Building Cyber Security Strategies for Emerging Industries in Sub Saharan Africa

Presented at Black Hat USA 2020 Virtual, Aug. 6, 2020, 11 a.m. (40 minutes)

The increase in cyber attacks in sub-Saharan Africa has become an issue of major concern for the region and its people. With the increase in use of digital technology, cyber security is becoming a critical aspect of the day-to-day lives of individuals and organisations. A 2019 report by The World Economic Forum placed cybercrime as one of the three greatest threats in Africa.<br><br>Sub-Saharan Africa is well connected to the global economy with regard to commerce and finance. This means that the cyber threats affecting the regions with both local and international origins should be put into consideration with the onset of every new technology. Globally, Africa has been geographically segmented with the Middle East in the cyber security market. However, there is a big divide in the adaptation of technology and cyber security between sub-Saharan Africa and North Africa/The Middle East.<br><br>A report based on IDC's Sub-Saharan Africa CIO survey of 2019 estimates the total sub-Saharan ICT market to grow from $95.4bn in 2020 to $104.2bn by 2023. According to the same report, technologies such as cloud, social media and big data are some of the key areas of growth in 2020.<br><br>As the use of technology has become widespread across the region, Sub-Saharan Africa experiences a great many cyber attacks annually, both attacks that are seen in other parts of the world but also attacks that are specific to the region.<br><br>A study conducted by the International Data Group connect shows that sub-Saharan Africa's economy has been hard hit by cybercrime. The data shows that cybercrime costs South Africa an estimated $573m annually with Nigeria and Kenya losing $500m and $36m respectively. Seen in proportion to GDP of the countries, this represents tremendous sums lost to cybercrime. While these figures show the size of the problem in this part of the world, 96% of African organizations set an average annual budget of $5,000 for cyber security. Pan-African Cybersecurity and Business consulting firm Serianu ranked banking sectors and government as the most targeted by cyber criminals.<br><br>Cyber crime in Africa has been on a rapid increase compared to the rest of the world with an estimate of 80% of personal computers being infected with some kind of malicious software. One of the most affected industries in sub-Saharan Africa is the financial sector. Globally, Africa leads in the use of mobile money transfers with an estimated 14% citizens receiving money through mobile money transfer like Kenya's MPesa. With sub-Saharan Africa hosting some of the biggest mobile money transfer services, mobile money has over the years been a primary target for criminals. Some of the threats that have affected the mobile banking industry are social engineering and reverse engineering of mobile money apps for malicious purposes. A lot of mobile money users and providers have been immensely affected by criminal activities targeting the platform.<br><br>With cybercrime on the rise, Sub-Saharan countries lack proper legislation, such as cyber laws, to govern the cyber space thus creating a permissive environment for cyber criminals. Most countries in the region struggle to implement cyber security measures due to budgetary concerns and the small number of skilled cyber security practitioners.<br><br>Some of the common challenges faced in the cyber security industry in sub-Saharan Africa include:<br><ul><li>High cost of cyber security tools</li><li>Limited security budgets</li><li>Use of pirated versions of cyber-security solutions</li><li>Absence of adequate tools to provide accurate data</li><li>Growing cyber threat owing to 5G deployment</li><li>Over-dependence on cloud</li></ul><br>In order for sub-Saharan Africa to realize its full potential in cyber security, effective policies have to be implemented. Solutions designed must be geared toward the distinct operating environment of the sub-Saharan region. The question of cost is an inescapable facet of any technology implementation, even more so in the African context. Local currency values tend to be volatile thus depending on foreign solutions might be costly compared to the amount local companies can afford to budget for cyber security.<br><br>Encouraging local security practitioners to develop open source or affordable tools that will work for the local market. Tools such as the mth3l3m3nt for web app pentesting and MARA framework for reverse engineering which were both designed by Kenyan cyber security practitioners can strengthen the security stature of the sub-Saharan region.<br><br>As the technology grows complex and diverse by the day, so does the surface for malevolent exploitation. Sub-Saharan countries however, continue to emulate technologies, policies and strategies implemented by more developed countries. These fall short in addressing needs specific to the threat landscape in the region thus creating a need to adapt available resources and formulate comprehensive regulatory policies that would better govern the cyber security ecosystem in the region. A more sophisticated and organized cybersecurity system is required in order to curb existing and emerging threats. Our goal is to examine how sub-Saharan Africa can exploit existing skill sets and resources to create a system that works for the region.

Presenters:

• Evelyn Kilel - Security Researcher, Shehacks_KE
  Evelyn Kilel is an Information security specialist with expertise in web, mobile, network applications vulnerability assessment, penetration testing, and Security Intelligence and implementation of ISO 27001 security framework. Eve is also the founder of SheHacks_KE, a community of women in security in Kenya. Eve is keen in managing communities that give members a platform to learn.
• Laura Tich - Cyber security consultant, Shehacks_KE
  Laura Tich is an information security practitioner focusing on open source intelligence and network security. Tich is passionate about sharing knowledge with the growing community in Kenya and she helps to develop information security curriculum in different areas and facilitate trainings for different groups in Kenya. Tich began pursuing her interest in Cyber Security in 2016, as a 3rd year Computer Science at Daystar University. Since then, she has actively taken part in a number of cyber security and tech events and workshops by either organizing or presenting at the events. Some of the notable events include AkiraChix African Women in Technology Conference (AWTC), African Women In Technology Conference (AWIT), Mozilla Festival, DevFest and the first ever HackFest in Kenya which was organized by SheHacks_KE. Tich is the co-founder of SheHacks_KE, a group of over 300 women cyber security professionals and enthusiasts in Kenya. Shehacks_KE was founded in 2016 by Laura Tich and Evelyn Kilel with the aim of providing a platform for women in security in Kenya to learn and share information. SheHacks_KE facilitates monthly workshops and trainings either through webinars or bootcamps. The community's biggest event was #HackFest2019, a 2 day event which attracted over 400 security practitioners in Kenya. Tich is also an advocate for Internet Freedom and have worked on various projects around digital security for journalists and civil society organizations across Africa. Being an OSINT and OSIJ enthusiast, she has worked on Open Source Investigations with Investigative Journalists in Nairobi.

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#building-cyber-security-strategies-for-emerging-industries-in-sub-saharan-africa-20648

Similar Presentations:

• VB2017 / The state of cybersecurity in Africa: Kenya
• Black Hat USA 2019 / Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)
• Black Hat USA 2019 / Death to the IOC: What's Next in Threat Intelligence