Why African companies need to get serious about cybersecurity

Africa’s thriving economies have an undeniable link to the success of technology on the continent. However, with these advancements comes the threat of hacking, cybercrimes and malware.

Cybersecurity is a growing concern for African organizations – as technology evolves, so will the nature and prevalence of cyberthreats. Much like taxes and death, cybersecurity has become a part of our day-to-day lives and it is something that can have a negative impact on both individuals and organizations.

With companies attempting to find more effective ways to connect with their consumers, cybersecurity is posing a huge risk, and has potential to compromise customer loyalty and trust.

A threat to customer retention

A survey conducted for the Global CEO Outlook 2015 from KPMG revealed that out of over 1,200 chief executives from some of the world’s biggest companies, 86% were concerned about the loyalty of their customers.

Security breaches can weaken customer confidence and at the same time damage a brand’s reputation. For this reason, organizations are under increasing pressure to build robust security into their products.

Consumers are starting to make direct decisions on whether or not to continue using or consider using a specific product or service based on the organization’s cybersecurity resilience.

If an organization has had a recent breach or is known to have a weak cybersecurity posture, consumers are consequently less likely to either continue using the product or service, or are unlikely to opt-in at all. This is because consumers are becoming more aware of the impact of a cyber-breach and have become increasingly cautious when it comes to sharing their personal or financial information.

Traditionally, cybersecurity is not viewed as a strategic issue, and though businesses predominantly use digital as their route to the customer, they are not always engaging with cyber experts. Many organizations have not interrogated the ways in which criminals could potentially exploit their systems and do not appreciate the level of technology present in their products.

From boardroom to basement

Historically, cybersecurity has been considered an IT issue and is perceived to only affect IT-related services. More recently, organizations are realizing that to adequately tackle cybersecurity, the entire business has a role to play, from boardroom to basement.

Over and above IT, cybersecurity can touch on human factors, legal and compliance, leadership and governance, information risk management and business continuity.

When it comes to cybersecurity, I see employees as the weakest link due to phishing and social engineering attacks. Cyber criminals are less inclined to take the more difficult, technically challenging approach to compromise an organization when it could potentially be as easy as an email or phone call to an employee. Social engineering through techniques such as phishing emails is a key and common element to all major cybercrime campaigns, which is why organizations need ongoing security awareness campaigns and must train their staff, so as to help minimize the success rate of these “human-based” attacks.

The most innovative companies have identified cybersecurity as a customer experience and revenue opportunity, with it not simply seen as an IT issue but strongly encouraged across the entire organization.

With the role of the chief information officer is becoming increasingly important, its effectiveness has been questioned because many CIOs are not part of the C-suite inner circle and are not respected as business partners. This consequently leads to the entire organization conceding their security responsibility to the IT department, instead of integrating it into their behaviour and processes.

Whether it is the CIO or the chief information security officer), the importance lies not necessarily with the title within the organization, but rather the influence they have on leadership and board members. Concerns surrounding cybersecurity are more than just an IT issue and need the buy-in of the C-suite in order to effectively address existing concerns.

Battle strategies

To combat the threat of cybersecurity, it’s been suggested that organizations should share information about their own security threats with their competitors, or alternatively, create collaborative networks where they offer rewards to white-hat hackers, for example.

In my view, collaborative efforts are undoubtedly going to be the most effective way of addressing cybersecurity in the near future. The concept, however, is still in an “incubation” phase as we have not yet seen an effective, central, trusted, implementation of cybersecurity collaboration on a big scale, even if there has been some research and discussion around what this should look like and how it should be managed.

White-hat hackers, or “ethical hackers”, are only one piece of the puzzle, although they are a very important piece as they assess the organization’s posture, resilience and susceptibility to cyberattacks by performing authorized attacks against the organization. The ultimate aim of this exercise is to assess for risks and make recommendations as to how an organization can better withstand these types of attacks. Organizations must bear in mind that these types of assessments are performed at a point-in-time and are therefore subject to the same challenges. The cybersecurity landscape, threat actors and attack surfaces are constantly changing, therefore the organization would need to ensure these assessments are performed regularly.

The complex part is that organizations are not inclined to share their risks, vulnerabilities and breaches with just anyone as this is highly sensitive information. Also, who would be independently trusted enough to share this information? Even worse, what happens when the “Central Cyber Collaborative Hub” gets breached or compromised?

The proactive option would be for organizations to constantly test for weak spots within their own systems, understand the threat landscape and get to know their enemy through security intelligence. This level of preparation makes the difference between organizations that recover quickly from an incident and those that suffer a lasting impact.

Work your plan

Organizations should ensure that they have a robust plan in place to adequately detect and respond to cyberattacks. The plan needs to take into account that the entire business has a role to play, including, but not limited to, the IT team, the legal team, public relations and human resources.

Secondly, this plan needs to be reviewed, tested and adapted regularly, as the cybersecurity landscape, threat actors and attack surfaces are constantly changing.

Despite increased media coverage of high-profile breaches, many top executives on the continent still believe their organization has no valuable data and will not be targeted, without the understanding that just being connected to the internet makes any organization interesting to cyber criminals.