Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Africa 2013: Cyber-Crime, Hacking & Malware


Published on

As economies and technology thrive across Africa, IDG Connect investigates the state of cyber threats across the four corners of the continent. With spotlights on Egypt, South Africa, Kenya and Nigeria, this paper also presents local security opinions from experts on the ground.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Africa 2013: Cyber-Crime, Hacking & Malware

  1. 1. CYBER-CRIME , HACKING AND MALWARE 2013 AFRICAAs economies and technology thrive across Africa, IDG Connect investigates thestate of cyber threats across the four corners of the continent. With spotlights onEgypt, South Africa, Kenya and Nigeria, this paper also presents local securityopinions from experts on the ground. 19th October 2012
  2. 2. AfricaContentsAfrican Overview 3Introduction 3The Security Conundrum 4Malware and Piracy 4Regulation 5 Expert Opinion - Contador Harrison 6 Software Director, Somocon Oy, FinlandEgypt : SP TLIGHT 7Cyber-crime 7Politics 8Cyber-war 8 Expert Opinion - Pierluigi Paganini 9 Chief Security Information Officer, Bit4ld Group & Founder of SecurityAffairs.coSouth Africa : SP TLIGHT 10Decline in Viruses 10Pirates and Hackers 11Overview 11Kenya : SP TLIGHT 12Open Season for Hackers 12Fighting Back 13 Expert Opinion - Kostja Reim 14 Managing Director of Security Risk Solutions LtdNigeria : SP TLIGHT 15People Power 15Positive Action 16Conclusion 17
  3. 3. AfricaIntroductionIn the first decade of this millennium, the Economist found that six of the world’s fastest growing economies were insub-Saharan Africa. This has only continued, and today the continent is renowned for its bourgeoning middle class,mall culture and rapid adoption of mobile technology. In a recent report from HSBC that predicted the top 50 worldeconomies of 2050, there were substantial rises expected across Africa; Egypt is due to climb 15 places to 20thposition (putting it four places ahead of the Netherlands, which drops nine places); whilst Nigeria is anticipated to risenine places to 37th. It seems Africa is finally beginning to put its stamp on the global economic map.The African Development Bank expects most of Africa to comprise of a solid middle-class by 2030, with consumerspending power likely to hit $2.2 trillion. Not surprisingly, big businesses are starting to move in - IBM already hasoperations in more than 20 African countries, and this August announced plans to open its first tech research hub onthe African continent, in Nairobi. News, research and economic reports all paint the same picture: Africa is on the up;change, development and opportunity are firmly on the horizon. However, like every positive story there is always anegative underbelly lurking beneath the surface.In Africa, like everywhere else in the world, progress is indelibly linked with IT and technology. And like everywhereelse, technology has its downsides: malware, threats and cyber-crime. In the Western world the difficulty lies inconstantly upgrading and securing IT whilst simultaneously retiring legacy systems; many countries in Africa mayprovide a virtually blank slate, but do they have the knowledge to maximise this potential? To give some globalcontext, the US has a 78% internet penetration (World Internet Stats), whilst Nigeria - which has the highest levelsin Africa - stands at only 29%. South Africa - which has the largest economy on the continent - is currently at 14%.Mobility aside, with the African market so new, as IT levels improve is Africa really equipped to remain secure? Nigeria Egypt $235.92 Billion GDP $229.53 Billion GDP 29% Internet Penetration 26% Internet Penetration Nigeria’s infamous for Egypt has seen a sharp rise cybercrime and the notorious in malware and cyber-crime ‘Nigerian Prince’ emails still in recent years. feature prominently. Kenya $33.62 Billion GDP 26% Internet Penetration Kenya’s chronic hacking problem and general lack of internet security is currently being addressed South Africa by the government. $408.24 Billion GDP 14% Internet Penetration South Africa’s relatively under-developed infrastructure makes its high rates of cybercrime all the more alarming. 3
  4. 4. AfricaThe Security ConundrumAs the IT sector continues to grow, concerns about security will only rise. Greater accessibility means more opportunitiesfor criminals to exploit naive users, and inexperience with technology increases the chance of encountering viruses andmalware. Ill-prepared governments and businesses can also suffer at the hands of hackers taking advantage of theinadequate protection put in place. Each area of Africa is unique, however, there are some notable trends; skills shortagesand lack of education on potential cyber threats seems to be a recurring theme, and levels of viruses and malware aresignificantly higher to other regions, such as Europe.The aim of this report from IDG Connect is to investigate how Africa as a continent is coping with IT security. This is nosimple task; it is a very diverse region, with approximately 30 million square kilometres of land mass, 57 countries and (byestimates) as many as 3000 languages. So, in order to make this as digestible as possible we decided to focus on fourpivotal countries, which tie together the four corners of Africa: Egypt, South Africa, Kenya and Nigeria. Throughout thisreport we attempt to collate the wealth of information available in order to provide a cohesive snapshot of security acrossthe continent.Malware and Piracy Malware infection rates by countryAccording to Microsoft’s Security Intelligence Report for the (per thousand computers) - 2011second half of 2011, malware infections in Africa are higher [Source Microsoft Security Intelligence Report]than the worldwide average. The infection rate in Egyptwhich has been on the increase over the past two years, isnow the highest in Africa and among the top five worldwide. 20+Worms were also a common problem, and phishing siteswere much higher than the worldwide average in Algeria and 15-20Tunisia in 2011. 10-15Africa traditionally has a high rate of software piracy. 5-10According to BSA’s 2011 study, the average in the regionis around 73%, and there has been little change in recent 0-5years. In fact, parts of Northern Africa have seen a slightrise between 2010-2011, possibly due to the Arab Spring Morocco Nigeria France Australia Canada Algeria US Egypt Kenya SAuprisings. Aside from the financial loss (approx. $1,785M),this high level of unauthorised software is likely to add to theregion’s virus and malware woes. 4
  5. 5. AfricaRegulationIn order to address security, governments are now looking to introduce wider-reaching cyber-security laws. Many Africancountries currently have no laws, or have piecemeal legislation in other bills. To remedy this, much of the continent islooking to pass regional cyber bills that allow countries to work together in preventing crimes.All 15 countries in the Southern African Development Community (SADC) have, or are in the process of passing, a cyber-bill. The East African Community (EAC) is on track to have a common cyber-crime bill for the region, while the EconomicCommunity of West African States (ECOWAS) has yet to adopt such a policy. As well as legislation, nine countries alsohave their own Computer Emergency Response Teams (CERT). SADC countries that have crafted cyber-crime legislation to curb computer-related crimes SADC countries that are crafting cyber-crime legislation to curb computer-related crime Will be involved with East African Community (EAC) joint cyber-crime laws Have a Computer Emergency Response Team (CERT) 5
  6. 6. AfricaExpert Opinion Contador Harrison, Software Director, Somocon Oy, Finland African Union must act to reduce cyber-crimeThe current situation in Africa cannot be allowed to continue because internet crime, intellectual property,and identity theft are thriving, and a good number of continent heavyweights have now begun to prepare forcyber-warfare, yet close to half of their population are living on under a dollar per day. Criminal organizationsare making hundreds of millions of dollars and appear to be re-investing to develop new and moresophisticated scams in the continent. African governments must act to reduce cyber-crime and to secure thekey systems and infrastructure in the continent.African governments must not launch their e-government systems until security can be guaranteed. Ifnecessary, they should only be utilized on a separate network through a secure network for key nationalsystems and infrastructure. One of the most important services on the Internet today is still one of the mostinsecure, and that’s email. The fastest way for a criminal organization to breach security is through the useof email. It is fundamental that the use of SSL certificates for SMTP server to SMTP server communicationsand the use of SSL certificates for SMTP server to client communications be implemented first.I do also feel that most countries need new legislations that will set out a path towards Africa having twoseparate networks. One would remain the public Internet and the other would be a secure network for keynational systems and infrastructure. Also, I feel it is important to make it clear how authorities disconnectparts of the network and to disconnect countries from the African countries network should be detailed.Protocols need to be put in place for these actions to occur and it must be decided who will carry out theactions. Legislation should set out a timeline and framework whereby equipment and systems suppliers willbe required to improve their products with safety and security in mind because this has been a thorn to somegovernments in East and Southern Africa.Certain well-known security flaws in the way computers are made and sold must be identified in thelegislation and made illegal, especially in East and Southern Africa countries where rogue suppliers thriveby selling substandard and refurbished computers which are sold at the same price as new ones. One ofthe many cases I have witnessed in African countries I have visited - Operating Systems are sold withoutadequate integrated anti-virus and anti-malware capability. I have always argued in the past that allcomputers connected to the Internet should be registered and the computer operating system should reportthe computers’ state, including the health of the anti-virus and anti-malware checks.If you look at the automobile industry in the continent, which is also growing at a very fast rate, registrationis mandatory for any vehicle utilizing public roads in any country within the African Union member states. In12 African countries I have visited, car roadworthy checks are carried out randomly and whenever a vehicleis sold, valuers have to value it afresh before a new buyer acquires it. African Union, Africa’s governing bodyshould take the lead by working with its member states to identify and try to solve some of the issues withthe internet. But the pace of this continental effort is glacial and more needs to be done to reduce cyber-crime in Africa. 6
  7. 7. AfricaEGYPT : SP TLIGHTIt’s hard to talk about IT security in Egypt without going into politics. The uprising and recent elections have had a bigimpact on almost every aspect of life in Egypt, and the world of IT is no different. As one of the continent’s biggesteconomies, and just coming out the other side of civil unrest, the new government has a lot of work ahead of it. Whilecyber-security seems to have improved in recent years, since last year’s uprisings, things appear to have deteriorated.Unlike many parts of Africa, Egypt has a relatively well-developed IT landscape. It has infrastructure, 3G in the cities, acompetitive and affordable telecomms sector, and a well-trained IT workforce of around 200,000. Mobile penetrationstands at 112% - over 90 million people - while the regions internet boasts 30 million users, of whom around 22%shop using E-commerce, and many think Egypt is poised to emerge as a major player in the information economy. 112% mobile penetration 26% internet penetration [Sources: World Internet Stats, Egypt Ministry of Communications and Information Technology]According to BSA’s most recent global software piracy study, Egypt’s levels of pirated software stands at around 60%,slightly higher than the average in the region, and totalling a value of $172m. The government has said it has plansto curb piracy and intellectual property abuses which, according to the IIPA, could “generate US$254 million in GDP,US$33 million in additional tax revenues and 1,978 new IT jobs” if the piracy rate was reduced by 10% in four years.Cyber-CrimeWhile there were relatively few targeted cyber-attacks originating out In 2010 Egypt was named byof North Africa last year, Egypt isn’t crime free. Despite Damballa Labs Kaspersky Labs as one ofclaiming “Egypt isn’t a global player in cyber-crime,” history seems todisagree. In 2010 Egypt was named by Kaspersky Labs as one of the the top sources of password-top sources of password-stealing Trojans, and the year before, Egyptian stealing trojans, and the yearhackers were involved in one of the world’s largest cyber-crime criminal before, Egyptian hackers werecourt cases. More recently, Websense named Egypt third for countries involved in one of the world’shosting phishing fraud in this year’s Threat Report. While it totalled 6.8% largest cyber-crime criminalof worldwide phishing, the report noted it had experienced a large rise inthe last year. Whether this is related to the recent political turmoil is hard court tell.This year’s Microsoft Malware Protection Center figures shows that last year Egypt had one of the highest malwaredetection figures on the whole continent, which may be due to a high number of people using older versions of internetbrowsers, which are always more vulnerable to attacks than up-to-date software. 7
  8. 8. AfricaPoliticsBetween 28th January and 2nd February 2011, Egypt was oneof, if not the, first users of an internet ‘Killswitch,’ where the Egypt ranking for worldwide phishing:government essentially shut off the entire internet in the countrywith aims to stop protestors communicating. The move wasn’t 3rdpopular, but did lead to other countries contemplating similarideas. Interestingly one of the earliest ways this shut-off wasdiscovered by those outside the country was through malwaremonitoring. In retaliation, the hacktivist group Anonymouslaunched ‘Operation Egypt’, bringing down four government Egyptian computers infected by FLAME malware:sites with DDoS attacks, while spammers used unrest to targetpeople looking for news on the subject. 5Now that peace has returned to the country (though the internetfreedoms are said to be strict), the new government can geton with addressing new cyber-crime bills. Currently there is nocomprehensive cyber-space law, though there are piecemealparts across other separate bills. An unregulated internet isa breeding ground for hackers and criminals, and something Estimated savings from reducing softwareconcrete needs to be put in place as soon as possible. Despite piracy by 10%:these problems, the government is moving towards bettercyber security. The Ministry of Communications 2011 round upexplains how the Egyptian Computer Emergency Response $287million & 1978 jobsTeam (EG-CERT) is working internationally to help combat [Sources: Websense, Kaspersky Labs, IIPA]cyber-crime, which is a good sign.Cyber-WarThe recent Flame attacks that struck Iran and other MENA countries (including Egypt) have brought state-led cyber-attacks and the general idea of ‘cyber-war’ to the foreground, and it seems the Egyptian government had similar plansof their own. Around April last year, it came to light that a UK firm offered custom-made malware to Egyptian SecurityServices. Consisting of a “remote intrusion solution,” the total deal was projected to cost the government just over$350,000. Meanwhile, a new Persian-born trojan was discovered spying on Egypt’s Middle Eastern neighbours onlyrecently. While these state-sponsored attacks may become a common occurrence in the coming years, Egypt woulddo well to rise above the regional political quagmire and avoid trying their own versions of these attacks.Though out of government hands, Egyptian hackers have been reported as going specifically for Israeli websites. Lastyear Israeli Prime Minister Benjamin Netanyahu’s own site was hacked, placing an image of Egyptian soldiers raisingthe Egyptian flag in Sinai, while in April, Barack Obama’s Israeli site was hacked by the group known as ‘TeaM HacKerEgypt’.Egypt is at a crossroads. The fledgling government needs to be careful in getting the balance right. They need anew set of laws and policies that help tighten security and reduce problems with hackers and phishing, but withoutoppressing the people and suffering the inevitable pushback from hackers and a vocal youth unafraid of showing theirgrievances. 8
  9. 9. AfricaExpert Opinion   Pierluigi Paganini, Chief Security Information Officer Bit4ld Group & Founder of SecurityAffairs.coThe African challenge is one of the most interesting adventures in the cyber security landscape; despiteadverse political and economic events, the continent is demonstrating an impressive increase intechnological demand.According to statistics, Africa has an internet penetration level of 13% with a relative growth of 2,988.4 %in the period 2000-2011 - an unparalleled rise. With such numbers and growth, cyber security assumes afundamental importance. Egypt, for example, has a mobile penetration of 112%, and more than 20 millioninternet users, but it’s clear that the level of exposure to cyber threats is really high, and is likely to increase.The entire region of North Africa represents a valuable market in cyber security, an opportunity for bothAfrican and also foreign businesses.Looking deeper into cyber security in North Africa, it is worth noting that despite a low number of state-sponsored attacks, the countries still suffers from cybercrime. In 2011 was discovered Operation Phish Phry,which was conducted by Egyptian-based hackers who obtained bank account numbers and related personalidentification information from an unknown number of bank customers with a phishing campaign. Meanwhile,according to the Websense Threat Report, Egypt is third for countries hosting phishing fraud with a total of6.8% of worldwide phishing.The African hacking underground is considered one of the most interesting; according to researchers ofKaspersky Lab, Egypt is one of the primary users and designers for cyber espionage malware. Where thisis the case, the commitment of governments and mutual collaboration are important factors to successfulintroduction of technology on a large scale. Good strategy will involve the creation and the strengthening ofComputer Emergency Response Teams (CERT) for the monitoring of cyberspace and of course, as usual, theengagement of common people in the new digital experience.The Middle East and North Africa (MENA) countries are at a delicate historic point where a suitable cyberstrategy could significantly influence their development in the mid- and long-term. Increased investmentin cyber security is an obligation, not a choice, in order to avoid disastrous consequences for everybody,because cyber space has no borders. 9
  10. 10. AfricaSOUTH AFRICA : SP TLIGHTDespite being the largest economy on the continent, making up 30% of the total income of the continent by someestimates, South Africa is struggling with a range of issues typically associated with emerging markets. In 2009, acarrier pigeon proved quicker than broadband at relaying information from one side of the country to the other. Andnow, despite the addition of undersea broadband cables, rural areas lack proper communications infrastructure andconnection speeds are still incredibly slow. What is more, despite relatively low numbers of internet users, South Africaranks higher than it probably should on cyber-crime statistics. Computers infected 8.1 with Malware in SA 7.1 World average 14% internet penetration Computers infected with malware per 1000 [sources: Microsoft Security Intelligence Report, Internet World Stats]Decline in VirusesWhile the number of viruses in the country is relatively high, the good news is that the figures are declining, albeit slowly.The number of worms decreased in the last quarter of 2011 by 0.9%, while trojans were also down. According toMicrosofts Malicious Software Removal Tool (MSRT) there was malware detected on 8.1 of every 1,000 computersscanned in SA in the fourth quarter of 2011, compared to the worldwide average of 7.1 for the same period. While stillunacceptably high, it has been declining all year, thanks to improving local security tools, so progress is being made.A report on SA security by WolfPack provides some really useful insight into how businesses approach security.This shows 93% of companies have tools to capture and report on risks, and around 60% expected a rise in theirsecurity budget next year. However, some worrying stats show almost a third of companies have no defined cyber-forensics process, and over half have problems with budgets, enforcing policy and security, data leakage and lack ofcommitment from management. The most common incident on the rise is online fraud, with over 20% reporting anincrease in the last 12 months, while second was device theft (also rated as decreasing the most). 67% 46% 41% 84% of SA companies expect didn’t spend anything won’t spend anything of South Africans have a rise in their security on security awareness next year been a victim of cyber- budget next year this year crime (Value $573M) R150billion Estimated loss to insider fraud per year ($18.3 billion) [Sources: Wolfpack, Norton, Supervision] 10
  11. 11. AfricaPirates & HackersWhile software piracy stands at around half the levels of its BRIC counterparts, according to BSA around a third of allSouth African software is pirated, well above the likes of the US (21%), but lower than most of Africa. Using piratedsoftware always runs the risk of introducing viruses, and needs tackling if SA wants to improve its security standards.Reducing piracy rates can be a difficult task however, and piracy rates have remained unchanged for several years. Software Piracy [Source: BRICS] 2010 2011 78% 77% 65% 63% 64% 63% 54% 59% 58% 53% 35% 35% Country: Brazil Russia India China SA BRICS Average Value in 2011: $2,848M $2,659M $2,930M $8,902M $564M $3,581MDespite the hacking of the ANC Youth League’s website last year, hacking in general hasn’t quite reached the samelevels as other countries (there’s no ‘Anonymous SA’ for example), with an average of one or two major stories hittingthe news each year. So far, this year’s big hacking story was a cyber-bank robbery on New Year’s Day, where thethieves managed to steal $6.7m over 72 hours. Norton’s cyber-crime figures for SA are estimated to total $573M, with84% of people having been a victim at some point. And although the number of phishing attacks on the country aredown by 11% year on year, they still run into the millions.OverviewAlthough a decrease in attacks does sound like a good thing, it may be a result of South Africa’s low number of internetusers, who make up around 14% of the population (though growing quickly). To add to this, there is a skills shortagein the IT sector, which could be slowing down the development of the country. The World Economic Forum’s Global ITReport said of SA: “Important shortcomings in terms of basic skills availability in large segments of the population andthe high costs of accessing the insufficiently developed ICT infrastructure result in poor rates of ICT usage,” despiteefforts from businesses to integrate IT into the workplace. According to iC3 figures,Rural areas of the country are especially at risk, after one study from SA ranks 7th in theResearchSpace.csir found “a large portion of the South African population thathas not had regular and sustained exposure to technology and broadband world for cyber-crime,internet access [could] expose local communities to cyber threats.” According surprisingly high for ato iC3 figures, SA ranks 7th in the world for cyber-crime, and has hovered country with relatively fewaround the same position on the list for a good few years. These numbers are internet users.surprisingly high for a country with relatively few internet users.Despite some of the problems, back in Pretoria the government is taking steps to improve security. Its new cyber-security policy aims to create a more secure digital environment through awareness programs aimed at both the publicand businesses, better research and skills, and establishing a National Cyber-Security Centre.Overall South Africa has less trouble with hackers and both businesses and governments are taking steps to improveeducation and protection. However problems with viruses and fraud do still remain. 11
  12. 12. AfricaKENYA : SP TLIGHTKenya is fast becoming a major player in the IT sector. East Africas biggest economy has undergone something ofan IT revolution in recent years, with the sector outperforming other more traditional ventures such as agriculture andmanufacturing for a few years now. But lack of skills and protection is leaving computers extremely susceptible toviruses and hacking. KENYA SA $71.4b $555.1b $36m $573m Crime cost as a % of economy = 0.05% Crime cost as a % of economy = 0.01% US $15.1tr Size of economy Estimated cost of cyber-crime each year $32b [Sources: Daily Nation, IMF, Norton] Crime cost as a % of economy = 0.02%According to World Bank data, mobile subscriptions actually outnumber adults in the country, and as with manymarkets, the rise of Kenya’s Generation Y, combined with affordable smartphones, internet and social media haveall been a key influence on this rise. Of the 17 million people on the Internet, 6 million are mobile internet users,and that number is rising steeply. Kenya seems to be going towards a wholly mobile internet set up. But perhapsbecause so few people are hooked up at home (around 2% have home computers), this could be the reason Kenyais vulnerable and open to attacks.Open Season for HackersRecently, workers from the Kaspersky Lab said 20% of computers being used in Kenya are vulnerable to viruses,and the number is rising. They attributed 17% of that to the use of free software downloaded from the internet,saying ignoring updates left them vulnerable, and pointed to the governmentto create proper regulations on cyber-crime. Less than half of SMBs think staff are properlyMeanwhile a research paper from the Jomo Kenyatta University of Agricultureand Technology on Kenyan SMBs found some very worrying statistics. Less trained to secure theirthan half felt they had documented information security policy, roughly the computers properly atsame amount thought staff were properly trained to secure their computers all times.properly at all times, fewer than half had a business continuity plan in theevent of a disaster, while almost half weren’t aware of international information security standards available fororganisations to adopt. This level of negligence and ignorance is dangerous, especially when novice hackers aretargeting the country for fun and succeeding every time. Proper training and business strategies are key. 12
  13. 13. AfricaBut it’s not just ignorance and possibility; Kenya’s security problems are very real. Forensic experts are claimingcyber-crime poses the biggest challenge to organisations and the police, and already costs Kenya almost Sh3 billion($36 million) every year. Organisations are being urged to employ Forensic Certified Public Accountants (FCPAs) totry and counter the problem.Aside from cyber-crime, your average ‘hacktivists’ are targeting Kenyafor fun and practice. Last year, an Indonesian student-hacker known 42.8%as ‘direxer’, took down 103 government of Kenya web sites overnight. 20%Part of an online Indonesian security forum known as Forum Code Security, the hacker said he took down Average ‘hacktivists’ the web sites following tutorials from are targeting Kenya for the forum. That followed a year after Kenya fun and practice. One another hacker attacked and disabled hacker took down 103 the official police site, and two university hacks, one to change exam results government of Kenya and another to clear student fees. web sites overnight by Clearly this should cause concern. If following tutorials from government and academic institutional % of SMBs in Kenya who have an online forum. sites are being hacked so easily, there’s not security trained their staff nothing to say local businesses are inany more of a secure position. Various blogs online offer some advice for % of computers in Kenyabasic security but there are some serious questions that need answering, vunerable to virusesnot by blogs, but by the government and the private sector to reallyaddress what is a lack of adequate protection. [Source: Kaspersky, cscjournals]Fighting BackThe business level responses so far have seen Techno Brain, an IT solutions company, starting to offer hackingforensic courses to banks, government agencies and other corporates, while Kenya Methodist University (KeMU)launched a string of professional courses in IT security, in an attempt to plug some of the holes these attacks havehighlighted. The government is moving in the right direction too. Last year they set up their own Computer IncidentResponse Team (CIRT) to combat the problem, which aims to deal with incidents, promote security, issue warnings,and generally try to address the issues the country has with security and bring it up to scratch with the rest of theworld.However, the government is also making some not so great decisions. Its new Information Protection bill has beenlabelled ‘flawed’ by the Kenyan chapter of the International Body for Professionals in Audit and Information Security(ISACA), who said it was a step in the right direction but left holes open for misuse. New monitoring devices installedby the Communication Commission of Kenya (CCK) are worryingly Big Brother, though they promise they are forassisting in early detection and prevention of cyber-crime incidents, and have said, “It is a passive system and nota tool for spying on users. The system cannot be used to block access to the internet at all.” This monitoring of thepublic web traffic is very worrying for people.Clearly Kenya has some serious security issues that need addressing. This isn’t to say they are the only victims, asseen by the recent attacks on the likes of Sony and LinkedIn, but a major government site being brought down by alone student makes it clear security isn’t good enough by any stretch of the imagination. The lack of knowledge andskilled workers also need to be tackled, otherwise East Africa’s biggest economy may become a hacker’s paradise. 13
  14. 14. AfricaExpert Opinion Kostya Reim, Managing Director of Security Risk Solutions LtdIn a country pained by poverty, famine, refugees, war on Somalia and terrorist attacks; one would notbelieve that Information Security was an everyday topic.Indeed, priorities are a little different and have been, understandably, for the last decade as the countryprogresses on its Vision 2030 implementation. Kenya as the business and financial hub of Eastern Africais slowly gaining back its powerhouse reputation once gained in the 70s, and is a vastly growing centerin the region. Even though the cost of living keeps at par with the ever-increasing global trends, thespending power of Kenyans is manifested by the mushrooming shopping malls and office buildings in thecities and suburbs. Convenience is a regular requirement during the busy and traffic-affected days andtherefore the uptake of Internet (on Mobile), Mobile Banking (M-PESA), Internet Banking, Credit Cardsand eCommerce has been massive and overwhelming.Information Security’s biggest driver is compliance and so it has been in Kenya. The regulators havedefined very clear guidelines and issued directives that are clear and implementable. This includesPCI DSS controls, regular penetration testing, and guidelines for security in Internet Banking, as withthe recent changes of the Prudential Guidelines issued by the Central Bank of Kenya. Many banks,merchants and payment processors are undertaking PCI remedial projects and placing controls wherepreviously have been none. Investigations into computer abuse and fraud have resulted in many moreconvictions as the changes in telecoms and evidence acts have now reached the courts of law. Themedia has become infosec aware and report on issues of breaches and developments regularly and withdepth. The government has recognized the risk and made information security a key requirement in theire-government strategic plan.So clearly, Kenya is on its way, development and infosec wise, thanks to a great number of technologyprofessionals making the lives of Kenyans more convenient and technology-enabled every day,sometimes with mishaps that put them at risk... 14
  15. 15. AfricaNIGERIA : SP TLIGHTNigeria boasts a 29% internet penetration rate, the highest in Africa, yet has suffered for years with 419 scammers.Though not as bad as it was once, the infamous Nigerian prince scams have certainly had an impact on the country’sreputation. 2015 70m 2012 45m $200m annual cost of cyber-crimes to the Nigerian economy 0m 50m 100m [source: IT News Africa] Nigerian Internet Users, [source: The Guardian Nigeria, Internetworldstats]Like many African countries, Nigeria suffers from an underdeveloped and unreliable fixed-line infrastructure. However,that hasn’t stopped it topping 45 million internet users, the highest number on the continent. But with such largenumbers come many dangers. Emerging markets across the world are sufferingat the hands of targeted hackers and malware due to insecure websites and “Nigeria, being a fastpoorly-trained staff. And on the whole Nigeria is no different. emerging market... risksThough the country may be aiming to have 70 million internet users by 2015, higher foreign invasion ofSymantec has warned that the rise of internet users in Nigeria puts the country cyber-attacks becauseat a greater risk from cyber-crime. Kelvin Isaac, Symantec’s Vice President of the glut in capacityof Emerging Markets said, “Nigeria, being a fast emerging market, with huge utilisation.”bandwidth deposits from the various submarine cables, risk higher foreigninvasion of cyber-attacks because of the glut in capacity utilization. [That is the] Reason why government, regulatorsand operators must work in collaboration to ensure that every avenue to encourage is blocked completely in thecountry and the risk mitigated.” Like many places around the world, SMBs are particularly at risk as they lack propersecurity plans and trained in-house staff to counter or quickly recover from any attacks.People PowerThere are plenty of web 2.0-literate people in the country, but not necessarily using their skillset for legal purposes. Lastyear a group of Nigerian hackers known as NaijaCyberHacktivists attacked government sites, including the NationalPoverty Eradication Programme website and the Niger Delta Development Commission, posting a letter protestingagainst the N1b ($6.6 million) cost for inauguration for President Goodluck Jonathan and the country’s Freedomof Information Act. The author of the report pointed to the county’s rabid unemployment figures (currently hoveringaround the 23% mark) and a country that is ‘rich in raw technology talent’. In a similar attack in January the Economicand Financial Crime Commission (EFCC) was attacked in response to reports of corruption. 15
  16. 16. AfricaThis pool of unemployed and angry talent has only recently started targeting its government. For years Nigeria hasbeen king of spam, with promises of Nigerian Princes offering millions for only a small advance fee. These 419 Scams(in reference to the article it’s a crime under in the Nigerian Criminal Code) are so synonymous with the country they areoften called Nigerian scams. Back in 2005 Lagos was widely considered the world’s leading place for scam crimes.Although they are still common, they have been on the decline of late (spam is at its lowest levels for years) andNigerian police have been more active in recent years in shutting down these kinds of operations.Positive ActionGiven that Nigeria’s IT sector is booming, programmes to equip more people for careers in the sector are comingthrough, including World Bank’s ACCESS (Assessment of Core Competence for Employability in the Services Sector)programme, which trains young people on a variety of aspects, from written English and basic numerical skills tointernet browsing, use of office software, and attention to detail. It’s not quite on the same level as Kenya’s variousforensic hacking courses, but it’s a start.The government is trying to gain traction on developing a world class IT sector, with various ideas and policies toimprove accessibility. But a possible cyber-crime spree waiting to happen lies within the country’s move towards a‘cashless society.’ This move to reduce the amount of cash used and increase electronic payments is a perfectly validone, but where money is involved there will always be criminals trying to abuse the system. And without adequateprotection, hackers could rob organisations of several millions, if not billions, of Naira.A big stumbling block is the country’s lack of cyber security law. It is making it difficult to actually criminalise thehacking of any websites in the country, governmental or otherwise. Dr. Emmanuel Ekuwem, chief executive of TeledomInternational Group, lamented this lack of law, saying, “Do we have a cybercrime and cyber security law in place?No! Have we designated our Critical National Information Infrastructure? No! There is no law yet that criminalises thehacking any websites. Pity!” A bill is in the works, and has been promised sooner rather than later, but when thatactually will be is anyone’s guess.Nigeria is a country with a tradition in cyber-fraud with 419, but as that slowly gets put to bed it will want to avoid therise of hackers, especially around its E-commerce ambitions. As with many emerging markets, proper training andsecurity measures will help immensely. But critically, getting a proper cyber-security bill in place is needed as a tangibledeterrent to would-be criminals. Without that, Nigerian Princes needing bank account details might be the least ofpeople’s worries. 16
  17. 17. AfricaConclusionThe African landscape is changing rapidly. This can be seen across expanding economies, rising populations andmajor technological developments. Over the last few years this has resulted in many improvements. However, due tothe pivotal nature of technology, one serious stumbling block to true progress could well be IT security.There are so many granular differences across 57 diverse African countries that it is hard to assess the pan-Africansituation in any meaningful way. To tackle this we split the continent into four and looked at one country across eachof the corners. Through this approach some core trends did surface. These are namely, a massive IT skills shortage,a severe lack of education on potential cyber-threats, along with significantly higher levels of viruses and malware thanother regions, such as Europe.These concerns do seem to be gradually reaching governments, and necessary legislation is slowly being put in place,but security overall is clearly a big problem across the continent. This report has shown that malware and cyber-crimehave taken a sharp rise in Egypt in recent years; South Africa suffers from a profound lack of security awareness;Kenya is subject to chronic hacking and Nigeria is still world famous for its ‘Nigerian Prince’ emails. With businessbooming; numerous foreign companies moving in, and IT looking set to play an ever more crucial role in the continent’sdevelopment, it is becoming more and more vital that IT security sits firmly on the African agenda.About IDG ConnectIDG Connect is the demand generation division of International Data Group (IDG), the world’s largest technology mediacompany. Established in 2005, it utilises access to 35 million business decision makers’ details to unite technologymarketers with relevant targets from any country in the world. Committed to engaging a disparate global IT audiencewith truly localised messaging, IDG Connect also publishes market specific thought leadership papers on behalf of itsclients, and produces research for B2B marketers worldwide.For more information visit: 17