For years, security experts warned Africa’s slumbering companies of cyberattacks. On May 12, many woke up. On this day cyberattacks struck 150 countries, infecting more than 200,000 computers and holding multi-billion-dollar businesses, like France’s Renault, Britain’s National Health Service, Spain’s Telefónica, the United States’ FedEx and Germany’s Deutsche Bahn, to ransom.
Behind it is WannaCry. This malicious software (malware) encrypts your computer files until a ransom of $300 is paid in the virtual currency, bitcoins. In simple words, it spreads like worms in a bag of rotten apples.
Experts say the reason why this malware squirmed easily into so many companies is that they see cybersecurity as a joke. Many hadn’t updated their security in over two months.
This made it easy for hackers to exploit Microsoft Windows XP operating systems by bypassing security checks. Once into the core, the malware can search for other files to exploit.
“Africa, in fact the whole world, is woefully unprepared. Traditional security measures aren’t keeping up with the emerging threats. And it’s becoming increasingly difficult, economically, to keep throwing money at the problem, when [top level management] doesn’t necessarily understand the difference between defending against attackers versus defending against auditors, all the while, tightening the purse strings and treating security as a grudge purchase or necessary evil,” says Tim Morty, Cyber Security Specialist at Information Security Architects (ISA).
When your computer is under attack, Morty is the kind of guy you want at you back. For 10 years he has battled cyberattacks on the frontline in Africa, from Botswana and Namibia to Mauritius, Tanzania, Uganda and South Africa.
“Until not too long ago, the prevalent opinion was that only the big corporate and financial institutions had a need to protect their data against corporate espionage, which many considered the main external threat over and above the usual defences against spam and malware. That has changed in recent times. Cybercriminals have not only expanded their reach, they have also found a ready market in our personal data,” says Morty.
Often it can be your employees and their cell phones that make you vulnerable.
“Careless posting on social media is a major concern, as is the use of corporate resources on non-corporate networks. Let’s face it, we all love free WiFi! However, do you really know who is behind the connection, and what are they doing with the information that you are transmitting or receiving?”
One reason why Africa is so vulnerable is many of its people are still learning how the internet works.
“We need to begin learning how to survive in the virtual worlds we have created. Cybercriminals have rapidly adapted to the virtual world and are using the advantages they have developed to thrive, while others are still taking their first tentative steps in this new frontier.”
It was not long ago that businesses, according to KPMG’s 2016 Global CEO Outlook study, considered cybersecurity as an afterthought. The study found cybersecurity has become a major concern for many CEOs. One in five business leaders now list information security as the risk they are most concerned about, while a third sees cybersecurity as the issue with the biggest impact on their company.
The study is made from the views of nearly 1,300 CEOs from companies across 11 industries in 10 countries. Cyberattacks loom larger in Africa when many businesses are on the cusp of the Fourth Industrial Revolution, the age of machine learning, cognitive computing and artificial intelligence, play over the internet.
“Cyberattack is like cancer, there is not one form of cancer and cybersecurity has a lot of different areas. It’s one thing for somebody to steal your Mastercard and cause you aggravation, but stealing a vaccine for something like a virus, could be worth billions,” says J. Patrick Michaels Jr, the founder at Communications Equity Associates (CEA).
Michaels founded CEA in 1973 as a US Cable TV brokerage firm. Nearly half a century later, it has investments of $1.3 billion in private equity wealth across 60 countries.
Known as a globetrotting investment banker, Michaels learned of cybersecurity in his days as Vice Chairman of the Board of Visitors of the U.S. Naval Academy. Michaels believes small businesses in Africa are prime targets for cyber blackmail.
“Hackers are starting to target the smaller companies to freeze up their businesses. A lion isn’t going to attack an elephant, when maybe a water buffalo or springbok is easier prey,” says Michaels.
“If you hijack the IT systems for a corporation, the impact on that company’s shares would be crippling. We could be sitting in Prague, sending a message to this company that to unfreeze their systems, the payment of $100 million to various bank accounts around the world would be appropriate. $100 million would be nothing compared to how much they would lose on the JSE stock markets if they were shut down for just 10 minutes.”
On the ground in Africa, Morty warns cyberattacks are on the rise because businesses can’t foot the bill.
“South Africa is, on average, ahead of the curve, in terms of Africa, although we’ve still got a lot of room for improvement… Economically, it is sometimes prohibitively expensive to keep up with the latest and greatest technologies. For those that can afford it, the next challenge is staff upskilling and, often, retention, in a market where skilled individuals are always sought after,” says Morty.
“There have been a few occasions when we have documented some major security concerns while working with a client; from open wireless access points and often basic networking flaws at one financial institution to simple lack of visibility and understanding of the client’s environment, with the security role being taken care of by networking staff with minimal training or understanding of the technologies in use.”
External threats are only part of the problem. Disgruntled employees or moles find it easy to expose weaknesses from within.
“The typical image, often conjured by media, of hooded figures hunched ominously over a laptop keyboard, is quite misleading. Threats from within are a reality; sometimes with intent, sometimes through neglect, often by accident, especially due to poor user education about a topic that isn’t always user friendly,” says Morty.
“Rapid adoption of social media has contributed to security woes, as its users willingly provide attackers with a wealth of information to use against both organizations and individuals alike, making reconnaissance, planning and execution of social engineering attacks that much easier.”
According to the 2017 Harvey Nash/KPMG CIO Survey, the world’s largest survey of IT leadership, cybersecurity vulnerability is at an all-time high, with a third of IT leaders (32%) reporting their organization had been subject to a major cyberattack in the past 24 months – a 45% increase on 2013.
Only one in five say they are very well prepared to respond to these attacks, down from 29% in 2014. Despite very visible headline-grabbing attacks, such as the recent WannaCry ransomware attack, the biggest jump in threats comes from insider attacks, increasing from 40% to 47% over the last year.
So should we be spending millions on encrypting our phones and protecting computers from hackers?
“Oddly enough, I’m inclined to say no. Throwing money at the problem will only help up to a point. What we need to do is change the way we work. Educate our users about what it means to be part of the connected world; illustrate what the risks are as well as what can be done to protect themselves, and teach good security practices rather than dictate an intimidating list of do’s and don’ts,” says Morty.
It will take a while yet for online security to become second nature. Until then Africa’s blind spot could be expensive.
Relentless rise of organizations being subject to major cyberattacks during past four years: