Africa Riskwatch - Issue 10 - July 2017
African organisations can’t afford to turn a blind eye to cyber security
Half a billion US dollars – that’s how much cyber-related incidents now cost organisations in Nigeria each year. The figures for many other African countries are similarly high, estimated at USD 50m for Uganda and USD 250m in Kenya. But even these figures are likely to understate the problem; most African countries don’t record such losses in a formalised, mandatory manner and most organisations don’t report any potential or actual losses to authorities.
Regulation and legislation related to information security and data protection also continue to lag behind other parts of the world. So, while cyber security is recognised as an emerging threat in Africa, much more work is needed to understand the threat to organisations in specific countries and sectors.
In our conversations with clients, senior executives acknowledge that cyber risk is at the top of their agenda. However, according to African respondents in Control Risks’ latest ‘Cyber Security Landscape’ report, 62% do not have any cyber crisis management plan in place to help them respond to a breach (compared with 40% in Europe & Middle East and 31% in Asia).
This suggests that the threat of a breach remains abstract for many senior executives who have not yet worked out in detail how their organisation would deal with one. Additionally, for most organisations in Africa, cyber risk is still primarily the responsibility of IT staff, who struggle to get buy-in from senior management for investment in cyber crisis planning.
Our survey also found that 62% of African respondents say their plans do not cover what their third parties need to do if they suffer a cyber breach. This is despite the fact that most organisations depend on third parties (such as web hosting and IT service providers, as well as clients) to operate their businesses and are connected to them in many ways – offering cyber threat actors potential points of entry to their own systems.
We spoke to a number of organisations in Africa which indicated that third-party risk is largely covered by their contracts with those third parties. Contracts allocate liability after the event, however; they do not by themselves reduce the access a compromised supplier's connection gives an attacker. A few organisations indicated that they also carry out independent reviews of third parties, which we encourage all organisations to do on a regular basis. One organisation also indicated that it requires third-party partners to obtain cyber insurance before they are allowed to access the organisation's network.
As the recent WannaCry ransomware attacks proved, cyber breaches are global in nature; Africa isn’t immune, with reports of attempted and successful attacks in more than 10 African countries. These types of attacks should also lead organisations to treat cyber threats as a matter for the whole business, rather than just the IT department. This means the board should set the right information security culture and risk appetite for the organisation, which should then translate into actionable plans for senior management, led by the CEO.
Planning for a cyber crisis should also be the responsibility of senior management rather than IT alone. Such planning should involve the whole organisation and start with understanding the key threats the organisation faces and the key assets it needs to continue operating in the event of a breach.