As economies and technology thrive across Africa, IDG Connect investigates the state of cyber threats across the four corners of the continent. With spotlights on Egypt, South Africa, Kenya and Nigeria, this paper also presents local security opinions from experts on the ground.

19th October 2012

AFRICA 2013

CYBER-CRIME , HACKING AND MALWARE

Africa

Contents

4

4

7

5

8

7

3

6

8

3

9

10

10

11

11

12

12

13

14

15

15

16

17

SP

Africa

Introduction

In the first decade of this millennium, the Economist found that six of the world’s fastest growing economies were in sub-Saharan Africa. This has only continued, and today the continent is renowned for its bourgeoning middle class, mall culture and rapid adoption of mobile technology. In a recent report from HSBC that predicted the top 50 world economies of 2050, there were substantial rises expected across Africa; Egypt is due to climb 15 places to 20th position (putting it four places ahead of the Netherlands, which drops nine places); whilst Nigeria is anticipated to rise nine places to 37th. It seems Africa is finally beginning to put its stamp on the global economic map.

The African Development Bank expects most of Africa to comprise of a solid middle-class by 2030, with consumer spending power likely to hit $2.2 trillion. Not surprisingly, big businesses are starting to move in - IBM already has operations in more than 20 African countries, and this August announced plans to open its first tech research hub on the African continent, in Nairobi. News, research and economic reports all paint the same picture: Africa is on the up; change, development and opportunity are firmly on the horizon. However, like every positive story there is always a negative underbelly lurking beneath the surface.

In Africa, like everywhere else in the world, progress is indelibly linked with IT and technology. And like everywhere else, technology has its downsides: malware, threats and cyber-crime. In the Western world the difficulty lies in constantly upgrading and securing IT whilst simultaneously retiring legacy systems; many countries in Africa may provide a virtually blank slate, but do they have the knowledge to maximise this potential? To give some global context, the US has a 78% internet penetration (World Internet Stats), whilst Nigeria - which has the highest levels in Africa - stands at only 29%. South Africa - which has the largest economy on the continent - is currently at 14%. Mobility aside, with the African market so new, as IT levels improve is Africa really equipped to remain secure?

Egypt has seen a sharp rise in malware and cyber-crime in recent years.

South Africa’s relatively under-developed infrastructure makes its high rates of cybercrime all the more alarming.

Kenya’s chronic hacking problem and general lack of internet security is currently being addressed by the government.

Nigeria’s infamous for cybercrime and the notorious ‘Nigerian Prince’ emails still feature prominently.

$235.92 Billion GDP 29% Internet Penetration

Nigeria Egypt

South Africa

Kenya

$33.62 Billion GDP26% Internet Penetration

$229.53 Billion GDP 26% Internet Penetration

$408.24 Billion GDP14% Internet Penetration

3

Africa

The Security Conundrum

As the IT sector continues to grow, concerns about security will only rise. Greater accessibility means more opportunities for criminals to exploit naive users, and inexperience with technology increases the chance of encountering viruses and malware. Ill-prepared governments and businesses can also suffer at the hands of hackers taking advantage of the inadequate protection put in place. Each area of Africa is unique, however, there are some notable trends; skills shortages and lack of education on potential cyber threats seems to be a recurring theme, and levels of viruses and malware are significantly higher to other regions, such as Europe.

The aim of this report from IDG Connect is to investigate how Africa as a continent is coping with IT security. This is no simple task; it is a very diverse region, with approximately 30 million square kilometres of land mass, 57 countries and (by estimates) as many as 3000 languages. So, in order to make this as digestible as possible we decided to focus on four pivotal countries, which tie together the four corners of Africa: Egypt, South Africa, Kenya and Nigeria. Throughout this report we attempt to collate the wealth of information available in order to provide a cohesive snapshot of security across the continent.

Malware and Piracy

According to Microsoft’s Security Intelligence Report for the second half of 2011, malware infections in Africa are higher than the worldwide average. The infection rate in Egypt which has been on the increase over the past two years, is now the highest in Africa and among the top five worldwide. Worms were also a common problem, and phishing sites were much higher than the worldwide average in Algeria and Tunisia in 2011.

Africa traditionally has a high rate of software piracy. According to BSA’s 2011 study, the average in the region is around 73%, and there has been little change in recent years. In fact, parts of Northern Africa have seen a slight rise between 2010-2011, possibly due to the Arab Spring uprisings. Aside from the financial loss (approx. $1,785M), this high level of unauthorised software is likely to add to the region’s virus and malware woes.

Malware infection rates by country (per thousand computers) - 2011[Source Microsoft Security Intelligence Report]

Egy

ptSA

Ken

ya

Nig

eria

Mor

occo

Alg

eria

Can

ada

Aus

tral

ia

US

Fran

ce

0-5

5-10

10-15

15-20

20+

4

Africa

Regulation

In order to address security, governments are now looking to introduce wider-reaching cyber-security laws. Many African countries currently have no laws, or have piecemeal legislation in other bills. To remedy this, much of the continent is looking to pass regional cyber bills that allow countries to work together in preventing crimes.

All 15 countries in the Southern African Development Community (SADC) have, or are in the process of passing, a cyber-bill. The East African Community (EAC) is on track to have a common cyber-crime bill for the region, while the Economic Community of West African States (ECOWAS) has yet to adopt such a policy. As well as legislation, nine countries also have their own Computer Emergency Response Teams (CERT).

SADC countries that have crafted cyber-crime legislation to curb computer-related crimes

SADC countries that are crafting cyber-crime legislation to curb computer-related crime

Will be involved with East African Community (EAC) joint cyber-crime laws

Have a Computer Emergency Response Team (CERT)

5

Africa

African Union must act to reduce cyber-crime

Expert Opinion

Contador Harrison,Software Director,Somocon Oy, Finland 

The current situation in Africa cannot be allowed to continue because internet crime, intellectual property, and identity theft are thriving, and a good number of continent heavyweights have now begun to prepare for cyber-warfare, yet close to half of their population are living on under a dollar per day. Criminal organizations are making hundreds of millions of dollars and appear to be re-investing to develop new and more sophisticated scams in the continent. African governments must act to reduce cyber-crime and to secure the key systems and infrastructure in the continent.

African governments must not launch their e-government systems until security can be guaranteed. If necessary, they should only be utilized on a separate network through a secure network for key national systems and infrastructure. One of the most important services on the Internet today is still one of the most insecure, and that’s email. The fastest way for a criminal organization to breach security is through the use of email. It is fundamental that the use of SSL certificates for SMTP server to SMTP server communications and the use of SSL certificates for SMTP server to client communications be implemented first.

I do also feel that most countries need new legislations that will set out a path towards Africa having two separate networks. One would remain the public Internet and the other would be a secure network for key national systems and infrastructure. Also, I feel it is important to make it clear how authorities disconnect parts of the network and to disconnect countries from the African countries network should be detailed. Protocols need to be put in place for these actions to occur and it must be decided who will carry out the actions. Legislation should set out a timeline and framework whereby equipment and systems suppliers will be required to improve their products with safety and security in mind because this has been a thorn to some governments in East and Southern Africa.

Certain well-known security flaws in the way computers are made and sold must be identified in the legislation and made illegal, especially in East and Southern Africa countries where rogue suppliers thrive by selling substandard and refurbished computers which are sold at the same price as new ones. One of the many cases I have witnessed in African countries I have visited - Operating Systems are sold without adequate integrated anti-virus and anti-malware capability. I have always argued in the past that all computers connected to the Internet should be registered and the computer operating system should report the computers’ state, including the health of the anti-virus and anti-malware checks.

If you look at the automobile industry in the continent, which is also growing at a very fast rate, registration is mandatory for any vehicle utilizing public roads in any country within the African Union member states. In 12 African countries I have visited, car roadworthy checks are carried out randomly and whenever a vehicle is sold, valuers have to value it afresh before a new buyer acquires it. African Union, Africa’s governing body should take the lead by working with its member states to identify and try to solve some of the issues with the internet. But the pace of this continental effort is glacial and more needs to be done to reduce cyber-crime in Africa.

6

Africa

EGYPT : SP TLIGHTIt’s hard to talk about IT security in Egypt without going into politics. The uprising and recent elections have had a big impact on almost every aspect of life in Egypt, and the world of IT is no different. As one of the continent’s biggest economies, and just coming out the other side of civil unrest, the new government has a lot of work ahead of it. While cyber-security seems to have improved in recent years, since last year’s uprisings, things appear to have deteriorated.

Unlike many parts of Africa, Egypt has a relatively well-developed IT landscape. It has infrastructure, 3G in the cities, a competitive and affordable telecomms sector, and a well-trained IT workforce of around 200,000. Mobile penetration stands at 112% - over 90 million people - while the region's internet boasts 30 million users, of whom around 22% shop using E-commerce, and many think Egypt is poised to emerge as a major player in the information economy.

112%mobile penetration26%

internet penetration

According to BSA’s most recent global software piracy study, Egypt’s levels of pirated software stands at around 60%, slightly higher than the average in the region, and totalling a value of $172m. The government has said it has plans to curb piracy and intellectual property abuses which, according to the IIPA, could “generate US$254 million in GDP, US$33 million in additional tax revenues and 1,978 new IT jobs” if the piracy rate was reduced by 10% in four years.

Cyber-Crime

While there were relatively few targeted cyber-attacks originating out of North Africa last year, Egypt isn’t crime free. Despite Damballa Labs claiming “Egypt isn’t a global player in cyber-crime,” history seems to disagree. In 2010 Egypt was named by Kaspersky Labs as one of the top sources of password-stealing Trojans, and the year before, Egyptian hackers were involved in one of the world’s largest cyber-crime criminal court cases. More recently, Websense named Egypt third for countries hosting phishing fraud in this year’s Threat Report. While it totalled 6.8% of worldwide phishing, the report noted it had experienced a large rise in the last year. Whether this is related to the recent political turmoil is hard to tell.

This year’s Microsoft Malware Protection Center figures shows that last year Egypt had one of the highest malware detection figures on the whole continent, which may be due to a high number of people using older versions of internet browsers, which are always more vulnerable to attacks than up-to-date software.

In 2010 Egypt was named by Kaspersky Labs as one of the top sources of password-stealing trojans, and the year before, Egyptian hackers were involved in one of the world’s largest cyber-crime criminal court cases.

[Sources: World Internet Stats, Egypt Ministry of Communications and Information Technology]

7

Africa

Politics

Between 28th January and 2nd February 2011, Egypt was one of, if not the, first users of an internet ‘Killswitch,’ where the government essentially shut off the entire internet in the country with aims to stop protestors communicating. The move wasn’t popular, but did lead to other countries contemplating similar ideas. Interestingly one of the earliest ways this shut-off was discovered by those outside the country was through malware monitoring. In retaliation, the hacktivist group Anonymous launched ‘Operation Egypt’, bringing down four government sites with DDoS attacks, while spammers used unrest to target people looking for news on the subject.

Now that peace has returned to the country (though the internet freedoms are said to be strict), the new government can get on with addressing new cyber-crime bills. Currently there is no comprehensive cyber-space law, though there are piecemeal parts across other separate bills. An unregulated internet is a breeding ground for hackers and criminals, and something concrete needs to be put in place as soon as possible. Despite these problems, the government is moving towards better cyber security. The Ministry of Communications 2011 round up explains how the Egyptian Computer Emergency Response Team (EG-CERT) is working internationally to help combat cyber-crime, which is a good sign.

Cyber-War

The recent Flame attacks that struck Iran and other MENA countries (including Egypt) have brought state-led cyber-attacks and the general idea of ‘cyber-war’ to the foreground, and it seems the Egyptian government had similar plans of their own. Around April last year, it came to light that a UK firm offered custom-made malware to Egyptian Security Services. Consisting of a “remote intrusion solution,” the total deal was projected to cost the government just over $350,000. Meanwhile, a new Persian-born trojan was discovered spying on Egypt’s Middle Eastern neighbours only recently. While these state-sponsored attacks may become a common occurrence in the coming years, Egypt would do well to rise above the regional political quagmire and avoid trying their own versions of these attacks.

Though out of government hands, Egyptian hackers have been reported as going specifically for Israeli websites. Last year Israeli Prime Minister Benjamin Netanyahu’s own site was hacked, placing an image of Egyptian soldiers raising the Egyptian flag in Sinai, while in April, Barack Obama’s Israeli site was hacked by the group known as ‘TeaM HacKer Egypt’.

Egypt is at a crossroads. The fledgling government needs to be careful in getting the balance right. They need a new set of laws and policies that help tighten security and reduce problems with hackers and phishing, but without oppressing the people and suffering the inevitable pushback from hackers and a vocal youth unafraid of showing their grievances.

Egyptian computers infected by FLAME malware:

Egypt ranking for worldwide phishing:

Estimated savings from reducing software piracy by 10%:

$287million & 1978 jobs[Sources: Websense, Kaspersky Labs, IIPA]

5

3rd

8

Africa

Expert Opinion

Pierluigi Paganini,Chief Security Information OfficerBit4ld Group & Founder of SecurityAffairs.co

 

The African challenge is one of the most interesting adventures in the cyber security landscape; despite adverse political and economic events, the continent is demonstrating an impressive increase in technological demand.

According to statistics, Africa has an internet penetration level of 13% with a relative growth of 2,988.4 % in the period 2000-2011 - an unparalleled rise. With such numbers and growth, cyber security assumes a fundamental importance. Egypt, for example, has a mobile penetration of 112%, and more than 20 million internet users, but it’s clear that the level of exposure to cyber threats is really high, and is likely to increase. The entire region of North Africa represents a valuable market in cyber security, an opportunity for both African and also foreign businesses.

Looking deeper into cyber security in North Africa, it is worth noting that despite a low number of state-sponsored attacks, the countries still suffers from cybercrime. In 2011 was discovered Operation Phish Phry, which was conducted by Egyptian-based hackers who obtained bank account numbers and related personal identification information from an unknown number of bank customers with a phishing campaign. Meanwhile, according to the Websense Threat Report, Egypt is third for countries hosting phishing fraud with a total of 6.8% of worldwide phishing.

The African hacking underground is considered one of the most interesting; according to researchers of Kaspersky Lab, Egypt is one of the primary users and designers for cyber espionage malware. Where this is the case, the commitment of governments and mutual collaboration are important factors to successful introduction of technology on a large scale. Good strategy will involve the creation and the strengthening of Computer Emergency Response Teams (CERT) for the monitoring of cyberspace and of course, as usual, the engagement of common people in the new digital experience.

The Middle East and North Africa (MENA) countries are at a delicate historic point where a suitable cyber strategy could significantly influence their development in the mid- and long-term. Increased investment in cyber security is an obligation, not a choice, in order to avoid disastrous consequences for everybody, because cyber space has no borders.

9

Africa

SOUTH AFRICA : SP TLIGHTDespite being the largest economy on the continent, making up 30% of the total income of the continent by some estimates, South Africa is struggling with a range of issues typically associated with emerging markets. In 2009, a carrier pigeon proved quicker than broadband at relaying information from one side of the country to the other. And now, despite the addition of undersea broadband cables, rural areas lack proper communications infrastructure and connection speeds are still incredibly slow. What is more, despite relatively low numbers of internet users, South Africa ranks higher than it probably should on cyber-crime statistics.

14%internet penetration

Decline in Viruses

While the number of viruses in the country is relatively high, the good news is that the figures are declining, albeit slowly. The number of worms decreased in the last quarter of 2011 by 0.9%, while trojans were also down. According to Microsoft's Malicious Software Removal Tool (MSRT) there was malware detected on 8.1 of every 1,000 computers scanned in SA in the fourth quarter of 2011, compared to the worldwide average of 7.1 for the same period. While still unacceptably high, it has been declining all year, thanks to improving local security tools, so progress is being made.

A report on SA security by WolfPack provides some really useful insight into how businesses approach security. This shows 93% of companies have tools to capture and report on risks, and around 60% expected a rise in their security budget next year. However, some worrying stats show almost a third of companies have no defined cyber-forensics process, and over half have problems with budgets, enforcing policy and security, data leakage and lack of commitment from management. The most common incident on the rise is online fraud, with over 20% reporting an increase in the last 12 months, while second was device theft (also rated as decreasing the most).

67% 46% 84%41%

of SA companies expect a rise in their security budget next year

didn’t spend anything on security awareness this year

won’t spend anything next year

of South Africans have been a victim of cyber-crime (Value $573M)

R150billion

8.17.1

Computers infected with Malware in SA

World average

Computers infected with malware per 1000 [sources: Microsoft Security Intelligence Report, Internet World Stats]

Estimated loss to insider fraud per year

[Sources: Wolfpack, Norton, Supervision]

($18.3 billion)

10

Africa

Pirates & HackersWhile software piracy stands at around half the levels of its BRIC counterparts, according to BSA around a third of all South African software is pirated, well above the likes of the US (21%), but lower than most of Africa. Using pirated software always runs the risk of introducing viruses, and needs tackling if SA wants to improve its security standards. Reducing piracy rates can be a difficult task however, and piracy rates have remained unchanged for several years.

54%

2010 2011Software Piracy [Source: BRICS]53

% 65%

63%

64%

63%

77%

35%

78%

35%

59%

58%

$2,659M

Brazil Russia India China SA BRICS Average

Value in 2011: $2,848M $2,930M $8,902M $564M $3,581M

Country:

Despite the hacking of the ANC Youth League’s website last year, hacking in general hasn’t quite reached the same levels as other countries (there’s no ‘Anonymous SA’ for example), with an average of one or two major stories hitting the news each year. So far, this year’s big hacking story was a cyber-bank robbery on New Year’s Day, where the thieves managed to steal $6.7m over 72 hours. Norton’s cyber-crime figures for SA are estimated to total $573M, with 84% of people having been a victim at some point. And although the number of phishing attacks on the country are down by 11% year on year, they still run into the millions.

Overview

Although a decrease in attacks does sound like a good thing, it may be a result of South Africa’s low number of internet users, who make up around 14% of the population (though growing quickly). To add to this, there is a skills shortage in the IT sector, which could be slowing down the development of the country. The World Economic Forum’s Global IT Report said of SA: “Important shortcomings in terms of basic skills availability in large segments of the population and the high costs of accessing the insufficiently developed ICT infrastructure result in poor rates of ICT usage,” despite efforts from businesses to integrate IT into the workplace.

Rural areas of the country are especially at risk, after one study from ResearchSpace.csir found “a large portion of the South African population that has not had regular and sustained exposure to technology and broadband internet access [could] expose local communities to cyber threats.” According to iC3 figures, SA ranks 7th in the world for cyber-crime, and has hovered around the same position on the list for a good few years. These numbers are surprisingly high for a country with relatively few internet users.

Despite some of the problems, back in Pretoria the government is taking steps to improve security. Its new cyber-security policy aims to create a more secure digital environment through awareness programs aimed at both the public and businesses, better research and skills, and establishing a National Cyber-Security Centre.

Overall South Africa has less trouble with hackers and both businesses and governments are taking steps to improve education and protection. However problems with viruses and fraud do still remain.

According to iC3 figures, SA ranks 7th in the world for cyber-crime, surprisingly high for a country with relatively few internet users.

11

Africa

KENYA : SP TLIGHTKenya is fast becoming a major player in the IT sector. East Africa's biggest economy has undergone something of an IT revolution in recent years, with the sector outperforming other more traditional ventures such as agriculture and manufacturing for a few years now. But lack of skills and protection is leaving computers extremely susceptible to viruses and hacking.

According to World Bank data, mobile subscriptions actually outnumber adults in the country, and as with many markets, the rise of Kenya’s Generation Y, combined with affordable smartphones, internet and social media have all been a key influence on this rise. Of the 17 million people on the Internet, 6 million are mobile internet users, and that number is rising steeply. Kenya seems to be going towards a wholly mobile internet set up. But perhaps because so few people are hooked up at home (around 2% have home computers), this could be the reason Kenya is vulnerable and open to attacks.

Open Season for Hackers

Recently, workers from the Kaspersky Lab said 20% of computers being used in Kenya are vulnerable to viruses, and the number is rising. They attributed 17% of that to the use of free software downloaded from the internet, saying ignoring updates left them vulnerable, and pointed to the government to create proper regulations on cyber-crime.

Meanwhile a research paper from the Jomo Kenyatta University of Agriculture and Technology on Kenyan SMBs found some very worrying statistics. Less than half felt they had documented information security policy, roughly the same amount thought staff were properly trained to secure their computers properly at all times, fewer than half had a business continuity plan in the event of a disaster, while almost half weren’t aware of international information security standards available for organisations to adopt. This level of negligence and ignorance is dangerous, especially when novice hackers are targeting the country for fun and succeeding every time. Proper training and business strategies are key.

Less than half of SMBs think staff are properly trained to secure their computers properly at all times.

KENYA SA

US

$36m

$71.4b $555.1b

$573m

$15.1tr

$32b

Crime cost as a % of economy = 0.05% Crime cost as a % of economy = 0.01%

Crime cost as a % of economy = 0.02%

Estimated cost of cyber-crime each year

Size of economy

[Sources: Daily Nation, IMF, Norton]

12

Africa

Aside from cyber-crime, your average ‘hacktivists’ are targeting Kenya for fun and practice. Last year, an Indonesian student-hacker known as ‘direxer’, took down 103 government of Kenya web sites overnight. Part of an online Indonesian security forum known as Forum Code

Security, the hacker said he took down the web sites following tutorials from the forum. That followed a year after another hacker attacked and disabled the official police site, and two university hacks, one to change exam results and another to clear student fees. Clearly this should cause concern. If government and academic institutional sites are being hacked so easily, there’s nothing to say local businesses are in

any more of a secure position. Various blogs online offer some advice for basic security but there are some serious questions that need answering, not by blogs, but by the government and the private sector to really address what is a lack of adequate protection.

Kenya

20%42.8%

% of computers in Kenya vunerable to viruses

% of SMBs in Kenya who have not security trained their staff

Fighting Back

The business level responses so far have seen Techno Brain, an IT solutions company, starting to offer hacking forensic courses to banks, government agencies and other corporates, while Kenya Methodist University (KeMU)launched a string of professional courses in IT security, in an attempt to plug some of the holes these attacks have highlighted. The government is moving in the right direction too. Last year they set up their own Computer Incident Response Team (CIRT) to combat the problem, which aims to deal with incidents, promote security, issue warnings, and generally try to address the issues the country has with security and bring it up to scratch with the rest of the world.

However, the government is also making some not so great decisions. Its new Information Protection bill has been labelled ‘flawed’ by the Kenyan chapter of the International Body for Professionals in Audit and Information Security (ISACA), who said it was a step in the right direction but left holes open for misuse. New monitoring devices installed by the Communication Commission of Kenya (CCK) are worryingly Big Brother, though they promise they are for assisting in early detection and prevention of cyber-crime incidents, and have said, “It is a passive system and not a tool for spying on users. The system cannot be used to block access to the internet at all.” This monitoring of the public web traffic is very worrying for people.

Clearly Kenya has some serious security issues that need addressing. This isn’t to say they are the only victims, as seen by the recent attacks on the likes of Sony and LinkedIn, but a major government site being brought down by a lone student makes it clear security isn’t good enough by any stretch of the imagination. The lack of knowledge and skilled workers also need to be tackled, otherwise East Africa’s biggest economy may become a hacker’s paradise.

Average ‘hacktivists’ are targeting Kenya for fun and practice. One hacker took down 103 government of Kenya web sites overnight by following tutorials from an online forum.

[Source: Kaspersky, cscjournals]

But it’s not just ignorance and possibility; Kenya’s security problems are very real. Forensic experts are claiming cyber-crime poses the biggest challenge to organisations and the police, and already costs Kenya almost Sh3 billion ($36 million) every year. Organisations are being urged to employ Forensic Certified Public Accountants (FCPAs) to try and counter the problem.

13

Africa

Expert Opinion

Kostya Reim,Managing Director of Security Risk Solutions Ltd

In a country pained by poverty, famine, refugees, war on Somalia and terrorist attacks; one would not believe that Information Security was an everyday topic.

Indeed, priorities are a little different and have been, understandably, for the last decade as the country progresses on its Vision 2030 implementation. Kenya as the business and financial hub of Eastern Africa is slowly gaining back its powerhouse reputation once gained in the 70s, and is a vastly growing center in the region. Even though the cost of living keeps at par with the ever-increasing global trends, the spending power of Kenyans is manifested by the mushrooming shopping malls and office buildings in the cities and suburbs. Convenience is a regular requirement during the busy and traffic-affected days and therefore the uptake of Internet (on Mobile), Mobile Banking (M-PESA), Internet Banking, Credit Cards and eCommerce has been massive and overwhelming.

Information Security’s biggest driver is compliance and so it has been in Kenya. The regulators have defined very clear guidelines and issued directives that are clear and implementable. This includes PCI DSS controls, regular penetration testing, and guidelines for security in Internet Banking, as with the recent changes of the Prudential Guidelines issued by the Central Bank of Kenya. Many banks, merchants and payment processors are undertaking PCI remedial projects and placing controls where previously have been none. Investigations into computer abuse and fraud have resulted in many more convictions as the changes in telecoms and evidence acts have now reached the courts of law. The media has become infosec aware and report on issues of breaches and developments regularly and with depth. The government has recognized the risk and made information security a key requirement in their e-government strategic plan.

So clearly, Kenya is on its way, development and infosec wise, thanks to a great number of technology professionals making the lives of Kenyans more convenient and technology-enabled every day, sometimes with mishaps that put them at risk...

14

Africa

NIGERIA : SP TLIGHTNigeria boasts a 29% internet penetration rate, the highest in Africa, yet has suffered for years with 419 scammers. Though not as bad as it was once, the infamous Nigerian prince scams have certainly had an impact on the country’s reputation.

Nigerian Internet Users, [source: The Guardian Nigeria, Internetworldstats]

$200mannual cost of cyber-crimes to the Nigerian economy

[source: IT News Africa]

2012

2015

0m 50m 100m

“Nigeria, being a fast emerging market... risks higher foreign invasion of cyber-attacks because of the glut in capacity utilisation.”

Like many African countries, Nigeria suffers from an underdeveloped and unreliable fixed-line infrastructure. However, that hasn’t stopped it topping 45 million internet users, the highest number on the continent. But with such large numbers come many dangers. Emerging markets across the world are suffering at the hands of targeted hackers and malware due to insecure websites and poorly-trained staff. And on the whole Nigeria is no different.

Though the country may be aiming to have 70 million internet users by 2015, Symantec has warned that the rise of internet users in Nigeria puts the country at a greater risk from cyber-crime. Kelvin Isaac, Symantec’s Vice President of Emerging Markets said, “Nigeria, being a fast emerging market, with huge bandwidth deposits from the various submarine cables, risk higher foreign invasion of cyber-attacks because of the glut in capacity utilization. [That is the] Reason why government, regulators and operators must work in collaboration to ensure that every avenue to encourage is blocked completely in the country and the risk mitigated.” Like many places around the world, SMBs are particularly at risk as they lack proper security plans and trained in-house staff to counter or quickly recover from any attacks.

People Power

There are plenty of web 2.0-literate people in the country, but not necessarily using their skillset for legal purposes. Last year a group of Nigerian hackers known as NaijaCyberHacktivists attacked government sites, including the National Poverty Eradication Programme website and the Niger Delta Development Commission, posting a letter protesting against the N1b ($6.6 million) cost for inauguration for President Goodluck Jonathan and the country’s Freedom of Information Act. The author of the report pointed to the county’s rabid unemployment figures (currently hovering around the 23% mark) and a country that is ‘rich in raw technology talent’. In a similar attack in January the Economic and Financial Crime Commission (EFCC) was attacked in response to reports of corruption.

45m

70m

15

Africa

This pool of unemployed and angry talent has only recently started targeting its government. For years Nigeria has been king of spam, with promises of Nigerian Princes offering millions for only a small advance fee. These 419 Scams (in reference to the article it’s a crime under in the Nigerian Criminal Code) are so synonymous with the country they are often called Nigerian scams. Back in 2005 Lagos was widely considered the world’s leading place for scam crimes. Although they are still common, they have been on the decline of late (spam is at its lowest levels for years) and Nigerian police have been more active in recent years in shutting down these kinds of operations.

Positive Action

Given that Nigeria’s IT sector is booming, programmes to equip more people for careers in the sector are coming through, including World Bank’s ACCESS (Assessment of Core Competence for Employability in the Services Sector) programme, which trains young people on a variety of aspects, from written English and basic numerical skills to internet browsing, use of office software, and attention to detail. It’s not quite on the same level as Kenya’s various forensic hacking courses, but it’s a start.

The government is trying to gain traction on developing a world class IT sector, with various ideas and policies to improve accessibility. But a possible cyber-crime spree waiting to happen lies within the country’s move towards a ‘cashless society.’ This move to reduce the amount of cash used and increase electronic payments is a perfectly valid one, but where money is involved there will always be criminals trying to abuse the system. And without adequate protection, hackers could rob organisations of several millions, if not billions, of Naira.

A big stumbling block is the country’s lack of cyber security law. It is making it difficult to actually criminalise the hacking of any websites in the country, governmental or otherwise. Dr. Emmanuel Ekuwem, chief executive of Teledom International Group, lamented this lack of law, saying, “Do we have a cybercrime and cyber security law in place? No! Have we designated our Critical National Information Infrastructure? No! There is no law yet that criminalises the hacking any websites. Pity!” A bill is in the works, and has been promised sooner rather than later, but when that actually will be is anyone’s guess.

Nigeria is a country with a tradition in cyber-fraud with 419, but as that slowly gets put to bed it will want to avoid the rise of hackers, especially around its E-commerce ambitions. As with many emerging markets, proper training and security measures will help immensely. But critically, getting a proper cyber-security bill in place is needed as a tangible deterrent to would-be criminals. Without that, Nigerian Princes needing bank account details might be the least of people’s worries.

16

Africa

Conclusion

The African landscape is changing rapidly. This can be seen across expanding economies, rising populations and major technological developments. Over the last few years this has resulted in many improvements. However, due to the pivotal nature of technology, one serious stumbling block to true progress could well be IT security.

There are so many granular differences across 57 diverse African countries that it is hard to assess the pan-African situation in any meaningful way. To tackle this we split the continent into four and looked at one country across each of the corners. Through this approach some core trends did surface. These are namely, a massive IT skills shortage, a severe lack of education on potential cyber-threats, along with significantly higher levels of viruses and malware than other regions, such as Europe.

These concerns do seem to be gradually reaching governments, and necessary legislation is slowly being put in place, but security overall is clearly a big problem across the continent. This report has shown that malware and cyber-crime have taken a sharp rise in Egypt in recent years; South Africa suffers from a profound lack of security awareness; Kenya is subject to chronic hacking and Nigeria is still world famous for its ‘Nigerian Prince’ emails. With business booming; numerous foreign companies moving in, and IT looking set to play an ever more crucial role in the continent’s development, it is becoming more and more vital that IT security sits firmly on the African agenda.

About IDG Connect

IDG Connect is the demand generation division of International Data Group (IDG), the world’s largest technology media company. Established in 2005, it utilises access to 35 million business decision makers’ details to unite technology marketers with relevant targets from any country in the world. Committed to engaging a disparate global IT audience with truly localised messaging, IDG Connect also publishes market specific thought leadership papers on behalf of its clients, and produces research for B2B marketers worldwide. For more information visit: http://www.idgconnect.com/

17