By Kathy Gibson, IT-Online – Africa is rapidly becoming more connected, more mobile and more tech-savvy – but this is opening the continent up to more cybercrime than ever before.
“When you look at cyber-security in an African context, it is a ticking time bomb,” says Anna Collard, MD of KnowBe4 Africa. A massive 525-million Africans are connected to the Internet – and that number will double in the next two years.
“Of this half a billion new users who will come online, most of them will be first-time users; and many won’t speak English as a first language,” Collard says.
In Africa, many people use tools like WhatsApp as their primary communications medium, with email used much less than in the developed world.
Today, 100-million Africans use mobile money or banking accounts. In fact, in sub-Saharan Africa, 10% of the GDP goes through mobile money transactions. By 2025, mobile broadband will account for 87% of total connections, with 690-million smartphones deployed. “This makes Africa a low-hanging fruit for criminals,” Collard says.
Because there is a high degree of digitisation, with many people connected via mobile and to online banking, the continent is an attractive target. In addition, only 20% of countries have a legal framework for combatting cybercrime. Also, there is high youth unemployment, low prioritisation by governments and business, and a skills shortage when it comes to security professionals. Plus, a massive 57% of software used in Africa is pirated, which adds to the risks.
The typical cybercriminal is part of a business operation, Collard adds, so they are not easy to spot. They are global, organised, work together and even have service levels for criminal activities. The cost of cybercrime in Africa was $3,5-billion in 2017. In Nigeria, it was $649-million; in Kenya $210-million; and in South Africa $157-million.
The top targets, says Collard, are the banks and financial institutions at 25%. But governments, e-commerce and telecommunications are also at risk. The top threats are cryptojacking, ransomware, breaches and business email compromise. We are also seeing an increase in blackmailing, mobile malware and ransom-extortion.
In Africa, 88% of companies have experienced phishing attacks, 80% have had impersonation attacks, 63% report an increase in such attacks, and 42% have been hit by ransomware attacks.
Expect to see more attacks hitting critical infrastructure, Collard says. “This is important when you think about things like hospitals that might have to shut down because of something like that.”
This is not impossible: the NHS in the UK was hit by an attack that resulted in people being turned away from hospitals, she points out. Phishing is still the top threat action, involved in 32% of confirmed breaches, according to Verizon research. Other causes of breaches were malware infections (28%) and use of stolen credentials (29%).
In fact, cybercriminals know that it is actually easier to attack humans than to try to break through sophisticated technology. In 2020 we can expect more sophisticated, targeted phishing attacks. Automation will be employed more in so-called laser phishing attacks.
Deep fakes in vishing will also be seen more. This has already become well-documented in 2019, Collard adds, and is expected to grow. We will also see more extortion schemes like sextortion and ransomware attacks.
KnowBe4 Africa carried out a security awareness study in November 2019, interviewing employed people in nine African countries.
A massive 28% of them reported that they had fallen for phishing, 27% for a scam or con artist, and 50% had a malware infection. In addition, 65% are concerned about cybercrime but 28% don’t know how to protect themselves.
Most of them felt their companies do educate them on security – but more than 60% had no idea what ransomware is. “There is the issue of unconscious incompetence, where people don’t know what they don’t know.”
There is a serious need for cyber security awareness training and education, Collard says, with 30% of users connecting via public hotspots; 46% trusting emails from people they know; 20% just looking for spelling mistakes to determine if mails are fake; and 23% easily handing out personal information.
The biggest real causes of security breaches, Collard adds, are lack of patching and poor awareness training. The good news, she adds, is that companies can do something about this. For instance, awareness training can reduce the number of employees responding to phishing attacks from 30% to 15% in three months and 2% in a year.
Collard’s top tips for businesses are to start with a risk assessment. “Also, go back to basics: patch management, user awareness and education, and sound password practices.” They should also consistently apply best practices, she adds. Consumers should educate themselves and their families; not trust anything unexpected; and limit what they share about themselves online. Collard urges users to also use strong passwords.