Half a billion US dollars – that’s how much cyber-related incidents now cost organizations in Nigeria each year. The figures for many other African countries are similarly high, estimated at $50 million for Uganda and $250 million in Kenya. But even these figures are likely to understate the problem; most African countries don’t record such losses in a formalized, mandatory manner and most organizations don’t report any potential or actual losses to authorities.
Regulation and legislation related to information security and data protection also continue to lag behind other parts of the world. As such, while cyber security is considered an emerging threat in Africa, a lot more work is required in understanding the threat to organizations in specific countries and sectors.
In Control Risks’ conversations with clients, senior executives acknowledge that cyber risk is at the top of their agenda. However, according to African respondents in Control Risks’ latest ‘Cyber Security Landscape’ report, 62% do not have any cyber crisis management plan in place to help them respond to a breach (compared with 40% in Europe & Middle East and 31% in Asia).
This suggests that the threat of a breach remains abstract for many senior executives who have not yet worked out in detail how their organization would deal with one. Additionally, for most organizations in Africa, cyber risk is still primarily the responsibility of IT staff, who struggle to get buy-in from senior management for investment in cyber crisis planning.
Our survey also found that 62% of African respondents say their plans do not cover what their third parties need to do if they suffer a cyber breach. This is despite the fact that most organizations depend on third parties (such as web hosting and IT service providers, as well as clients) to operate their businesses and are connected to them in many ways – offering cyber threat actors potential points of entry to their own systems.
We spoke to a number of organizations in Africa who indicated that the third party risk is largely covered by their contracts with those third parties. A few organizations indicated that they also carry out independent reviews of third parties, which we encourage all organizations to do on a regular basis. One organization also indicated that they require their third party partners to obtain cyber insurance before they allow them to access the organization’s network. As the recent WannaCry ransomware attacks proved, cyber breaches are global in nature; Africa isn’t immune, with reports of attempted and successful attacks in more than 10 African countries. These types of attacks should also lead organizations to treat cyber threats as a matter for the whole business, rather than just the IT department. This means the board should set the right information security culture and risk appetite for the organization, which should then translate into actionable plans for senior management, led by the CEO.
Planning for a cyber crisis should also be the responsibility of senior management rather than just IT. Such planning should involve the whole organization and start with understanding the key threats an organization faces, and the key assets needed to continue operations in the event of a breach.
Source: Control Risks. We are an independent, global risk consultancy specializing in helping organizations manage political, integrity and security risks in complex and hostile environments. We provide strategic consultancy, expert analysis and in-depth investigations, handling sensitive political issues and providing practical on-the-ground protection and support. Visit us at www.controlrisks.com or follow us on Twitter @Control_Risks.
Patrick Matu is an Associate Director for East Africa at Control Risks, the leading international risk consultancy. He is based in the Nairobi office.
The statements made and views expressed are solely the responsibility of the author.