Egypt has seen a sharp rise in cybercrime and malware in recent years. Political unrest led the government to shut off internet access during protests in 2011. Egypt now ranks third globally for phishing attacks and had one of the highest malware infection rates in Africa in 2012. The government is working to establish comprehensive cybersecurity laws and regulations but currently has only piecemeal legislation across various bills. Reducing software piracy by 10% could generate $287 million and nearly 2,000 new IT jobs for Egypt.
Cyber Security in Africa: Examining Threats Across Egypt, South Africa, Kenya and Nigeria
1. CYBER-CRIME, HACKING AND MALWARE
2013
AFRICA
As economies and technology thrive across Africa, IDG Connect investigates the
state of cyber threats across the four corners of the continent. With spotlights on
Egypt, South Africa, Kenya and Nigeria, this paper also presents local security
opinions from experts on the ground.
19th October 2012
2. Africa
Contents
African Overview 3
Introduction 3
The Security Conundrum 4
Malware and Piracy 4
Regulation 5
Expert Opinion - Contador Harrison 6
Software Director, Somocon Oy, Finland
Egypt : SPOTLIGHT 7
Cyber-crime 7
Politics 8
Cyber-war 8
Expert Opinion - Pierluigi Paganini 9
Chief Security Information Officer, Bit4ld Group & Founder of
SecurityAffairs.co
South Africa : SPOTLIGHT 10
Decline in Viruses 10
Pirates and Hackers 11
Overview 11
Kenya : SPOTLIGHT 12
Open Season for Hackers 12
Fighting Back 13
Expert Opinion - Kostja Reim 14
Managing Director of Security Risk Solutions Ltd
Nigeria : SPOTLIGHT 15
People Power 15
Positive Action 16
Conclusion 17
3. Africa
Introduction
In the first decade of this millennium, the Economist found that six of the world’s fastest growing economies were in
sub-Saharan Africa. This has only continued, and today the continent is renowned for its burgeoning middle class,
mall culture and rapid adoption of mobile technology. In a recent report from HSBC that predicted the top 50 world
economies of 2050, there were substantial rises expected across Africa; Egypt is due to climb 15 places to 20th
position (putting it four places ahead of the Netherlands, which drops nine places); whilst Nigeria is anticipated to rise
nine places to 37th. It seems Africa is finally beginning to put its stamp on the global economic map.
The African Development Bank expects most of Africa to comprise a solid middle class by 2030, with consumer
spending power likely to hit $2.2 trillion. Not surprisingly, big businesses are starting to move in - IBM already has
operations in more than 20 African countries, and this August announced plans to open its first tech research hub on
the African continent, in Nairobi. News, research and economic reports all paint the same picture: Africa is on the up;
change, development and opportunity are firmly on the horizon. However, like every positive story there is always a
negative underbelly lurking beneath the surface.
In Africa, like everywhere else in the world, progress is indelibly linked with IT and technology. And like everywhere
else, technology has its downsides: malware, threats and cyber-crime. In the Western world the difficulty lies in
constantly upgrading and securing IT whilst simultaneously retiring legacy systems; many countries in Africa may
provide a virtually blank slate, but do they have the knowledge to maximise this potential? To give some global
context, the US has a 78% internet penetration (World Internet Stats), whilst Nigeria - which has the highest levels
in Africa - stands at only 29%. South Africa - which has the largest economy on the continent - is currently at 14%.
Mobility aside, with the African market so new, as IT levels improve is Africa really equipped to remain secure?
Nigeria: $235.92 Billion GDP, 29% Internet Penetration. Nigeria’s infamous for cybercrime and the notorious ‘Nigerian Prince’ emails still feature prominently.
Egypt: $229.53 Billion GDP, 26% Internet Penetration. Egypt has seen a sharp rise in malware and cyber-crime in recent years.
Kenya: $33.62 Billion GDP, 26% Internet Penetration. Kenya’s chronic hacking problem and general lack of internet security is currently being addressed by the government.
South Africa: $408.24 Billion GDP, 14% Internet Penetration. South Africa’s relatively under-developed infrastructure makes its high rates of cybercrime all the more alarming.
4. Africa
The Security Conundrum
As the IT sector continues to grow, concerns about security will only rise. Greater accessibility means more opportunities
for criminals to exploit naive users, and inexperience with technology increases the chance of encountering viruses and
malware. Ill-prepared governments and businesses can also suffer at the hands of hackers taking advantage of the
inadequate protection put in place. Each area of Africa is unique; however, there are some notable trends: skills shortages
and lack of education on potential cyber threats seem to be a recurring theme, and levels of viruses and malware are
significantly higher than in other regions, such as Europe.
The aim of this report from IDG Connect is to investigate how Africa as a continent is coping with IT security. This is no
simple task; it is a very diverse region, with approximately 30 million square kilometres of land mass, 57 countries and (by
estimates) as many as 3000 languages. So, in order to make this as digestible as possible we decided to focus on four
pivotal countries, which tie together the four corners of Africa: Egypt, South Africa, Kenya and Nigeria. Throughout this
report we attempt to collate the wealth of information available in order to provide a cohesive snapshot of security across
the continent.
Malware and Piracy
According to Microsoft’s Security Intelligence Report for the second half of 2011, malware infections in Africa are higher than the worldwide average. The infection rate in Egypt, which has been on the increase over the past two years, is now the highest in Africa and among the top five worldwide. Worms were also a common problem, and phishing sites were much higher than the worldwide average in Algeria and Tunisia in 2011.
Africa traditionally has a high rate of software piracy. According to BSA’s 2011 study, the average in the region is around 73%, and there has been little change in recent years. In fact, parts of Northern Africa have seen a slight rise between 2010-2011, possibly due to the Arab Spring uprisings. Aside from the financial loss (approx. $1,785M), this high level of unauthorised software is likely to add to the region’s virus and malware woes.
[Figure: Malware infection rates by country (per thousand computers) - 2011. Bands: 0-5, 5-10, 10-15, 15-20, 20+. Countries shown: Morocco, Nigeria, France, Australia, Canada, Algeria, US, Egypt, Kenya, SA. Source: Microsoft Security Intelligence Report]
5. Africa
Regulation
In order to address security, governments are now looking to introduce wider-reaching cyber-security laws. Many African
countries currently have no laws, or have piecemeal legislation in other bills. To remedy this, much of the continent is
looking to pass regional cyber bills that allow countries to work together in preventing crimes.
All 15 countries in the Southern African Development Community (SADC) have, or are in the process of passing, a cyber-
bill. The East African Community (EAC) is on track to have a common cyber-crime bill for the region, while the Economic
Community of West African States (ECOWAS) has yet to adopt such a policy. As well as legislation, nine countries also
have their own Computer Emergency Response Teams (CERT).
[Map legend: SADC countries that have crafted cyber-crime legislation to curb computer-related crimes; SADC countries that are crafting cyber-crime legislation to curb computer-related crime; countries that will be involved with East African Community (EAC) joint cyber-crime laws; countries that have a Computer Emergency Response Team (CERT)]
6. Africa
Expert Opinion
Contador Harrison,
Software Director,
Somocon Oy,
Finland
African Union must act to reduce cyber-crime
The current situation in Africa cannot be allowed to continue because internet crime, intellectual property,
and identity theft are thriving, and a good number of continent heavyweights have now begun to prepare for
cyber-warfare, yet close to half of their population are living on under a dollar per day. Criminal organizations
are making hundreds of millions of dollars and appear to be re-investing to develop new and more
sophisticated scams in the continent. African governments must act to reduce cyber-crime and to secure the
key systems and infrastructure in the continent.
African governments must not launch their e-government systems until security can be guaranteed. If
necessary, they should only be utilized on a separate network through a secure network for key national
systems and infrastructure. One of the most important services on the Internet today is still one of the most
insecure, and that’s email. The fastest way for a criminal organization to breach security is through the use
of email. It is fundamental that the use of SSL certificates for SMTP server to SMTP server communications
and the use of SSL certificates for SMTP server to client communications be implemented first.
I do also feel that most countries need new legislations that will set out a path towards Africa having two
separate networks. One would remain the public Internet and the other would be a secure network for key
national systems and infrastructure. Also, I feel it is important to make it clear how authorities disconnect
parts of the network and to disconnect countries from the African countries network should be detailed.
Protocols need to be put in place for these actions to occur and it must be decided who will carry out the
actions. Legislation should set out a timeline and framework whereby equipment and systems suppliers will
be required to improve their products with safety and security in mind because this has been a thorn to some
governments in East and Southern Africa.
Certain well-known security flaws in the way computers are made and sold must be identified in the
legislation and made illegal, especially in East and Southern Africa countries where rogue suppliers thrive
by selling substandard and refurbished computers which are sold at the same price as new ones. One of
the many cases I have witnessed in African countries I have visited - Operating Systems are sold without
adequate integrated anti-virus and anti-malware capability. I have always argued in the past that all
computers connected to the Internet should be registered and the computer operating system should report
the computers’ state, including the health of the anti-virus and anti-malware checks.
If you look at the automobile industry in the continent, which is also growing at a very fast rate, registration
is mandatory for any vehicle utilizing public roads in any country within the African Union member states. In
12 African countries I have visited, car roadworthy checks are carried out randomly and whenever a vehicle
is sold, valuers have to value it afresh before a new buyer acquires it. African Union, Africa’s governing body
should take the lead by working with its member states to identify and try to solve some of the issues with
the internet. But the pace of this continental effort is glacial and more needs to be done to reduce cyber-
crime in Africa.
7. Africa
EGYPT : SPOTLIGHT
It’s hard to talk about IT security in Egypt without going into politics. The uprising and recent elections have had a big
impact on almost every aspect of life in Egypt, and the world of IT is no different. As one of the continent’s biggest
economies, and just coming out the other side of civil unrest, the new government has a lot of work ahead of it. While
cyber-security seems to have improved in recent years, since last year’s uprisings, things appear to have deteriorated.
Unlike many parts of Africa, Egypt has a relatively well-developed IT landscape. It has infrastructure, 3G in the cities, a
competitive and affordable telecoms sector, and a well-trained IT workforce of around 200,000. Mobile penetration
stands at 112% - over 90 million people - while the region's internet boasts 30 million users, of whom around 22%
shop using E-commerce, and many think Egypt is poised to emerge as a major player in the information economy.
[Figure: 112% mobile penetration; 26% internet penetration. Sources: World Internet Stats, Egypt Ministry of Communications and Information Technology]
According to BSA’s most recent global software piracy study, Egypt’s level of pirated software stands at around 60%,
slightly higher than the average in the region, and totalling a value of $172m. The government has said it has plans
to curb piracy and intellectual property abuses which, according to the IIPA, could “generate US$254 million in GDP,
US$33 million in additional tax revenues and 1,978 new IT jobs” if the piracy rate was reduced by 10% in four years.
Cyber-Crime
While there were relatively few targeted cyber-attacks originating out of North Africa last year, Egypt isn’t crime free. Despite Damballa Labs claiming “Egypt isn’t a global player in cyber-crime,” history seems to disagree. In 2010 Egypt was named by Kaspersky Labs as one of the top sources of password-stealing Trojans, and the year before, Egyptian hackers were involved in one of the world’s largest cyber-crime criminal court cases. More recently, Websense named Egypt third for countries hosting phishing fraud in this year’s Threat Report. While it totalled 6.8% of worldwide phishing, the report noted it had experienced a large rise in the last year. Whether this is related to the recent political turmoil is hard to tell.
This year’s Microsoft Malware Protection Center figures show that last year Egypt had one of the highest malware
detection figures on the whole continent, which may be due to a high number of people using older versions of internet
browsers, which are always more vulnerable to attacks than up-to-date software.
8. Africa
Politics
Between 28th January and 2nd February 2011, Egypt was one of, if not the, first users of an internet ‘Killswitch,’ where the government essentially shut off the entire internet in the country with aims to stop protestors communicating. The move wasn’t popular, but did lead to other countries contemplating similar ideas. Interestingly one of the earliest ways this shut-off was discovered by those outside the country was through malware monitoring. In retaliation, the hacktivist group Anonymous launched ‘Operation Egypt’, bringing down four government sites with DDoS attacks, while spammers used unrest to target people looking for news on the subject.
Now that peace has returned to the country (though the internet freedoms are said to be strict), the new government can get on with addressing new cyber-crime bills. Currently there is no comprehensive cyber-space law, though there are piecemeal parts across other separate bills. An unregulated internet is a breeding ground for hackers and criminals, and something concrete needs to be put in place as soon as possible. Despite these problems, the government is moving towards better cyber security. The Ministry of Communications 2011 round up explains how the Egyptian Computer Emergency Response Team (EG-CERT) is working internationally to help combat cyber-crime, which is a good sign.
[Figure: Egypt ranking for worldwide phishing: 3rd. Egyptian computers infected by FLAME malware: 5. Estimated savings from reducing software piracy by 10%: $287million & 1978 jobs. Sources: Websense, Kaspersky Labs, IIPA]
Cyber-War
The recent Flame attacks that struck Iran and other MENA countries (including Egypt) have brought state-led cyber-
attacks and the general idea of ‘cyber-war’ to the foreground, and it seems the Egyptian government had similar plans
of their own. Around April last year, it came to light that a UK firm offered custom-made malware to Egyptian Security
Services. Consisting of a “remote intrusion solution,” the total deal was projected to cost the government just over
$350,000. Meanwhile, a new Persian-born trojan was discovered spying on Egypt’s Middle Eastern neighbours only
recently. While these state-sponsored attacks may become a common occurrence in the coming years, Egypt would
do well to rise above the regional political quagmire and avoid trying their own versions of these attacks.
Though out of government hands, Egyptian hackers have been reported as going specifically for Israeli websites. Last
year Israeli Prime Minister Benjamin Netanyahu’s own site was hacked, placing an image of Egyptian soldiers raising
the Egyptian flag in Sinai, while in April, Barack Obama’s Israeli site was hacked by the group known as ‘TeaM HacKer
Egypt’.
Egypt is at a crossroads. The fledgling government needs to be careful in getting the balance right. They need a
new set of laws and policies that help tighten security and reduce problems with hackers and phishing, but without
oppressing the people and suffering the inevitable pushback from hackers and a vocal youth unafraid of showing their
grievances.
9. Africa
Expert Opinion
Pierluigi Paganini,
Chief Security Information Officer
Bit4ld Group & Founder of SecurityAffairs.co
The African challenge is one of the most interesting adventures in the cyber security landscape; despite
adverse political and economic events, the continent is demonstrating an impressive increase in
technological demand.
According to statistics, Africa has an internet penetration level of 13% with a relative growth of 2,988.4%
in the period 2000-2011 - an unparalleled rise. With such numbers and growth, cyber security assumes a
fundamental importance. Egypt, for example, has a mobile penetration of 112%, and more than 20 million
internet users, but it’s clear that the level of exposure to cyber threats is really high, and is likely to increase.
The entire region of North Africa represents a valuable market in cyber security, an opportunity for both
African and also foreign businesses.
Looking deeper into cyber security in North Africa, it is worth noting that despite a low number of state-sponsored
attacks, the countries still suffer from cybercrime. In 2011 Operation Phish Phry was discovered,
which was conducted by Egyptian-based hackers who obtained bank account numbers and related personal
identification information from an unknown number of bank customers with a phishing campaign. Meanwhile,
according to the Websense Threat Report, Egypt is third for countries hosting phishing fraud with a total of
6.8% of worldwide phishing.
The African hacking underground is considered one of the most interesting; according to researchers of
Kaspersky Lab, Egypt is one of the primary users and designers for cyber espionage malware. Where this
is the case, the commitment of governments and mutual collaboration are important factors to successful
introduction of technology on a large scale. Good strategy will involve the creation and the strengthening of
Computer Emergency Response Teams (CERT) for the monitoring of cyberspace and of course, as usual, the
engagement of common people in the new digital experience.
The Middle East and North Africa (MENA) countries are at a delicate historic point where a suitable cyber
strategy could significantly influence their development in the mid- and long-term. Increased investment
in cyber security is an obligation, not a choice, in order to avoid disastrous consequences for everybody,
because cyber space has no borders.
10. Africa
SOUTH AFRICA : SPOTLIGHT
Despite being the largest economy on the continent, making up 30% of the total income of the continent by some
estimates, South Africa is struggling with a range of issues typically associated with emerging markets. In 2009, a
carrier pigeon proved quicker than broadband at relaying information from one side of the country to the other. And
now, despite the addition of undersea broadband cables, rural areas lack proper communications infrastructure and
connection speeds are still incredibly slow. What is more, despite relatively low numbers of internet users, South Africa
ranks higher than it probably should on cyber-crime statistics.
[Figure: Computers infected with malware per 1000: 8.1 in SA, 7.1 world average. 14% internet penetration. Sources: Microsoft Security Intelligence Report, Internet World Stats]
Decline in Viruses
While the number of viruses in the country is relatively high, the good news is that the figures are declining, albeit slowly.
The number of worms decreased in the last quarter of 2011 by 0.9%, while trojans were also down. According to
Microsoft's Malicious Software Removal Tool (MSRT) there was malware detected on 8.1 of every 1,000 computers
scanned in SA in the fourth quarter of 2011, compared to the worldwide average of 7.1 for the same period. While still
unacceptably high, it has been declining all year, thanks to improving local security tools, so progress is being made.
A report on SA security by WolfPack provides some really useful insight into how businesses approach security.
This shows 93% of companies have tools to capture and report on risks, and around 60% expected a rise in their
security budget next year. However, some worrying stats show almost a third of companies have no defined cyber-
forensics process, and over half have problems with budgets, enforcing policy and security, data leakage and lack of
commitment from management. The most common incident on the rise is online fraud, with over 20% reporting an
increase in the last 12 months, while second was device theft (also rated as decreasing the most).
[Figure: 67% of SA companies expect a rise in their security budget next year; 46% didn’t spend anything on security awareness this year; 41% won’t spend anything next year; 84% of South Africans have been a victim of cyber-crime (Value $573M); R150billion ($18.3 billion) estimated loss to insider fraud per year. Sources: Wolfpack, Norton, Supervision]
11. Africa
Pirates & Hackers
While software piracy stands at around half the levels of its BRIC counterparts, according to BSA around a third of all
South African software is pirated, well above the likes of the US (21%), but lower than most of Africa. Using pirated
software always runs the risk of introducing viruses, and needs tackling if SA wants to improve its security standards.
Reducing piracy rates can be a difficult task however, and piracy rates have remained unchanged for several years.
[Figure: Software Piracy, 2010 and 2011, for Brazil, Russia, India, China, SA and the BRICS Average. Bar labels: 78%, 77%, 65%, 63%, 64%, 63%, 54%, 59%, 58%, 53%, 35%, 35%. Source: BRICS]
Value in 2011: Brazil $2,848M; Russia $2,659M; India $2,930M; China $8,902M; SA $564M; BRICS Average $3,581M
Despite the hacking of the ANC Youth League’s website last year, hacking in general hasn’t quite reached the same
levels as other countries (there’s no ‘Anonymous SA’ for example), with an average of one or two major stories hitting
the news each year. So far, this year’s big hacking story was a cyber-bank robbery on New Year’s Day, where the
thieves managed to steal $6.7m over 72 hours. Norton’s cyber-crime figures for SA are estimated to total $573M, with
84% of people having been a victim at some point. And although the number of phishing attacks on the country is
down by 11% year on year, they still run into the millions.
Overview
Although a decrease in attacks does sound like a good thing, it may be a result of South Africa’s low number of internet
users, who make up around 14% of the population (though growing quickly). To add to this, there is a skills shortage
in the IT sector, which could be slowing down the development of the country. The World Economic Forum’s Global IT
Report said of SA: “Important shortcomings in terms of basic skills availability in large segments of the population and
the high costs of accessing the insufficiently developed ICT infrastructure result in poor rates of ICT usage,” despite
efforts from businesses to integrate IT into the workplace.
Rural areas of the country are especially at risk, after one study from ResearchSpace.csir found “a large portion of the South African population that has not had regular and sustained exposure to technology and broadband internet access [could] expose local communities to cyber threats.” According to iC3 figures, SA ranks 7th in the world for cyber-crime, and has hovered around the same position on the list for a good few years. These numbers are surprisingly high for a country with relatively few internet users.
Despite some of the problems, back in Pretoria the government is taking steps to improve security. Its new cyber-
security policy aims to create a more secure digital environment through awareness programs aimed at both the public
and businesses, better research and skills, and establishing a National Cyber-Security Centre.
Overall South Africa has less trouble with hackers and both businesses and governments are taking steps to improve
education and protection. However problems with viruses and fraud do still remain.
12. Africa
KENYA : SPOTLIGHT
Kenya is fast becoming a major player in the IT sector. East Africa's biggest economy has undergone something of
an IT revolution in recent years, with the sector outperforming other more traditional ventures such as agriculture and
manufacturing for a few years now. But lack of skills and protection is leaving computers extremely susceptible to
viruses and hacking.
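[Figure: Size of economy and estimated cost of cyber-crime each year. Sources: Daily Nation, IMF, Norton]
KENYA: size of economy $71.4b; estimated cost of cyber-crime each year $36m; crime cost as a % of economy = 0.05%
SA: size of economy $555.1b; estimated cost of cyber-crime each year $573m; crime cost as a % of economy = 0.01%
US: size of economy $15.1tr; estimated cost of cyber-crime each year $32b; crime cost as a % of economy = 0.02%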
According to World Bank data, mobile subscriptions actually outnumber adults in the country, and as with many
markets, the rise of Kenya’s Generation Y, combined with affordable smartphones, internet and social media have
all been a key influence on this rise. Of the 17 million people on the Internet, 6 million are mobile internet users,
and that number is rising steeply. Kenya seems to be going towards a wholly mobile internet set up. But perhaps
because so few people are hooked up at home (around 2% have home computers), this could be the reason Kenya
is vulnerable and open to attacks.
Open Season for Hackers
Recently, workers from the Kaspersky Lab said 20% of computers being used in Kenya are vulnerable to viruses, and the number is rising. They attributed 17% of that to the use of free software downloaded from the internet, saying ignoring updates left them vulnerable, and pointed to the government to create proper regulations on cyber-crime.
Meanwhile a research paper from the Jomo Kenyatta University of Agriculture and Technology on Kenyan SMBs found some very worrying statistics. Less than half felt they had documented information security policy, roughly the same amount thought staff were properly trained to secure their computers properly at all times, fewer than half had a business continuity plan in the event of a disaster, while almost half weren’t aware of international information security standards available for organisations to adopt. This level of negligence and ignorance is dangerous, especially when novice hackers are targeting the country for fun and succeeding every time. Proper training and business strategies are key.
13. Africa
But it’s not just ignorance and possibility; Kenya’s security problems are very real. Forensic experts are claiming cyber-crime poses the biggest challenge to organisations and the police, and already costs Kenya almost Sh3 billion ($36 million) every year. Organisations are being urged to employ Forensic Certified Public Accountants (FCPAs) to try and counter the problem.
Aside from cyber-crime, your average ‘hacktivists’ are targeting Kenya for fun and practice. Last year, an Indonesian student-hacker known as ‘direxer’, took down 103 government of Kenya web sites overnight. Part of an online Indonesian security forum known as Forum Code Security, the hacker said he took down the web sites following tutorials from the forum. That followed a year after another hacker attacked and disabled the official police site, and two university hacks, one to change exam results and another to clear student fees. Clearly this should cause concern. If government and academic institutional sites are being hacked so easily, there’s nothing to say local businesses are in any more of a secure position. Various blogs online offer some advice for basic security but there are some serious questions that need answering, not by blogs, but by the government and the private sector to really address what is a lack of adequate protection.
[Figure: Kenya. 42.8%: % of SMBs in Kenya who have not security trained their staff. 20%: % of computers in Kenya vulnerable to viruses. Source: Kaspersky, cscjournals]
Fighting Back
The business level responses so far have seen Techno Brain, an IT solutions company, starting to offer hacking
forensic courses to banks, government agencies and other corporates, while Kenya Methodist University (KeMU)
launched a string of professional courses in IT security, in an attempt to plug some of the holes these attacks have
highlighted. The government is moving in the right direction too. Last year they set up their own Computer Incident
Response Team (CIRT) to combat the problem, which aims to deal with incidents, promote security, issue warnings,
and generally try to address the issues the country has with security and bring it up to scratch with the rest of the
world.
However, the government is also making some not so great decisions. Its new Information Protection bill has been
labelled ‘flawed’ by the Kenyan chapter of the International Body for Professionals in Audit and Information Security
(ISACA), who said it was a step in the right direction but left holes open for misuse. New monitoring devices installed
by the Communication Commission of Kenya (CCK) are worryingly Big Brother, though they promise they are for
assisting in early detection and prevention of cyber-crime incidents, and have said, “It is a passive system and not
a tool for spying on users. The system cannot be used to block access to the internet at all.” This monitoring of the
public web traffic is very worrying for people.
Clearly Kenya has some serious security issues that need addressing. This isn’t to say they are the only victims, as
seen by the recent attacks on the likes of Sony and LinkedIn, but a major government site being brought down by a
lone student makes it clear security isn’t good enough by any stretch of the imagination. The lack of knowledge and
skilled workers also needs to be tackled, otherwise East Africa’s biggest economy may become a hacker’s paradise.
14. Africa
Expert Opinion
Kostya Reim,
Managing Director of Security
Risk Solutions Ltd
In a country pained by poverty, famine, refugees, war on Somalia and terrorist attacks; one would not
believe that Information Security was an everyday topic.
Indeed, priorities are a little different and have been, understandably, for the last decade as the country
progresses on its Vision 2030 implementation. Kenya as the business and financial hub of Eastern Africa
is slowly gaining back its powerhouse reputation once gained in the 70s, and is a vastly growing center
in the region. Even though the cost of living keeps at par with the ever-increasing global trends, the
spending power of Kenyans is manifested by the mushrooming shopping malls and office buildings in the
cities and suburbs. Convenience is a regular requirement during the busy and traffic-affected days and
therefore the uptake of Internet (on Mobile), Mobile Banking (M-PESA), Internet Banking, Credit Cards
and eCommerce has been massive and overwhelming.
Information Security’s biggest driver is compliance and so it has been in Kenya. The regulators have
defined very clear guidelines and issued directives that are clear and implementable. This includes
PCI DSS controls, regular penetration testing, and guidelines for security in Internet Banking, as with
the recent changes of the Prudential Guidelines issued by the Central Bank of Kenya. Many banks,
merchants and payment processors are undertaking PCI remedial projects and placing controls where
previously there have been none. Investigations into computer abuse and fraud have resulted in many more
convictions as the changes in telecoms and evidence acts have now reached the courts of law. The
media has become infosec aware and reports on issues of breaches and developments regularly and with
depth. The government has recognized the risk and made information security a key requirement in their
e-government strategic plan.
So clearly, Kenya is on its way, development and infosec wise, thanks to a great number of technology
professionals making the lives of Kenyans more convenient and technology-enabled every day,
sometimes with mishaps that put them at risk...
NIGERIA : SPOTLIGHT
Nigeria boasts a 29% internet penetration rate, the highest in Africa, yet has suffered for years with 419 scammers.
Though not as bad as it was once, the infamous Nigerian prince scams have certainly had an impact on the country’s
reputation.
[Figure: Nigerian Internet Users: 45m in 2012, 70m in 2015. Source: The Guardian Nigeria, Internetworldstats]
[Figure: $200m annual cost of cyber-crimes to the Nigerian economy. Source: IT News Africa]
Like many African countries, Nigeria suffers from an underdeveloped and unreliable fixed-line infrastructure. However,
that hasn’t stopped it topping 45 million internet users, the highest number on the continent. But with such large
numbers come many dangers. Emerging markets across the world are suffering at the hands of targeted hackers and
malware due to insecure websites and poorly-trained staff. And on the whole Nigeria is no different.
Though the country may be aiming to have 70 million internet users by 2015, Symantec has warned that the rise of
internet users in Nigeria puts the country at a greater risk from cyber-crime. Kelvin Isaac, Symantec’s Vice President
of Emerging Markets said, “Nigeria, being a fast emerging market, with huge bandwidth deposits from the various
submarine cables, risk higher foreign invasion of cyber-attacks because of the glut in capacity utilization. [That is the]
Reason why government, regulators
and operators must work in collaboration to ensure that every avenue to encourage is blocked completely in the
country and the risk mitigated.” Like many places around the world, SMBs are particularly at risk as they lack proper
security plans and trained in-house staff to counter or quickly recover from any attacks.
People Power
There are plenty of web 2.0-literate people in the country, but not necessarily using their skillset for legal purposes. Last
year a group of Nigerian hackers known as NaijaCyberHacktivists attacked government sites, including the National
Poverty Eradication Programme website and the Niger Delta Development Commission, posting a letter protesting
against the N1b ($6.6 million) cost for inauguration for President Goodluck Jonathan and the country’s Freedom
of Information Act. The author of the report pointed to the country’s rabid unemployment figures (currently hovering
around the 23% mark) and a country that is ‘rich in raw technology talent’. In a similar attack in January the Economic
and Financial Crime Commission (EFCC) was attacked in response to reports of corruption.
This pool of unemployed and angry talent has only recently started targeting its government. For years Nigeria has
been king of spam, with promises of Nigerian Princes offering millions for only a small advance fee. These 419 Scams
(a reference to the article of the Nigerian Criminal Code under which they are a crime) are so synonymous with the
country they are often called Nigerian scams. Back in 2005 Lagos was widely considered the world’s leading place for scam crimes.
Although they are still common, they have been on the decline of late (spam is at its lowest levels for years) and
Nigerian police have been more active in recent years in shutting down these kinds of operations.
Positive Action
Given that Nigeria’s IT sector is booming, programmes to equip more people for careers in the sector are coming
through, including World Bank’s ACCESS (Assessment of Core Competence for Employability in the Services Sector)
programme, which trains young people on a variety of aspects, from written English and basic numerical skills to
internet browsing, use of office software, and attention to detail. It’s not quite on the same level as Kenya’s various
forensic hacking courses, but it’s a start.
The government is trying to gain traction on developing a world class IT sector, with various ideas and policies to
improve accessibility. But a possible cyber-crime spree waiting to happen lies within the country’s move towards a
‘cashless society.’ This move to reduce the amount of cash used and increase electronic payments is a perfectly valid
one, but where money is involved there will always be criminals trying to abuse the system. And without adequate
protection, hackers could rob organisations of several millions, if not billions, of Naira.
A big stumbling block is the country’s lack of cyber security law. It is making it difficult to actually criminalise the
hacking of any websites in the country, governmental or otherwise. Dr. Emmanuel Ekuwem, chief executive of Teledom
International Group, lamented this lack of law, saying, “Do we have a cybercrime and cyber security law in place?
No! Have we designated our Critical National Information Infrastructure? No! There is no law yet that criminalises the
hacking of any websites. Pity!” A bill is in the works, and has been promised sooner rather than later, but when that
actually will be is anyone’s guess.
Nigeria is a country with a tradition in cyber-fraud with 419, but as that slowly gets put to bed it will want to avoid the
rise of hackers, especially around its E-commerce ambitions. As with many emerging markets, proper training and
security measures will help immensely. But critically, getting a proper cyber-security bill in place is needed as a tangible
deterrent to would-be criminals. Without that, Nigerian Princes needing bank account details might be the least of
people’s worries.
Conclusion
The African landscape is changing rapidly. This can be seen across expanding economies, rising populations and
major technological developments. Over the last few years this has resulted in many improvements. However, due to
the pivotal nature of technology, one serious stumbling block to true progress could well be IT security.
There are so many granular differences across 57 diverse African countries that it is hard to assess the pan-African
situation in any meaningful way. To tackle this we split the continent into four and looked at one country across each
of the corners. Through this approach some core trends did surface. These are namely, a massive IT skills shortage,
a severe lack of education on potential cyber-threats, along with significantly higher levels of viruses and malware than
other regions, such as Europe.
These concerns do seem to be gradually reaching governments, and necessary legislation is slowly being put in place,
but security overall is clearly a big problem across the continent. This report has shown that malware and cyber-crime
have taken a sharp rise in Egypt in recent years; South Africa suffers from a profound lack of security awareness;
Kenya is subject to chronic hacking and Nigeria is still world famous for its ‘Nigerian Prince’ emails. With business
booming, numerous foreign companies moving in, and IT looking set to play an ever more crucial role in the continent’s
development, it is becoming more and more vital that IT security sits firmly on the African agenda.
About IDG Connect
IDG Connect is the demand generation division of International Data Group (IDG), the world’s largest technology media
company. Established in 2005, it utilises access to 35 million business decision makers’ details to unite technology
marketers with relevant targets from any country in the world. Committed to engaging a disparate global IT audience
with truly localised messaging, IDG Connect also publishes market specific thought leadership papers on behalf of its
clients, and produces research for B2B marketers worldwide.
For more information visit: http://www.idgconnect.com/