. This
Attackers are now launching has resulted in a situation whereby
increasingly sophisticated attacks SMEs are now one of the popular
on everything from business targets of cyber criminals. While
critical infrastructure to everyday at the same time, the SMEs lack
devices such as mobile phones. a comprehensive framework that
Malware threats, Insider threats, will help them determine their risk
data breaches resulting from exposure and provide visibility to
poor access controls and system their security landscape without
misconfigurations are some of the necessarily adding to the strained
ways that attackers are now using costs.
to deploy coordinated attacks
against these organisations.

Solution
In order to assist businesses in Africa particularly SMEs, we developed
the Serianu Cyber Security Framework. The Framework serves to help
businesses in Africa particularly SMEs to identify and prioritize specific risks
and steps that can be taken to address them in a cost effective manner.
The baseline controls developed within the framework, when implemented,
will help to significantly reduce cyber related security incidences, enable IT
security to proactively monitor activities on their key ICT infrastructure and
provide assurance that business operations will resume in the appropriate
time in case of an attack or disruption.

Demystifying Africa’s Cyber Security Poverty Line


78 Domains of the
Africa Cyber Security
Framework
security Risk
yber Ma
1: C na
g
in
Anticipate Risks -
a

em
m

Assess Risks and Implement


Do

en
Controls

t
This requires an organisation to
know exactly what it needs to
protect (the ‘crown jewels’) and
rehearse appropriate responses to
likely attack/ incident scenarios
(including accidents. This provides
confidence in an organisation’s its
ability to handle more predictable
threats and unexpected attacks;
i.e., ‘anticipate’ cyber-attacks.

ity Vulnera
ecur bil
rs Detect it
e

y
Vulnerabilities –
b

M
Cy

Track and Correct

an
Domain 2:

Vulnerabilities

agem t
The average lag time
before a breach is

en
detected is between 205 –
urity Incide to – 265 days. Early
rsec nt detection of vulnerabilities
be M can prevent escalation to
Respond
y

an incident.
C

an

to Incidents –
3:

age

Identify and Mitigate


Domain

Incidents
ment

Continuous management of
risks, remediation and root
cause analysis is what enables
organisations to effectively
manage threats within curity Visibilit
the network. erse yM
yb a
C
Contain –
na
4:

ge

Communicate and
ain

me

Enhance Cyber Resilience


Dom

nt

Detection cannot fully protect


an organisation from
malicious threat actors. This
must be complemented by a
resilient response capability.
Quick response to cyber
threat minimizes the cost of
breach.

Demystifying Africa’s Cyber Security Poverty Line


80 Industry Players Perspectives

Kindly highlight some of the top cyber With the advent of social media and
security issues of 2017 and how these increased internet penetration year on year
I only see fake news increasing.
issues impacted you personally, your
organisation or country?
Any entity should be free to create
and distribute news, but not fake news.
One of the major cyber issues related to Regulators should not force influential
leaking personal information of millions of platforms only, but all platforms to remove
people. This raises the question of whether fake news. But to do that, the regulators
there are adequate systems and laws to must first define what fake news is in their
safeguard personal data. jurisdictions, according to their laws.

WannaCry ransomware was another top We need the main stream media houses
Fredrick M. Bobo issue in the year. Luckily my organisation and journalists to rise to the occasion and
or myself were not hit by it but numerous be a true north when it comes to news
IT Audit Manager organisations in South Africa were hit. reporting. It is disheartening when fake news
is disseminated by an established news
African Organisation of From an overall perspective, the top cyber house.
English-speaking Supreme security issue anywhere probably remains
Audit Institutions human gullibility. Very few attacks are
Many governments in Africa are
based on technological weakness but social
engineering. What is needed, is education, investing in e-services (e-government,
South Africa e-voting, e-tax systems and many
training and awareness of cyber security.
other portals.) Do you think the African
Do you think fake news is a major citizenry is ready to consume and
problem in Your Country/Africa? utilize these systems without the worry
of privacy, security and fraud?
If yes, who should be responsible for
controlling the creation and distribution What are some of the risks we face
of fake news (government, end users, with the introduction of government
Telcos/ISPs or content owners)? driven e-services and do you have any
examples of these cases in your country?
Should regulators force influential
platforms like Google and Facebook to I believe the citizenry is ready to consume
remove fake news and other extreme these systems owing to the efficiency
forms of content from their platforms? brought about by them. Additionally, I
think going that direction is inevitable.
What I think needs to be importantly
What can be done to improve the
worked on is matching legal frameworks
general user awareness on the detection and fundamentals to support e-service
of fake news in the country? provision. These fundamentals include such
things as internet access, computing devices
Certainly, fake news is a problem etc.
everywhere. What even makes it worse is
that corrected positions are never publicized The threat of privacy security and fraud will
as much as the fake news. What is required, always be there, and the level will differ on
is for people to understand that news is not the platform as well as services provided,
beyond reasonable doubt just because it is e.g. e-voting with our current African
online. politics will be a serious challenge. The right
thing to do is implement it properly and
Fake news really is something that does not ensuring feasibility before the projects are
have an immediate solution. implemented.

Demystifying Africa’s Cyber Security Poverty Line


Industry Players Perspectives 81

In 2017, we had several cases of What can be done to encourage commercially viable cyber security
cyber security attacks including more spending on cyber security product/solution.
ransomware attacks across the issues?
world– were you impacted by In your opinion, what should African
these attacks? Working in a public space across Africa, countries/universities focus on
it is clear the public sector is not treating to encourage innovation in the
Cyber crime with the seriousness it development of cyber security
If yes, how did you (company or
deserves. We have seen a few countries solutions?
country) respond to these cases?
change legislation and put in structures,
but I think most governments are
Considering the shortage of skilled I am biased to think that a lot of work
waiting to be hit hard before they put in
resources in Africa, how can we limit needs to be done on cyber security in
mitigating measures.
the impact of ransomware cases? public sector
One way we can encourage appropriate
Not affected by it spending on cyber security issues is to
What role can the private sector
increase awareness. There is currently and consumers of imported cyber
A good way that we can limit impact is very little focus on cyber security in security products play to ensure
going back to basics, awareness and governments of Africa. We lack proper we can encourage local players
training. This is so often underrated but public statistics on cybercrimes and to start developing African grown
very cardinal in limiting ransomware losses. I suspect a good number may cyber security products/solutions
cases. As ransomware is based on be going unnoticed and it pains me or even services?
cryptography algorithms, stopping it in to think of how much money our poor
advance like a basic virus is not possible. governments may have lost.
In your opinion and from an African
context, what are the top 2018
Do you think organisations are Based on our research the Africa cyber security priorities for African
spending enough money on cyber security market will be countries and organisations?
combating cyber-crime? worth USD2 billion dollars by
2020. Despite this opportunity, • Legislative reform
• Structures & processes to combat
Africa has not produced a single
cyber crimes

Demystifying Africa’s Cyber Security Poverty Line


82

Appendix
List of Remote Access Tools for Database

PostgreSQL
 Mac OS X
Windows

MS SQL
Product

License

MySQL

Server

SQLite
Oracle

ODBC

JDBC
 Linux
Adminer Apache License or GPL Yes Yes Yes Yes Yes Yes Yes     Yes
Advanced Query Tool (AQT) Proprietary Yes No No Yes Yes Yes Yes Yes    
DaDaBIK Proprietary Yes Yes Yes Yes Yes Yes Yes No No Yes
Database Deployment Manager LGPL Yes No Yes   Yes          
DatabaseSpy Proprietary Yes No No Yes Yes Yes Yes Yes Yes  
Database Tour Pro[4] Proprietary Yes No No Yes Yes Yes Yes Yes No Yes
Database Workbench Proprietary Yes Yes Yes   Yes Yes    
DataGrip Proprietary Yes Yes Yes Yes Yes Yes Yes No Yes Yes
DBeaver Apache License Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
DBEdit GPL Yes Yes Yes Yes Yes Yes Yes No Yes Yes
Epictetus Proprietary Yes Yes Yes Yes   Yes Yes      
HeidiSQL GPL Yes   Yes Yes Yes      
Jailer Relational Data Browser[5] Apache License Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Maatkit GPL Yes Yes Yes   Yes          
Microsoft SQL Server Management
Proprietary Yes No No       Yes      
Studio
ModelRight Proprietary Yes No No Yes Yes   Yes Yes    
Community Ed: GPL
MySQL Workbench Standard Ed: Commercial Yes Yes Yes   Yes          
Proprietary
Navicat Proprietary Yes Yes Yes Yes Yes Yes Yes   Yes
Navicat Data Modeler Proprietary Yes Yes Yes Yes Yes Yes Yes Yes   Yes
Oracle Enterprise Manager Proprietary Yes No Yes Yes Yes   Yes      
Oracle SQL Developer Proprietary Yes Yes Yes Yes Yes No Yes Yes Yes  
Orbada GPL Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
pgAdmin III PostgreSQL License Yes Yes Yes              
pgAdmin4 PostgreSQL License           Yes        
phpLiteAdmin GPL Yes Yes Yes No No No No No No Yes
phpMyAdmin GPL Yes Yes Yes   Yes          
SQL Database Studio Proprietary Yes No No No No No Yes      
SQLyog GPLv2 Yes   Yes          
SQuirreL SQL GPLv2 & LGPLv2 Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
TablePlus Proprietary No Yes No No Yes Yes Yes No No Yes
Toad Proprietary Yes No No Yes Yes   Yes Yes    
Toad Data Modeler Proprietary Yes No No Yes Yes Yes Yes      
TOra GPL Yes Yes Yes Yes Yes Yes        

Demystifying Africa’s Cyber Security Poverty Line


83

Remote Access tools for Endpoints


Software Protocols License Free for Free for
personal use commercial use
AetherPal Proprietary Proprietary No No

Ammyy Admin Proprietary Proprietary Yes No

AnyDesk Proprietary Proprietary Yes No

Anyplace Control Proprietary Proprietary No No

AnywhereTS RDP, ICA Proprietary Yes Yes

Apple Remote Desktop RFB (VNC) Proprietary No No

Apple Screen Sharing (iChat) Proprietary, RFB (VNC) Proprietary Yes Yes

AppliDis RDP Proprietary No No

BeAnywhere Support Express Proprietary Proprietary No No

Bomgar Proprietary Proprietary No No

Cendio ThinLinc RFB (VNC) Proprietary Yes[a] Yes[a]

Chicken of the VNC RFB (VNC) GPL Yes Yes

Chrome Remote Desktop Chromoting BSD Client, Proprietary Yes Yes


Server
CloudBerry Lab (CloudBerry Remote Assistant) Proprietary Proprietary Yes Yes

Citrix XenApp/Presentation Server/MetaFrame/ RDP, ICA Proprietary No No


WinFrame
Fog Creek Copilot RFB (VNC) Proprietary No No

GO-Global Proprietary Proprietary No No

GoToMyPC Proprietary Proprietary No No

HP Remote Graphics Software (RGS) HP RGS Proprietary Yes[b] Yes[b]

HOB HOBLink JWT RDP Proprietary No No

HOB HOB MacGate RDP Proprietary No No

IBM Director Remote Control Proprietary Proprietary No No

I'm InTouch Proprietary Proprietary No No

iTALC RFB (VNC) GPL Yes Yes

KDE RFB (VNC), RDP GPL Yes Yes

LiteManager Proprietary Proprietary Yes[d] Yes[d]

LogMeIn Proprietary Proprietary No No

Mikogo Proprietary Proprietary Yes No

Netop Remote Control Proprietary Proprietary No No

NetSupport Manager Proprietary Proprietary No No

Netviewer Proprietary Proprietary No No

NoMachine NX Proprietary Yes Yes[e]

OpenText Exceed onDemand Proprietary Proprietary No No

Open Virtual Desktop RDP GPL Client, Proprietary No No


Server

Demystifying Africa’s Cyber Security Poverty Line


84

Software Protocols License Free for Free for


personal use commercial use
Oracle Secure Global Desktop Software/Sun VDI AIP Proprietary No No

Proxy Networks Proprietary Proprietary No No

Pilixo Remote Access Proprietary Proprietary No No

QVD NX and HTTP GPL Yes Yes

rdesktop RDP GPL Yes Yes

RealVNC Open RFB (VNC) GPL Yes Yes

RealVNC RFB (VNC) Proprietary Yes[e] No

Remmina RDP, RFB GPL Yes Yes


(VNC), SPICE, XDMCP, SSH
Remote Desktop Services/Terminal Services RDP Proprietary Yes Yes[g]

ScreenConnect Proprietary Proprietary No No

Splashtop Remote Proprietary Proprietary Yes No

SSH with X forwarding X11 BSD Yes Yes

Sun Ray/SRSS ALP Proprietary ? ?

Symantec pcAnywhere Proprietary Proprietary No No

TeamViewer Proprietary Proprietary Yes No

Techinline RDP Proprietary No No

Teradici PCoIP Proprietary No No

Thinc Thinc GPL Yes Yes

TigerVNC RFB (VNC) GPL Yes Yes

TightVNC RFB (VNC) GPL Yes Yes

Timbuktu Proprietary Proprietary ? ?

TurboVNC RFB (VNC) GPL Yes Yes

Ulterius RFB (VNC) GPL Yes Yes

UltraVNC RFB (VNC) GPL Yes Yes

Vinagre RFB (VNC), SPICE, RDP, SSH GPL Yes Yes

XDMCP X11 MIT Yes Yes

xpra Bencode-based, rencode- GPL Yes Yes


based, YAML-based, RFB
(VNC) for desktop mode
X11vnc RFB (VNC) GPL Yes Yes

X2Go NX GPL Yes Yes

x2vnc RFB (VNC) BSD Yes Yes

x2vnc Ulterius (VNC) BSD Yes Yes

x2x X11 BSD Yes Yes

Software Protocol License Free for personal Free for


use commercial use

Demystifying Africa’s Cyber Security Poverty Line


85

List of Open Source Tools


Vulnerability Scanners
1. OpenVAS

OpenVAS isn’t the easiest and quickest scanner to install and use, but it’s one of the most feature-rich, broad IT security
scanners that you can find for free. It scans for thousands of vulnerabilities, supports concurrent scan tasks, and
scheduled scans. It also offers note and false positive management of the scan results. However, it does require Linux at
least for the main component.

2. Retina CS Community

Retina CS Community provides vulnerability scanning and patching for Microsoft and common third-party applications,
such as Adobe and Firefox, for up to 256 IPs free.

3. Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on Windows desktops and servers,
identifying any missing service packs, security patches, and common security misconfigurations.

4. Nexpose Community Edition

Nexpose Community Edition can scan networks, operating systems, web applications, databases, and virtual
environments. The Community Edition, however, limits you to scanning up to 32 IPs at a time.

5. SecureCheq

SecureCheq can perform local scans on Windows desktops and servers, identifying various insecure advanced Windows
settings like defined by CIS, ISO or COBIT standards.

6. Qualys FreeScan

Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet facing or local servers or machines.  

Demystifying Africa’s Cyber Security Poverty Line


86

References
Top Issues
https://securityintelligence.com/the-enemy-within-identifying-insider-threats-in-your-organisation/

https://portland-communications.com/pdf/The-Reality-of-Fake-News-in-Kenya.pdf

The Computer and Cybercrimes Bill, 2017 - Kenya Law

http://www.ke-cirt.go.ke

CYBERCRIMES (PROHIBITION, PREVENTION, ETC) ACT, 2015 ...

https://www.itu.int/en/ITU-D/Cybersecurity/Pages/GCI.aspx

339_The Cybercrimes Acts, 2015-1

Attacks
https://www.standardmedia.co.ke/business/article/2000228978/shame-as-kenya-s-internet-regulator-website-
hacked

https://www.standardmedia.co.ke/business/article/2001249724/how-kenyans-were-lured-into-sh2-trillion-public-likes-
scam

https://www.vanguardngr.com/2017/06/maersk-apm-terminal-systems-hacked-operations-grounded/

https://www.hackread.com/nigeria-man-hacked-global-oil-gas-and-energy-firms/

Cyber Intelligence
https://www.google.com/search?q=heartbleed+vulnerability&oq=heartbleed+vulnerability&aqs=chrome..69i57j0l5.6115j0j9
&sourceid=chrome&ie=UTF-8

https://www.projecthoneypot.org/list_of_ips.php?t=h

Demystifying Africa’s Cyber Security Poverty Line


Hands on Cyber Security Training for Professionals

Cyber Immersion is Serianu’s premier training program


that aims to arm private and public organisations with the
necessary know-how to counter cyber threats in a holistic
manner, helping them mitigate the risks and costs
associated with cyber disruptions.

info@serianu.com | www.serianu.com

© Serianu Ltd © Cyber Immersion


Botswana