There are several trends that have dominated the African cybersecurity landscape in 2021. The continent remains a point of investment interest as connectivity and mobility continue to grow – with only 38% of the population connected, there is massive opportunity compared with developed markets. This situation has seen a subsequent surge in investor attention, particularly in the FinTech and telco spaces, and an equally high but concerning surge in cybercriminal activity.
“Cybercriminals see the opportunity in this new and formative market too,” says Anna Collard, SVP Content Strategy & Evangelist at KnowBe4 Africa. “Considering that nearly half of the world’s 1.2 billion people registered for mobile money are based in Sub-Saharan Africa, and that 63% of the mobile dollar value is spent in this region, it makes sense that it has become a hot zone for investors and cybercriminals alike.”
This trend towards Africa as the lucrative shores upon which these modern-day pirates beach their ships is one that will likely continue into 2022. Most countries in the region do not have adequate cybercrime regulations in place and face significant skills shortages. A low level of general awareness means most consumers do not know how to ensure that their online behaviour is secure and smart.
“Another issue is that a significant number of African businesses operate without basic cybersecurity controls in place,” says Collard. “This makes them all ripe for the picking. A recent study undertaken by Sophos (https://bit.ly/3x9n84j) found that 58% of South African organisations experienced an increase in cyberattacks since the pandemic and KnowBe4’s September 21 survey (https://bit.ly/3cuXsWd) showed that 32% suffered a ransomware attack. What is also a concern is that identity fraud has seen a 337% increase (https://bit.ly/3kNkBaT) over the past two years.”
Add to this the recent SABRIC survey (https://bit.ly/3Fs6r7a) that underscored the growing threats of social engineering across online and mobile banking, and a complex and worrying picture emerges. The statistics, across the board, point to a consistent increase in attack numbers and sophistication. They also draw a red line under Africa – 2022 needs to be the year when the continent ramps up its cybersecurity efforts to protect citizens and economies.
“Another trend is public awareness,” says Collard. “This has remained consistent for many years, but it is becoming increasingly clear that educating people about the risks, and giving them the tools they need to combat the risks, is critical. If you look at mobile banking fraud, in most cases, the successful crimes were because of phishing and social engineering tactics.”
“Cyber extortion crime is another major trend. If you look at the ransomware events that dominated local headlines in 2021, the message is not just that ransomware can be lucrative, but that cybercriminals are combining various methods to make their cyber extortion more effective,” says Collard. “Demands are getting bigger and the impact more pernicious to our economy and society as a whole.”
In 2022, these attacks are going to worsen and their impact will become increasingly expensive as criminals up the ante. The groups that perpetrate the attacks know that this is a lucrative gig, so why would they stop? For the organisation, it could cost them money and reputation. For the public sector, it could cost citizens access to critical infrastructure, and worryingly, the public sector is extremely vulnerable.
“Only 30% of the South African public sector feels prepared for the cyber extortion onslaught,” says Collard. “The fact that the sector admits it is not prepared for this, and the fact it is an attractive target, means that its security has to become a priority. There also needs to be more of a focus on mobile malware and cryptocurrency attacks. These are set to become more targeted and capable over the next year, so users need to be aware of the risks and the scams.”
Finally, 2022 will very likely come with more deep fake technology in social engineering attacks such as phone phishing. Likewise, the increased use of IoT devices, often implemented with default passwords and gaping vulnerabilities, will put organisations at risk.
“What this means for the future is that individuals and organisations need to expect more high-impact extortion attacks and more data breaches,” concludes Collard. “It is critical that there is more investment into upskilling and focus on collaboration between public and private sectors. Initiatives such as South Africa’s cybersecurity alliance (https://bit.ly/3oL7msy) aim to achieve exactly that.”