Africa leads the world in mobile banking and so it is no surprise that banks are one of the biggest targets for cybercriminals
Internet growth in Africa has increased by more than 8,500 percent since 2000 and with it has come cybersecurity issues. In 2019, Africa had 55,809,480 Internet users, representing 11.5% of the total world Internet users and with a 39.6% penetration.[i] Also, the subscription and use of mobile devices grows at an astonishing rate in Africa. In 2019, the number of subscribers stood at 1,065,000, and this number will continue to increase. [ii] Accordingly, Sub-Saharan Africa’s (SSA) banking systems have evolved to include Internet-based transactions using mobile devices and online banking systems.
Although the adoption of Internet-based financial transactions gives customers and banks several benefits, including customer convenience and lower operating costs for banks, it also creates incredible opportunities for cybercriminals. Criminals exploit mobile devices and other online banking systems to intercept personal credentials and steal money.
The financial sector, including banks and other financial institutions, experiences 300 percent more cyber attacks than any other industry.[iii] It is not surprising considering[AG1] that banks store cash on location. Available cash is why, in response to why he robbed banks, Willie Sutton, a prolific American armed robber in the 1930s, answered that he did so “because that’s where the money is.”
Customers trust financial institutions to safeguard their money, records, and information. Unfortunately, cybercrime is on the rise, and the methods that cybercriminals use to attack the infrastructure of financial institutions are continually evolving. When a financial institution’s systems are breached, the institution faces reputational and economic costs, including refunds for the losses their customers incur following an attack on the institution’s networks.
Money stolen via cyber-attacks drives the financial sector to mitigate the risk of falling victim to cybercrime. They already spend hundreds of millions of dollars and hire the brightest minds to protect their customers and themselves. However, cybercrime continues to rise, and the methods cybercriminals use to attack the infrastructure of financial institutions constantly evolves.
In 2019 cyber-thieves successfully attacked major cities, governments, businesses, hospitals, and schools around the world. In the past few weeks alone, the city of Johannesburg, Africa was mulling over whether or not to pay $30,000 in Bitcoin – four coins – to hackers. In May, Hackers attacked the U.S. city, Baltimore in the State of Maryland, located less than an hour from Washington DC. The criminals froze thousands of city computers and demanded $76,000 in bitcoin as ransom. Even though the city did not pay the ransom, the attack cost the city $18 million and impacted many of their critical systems, including disrupting employees’ email service, halting water billing, and even suspending real estate transactions. In addition, in early October, the city signed up for a $20M cyber insurance policy. Texas was also a cybercrime target from a wave of ransomware attacks that targeted 23 local government entities.
What have we learned from these attacks on our banks, cities, schools, and hospitals? Cyber risk challenges cannot be solved solely within the boundaries of the financial sector. Complex and rapidly changing cyber threat environment means that no single entity alone can solve the cyber threat problem, and therefore, financial institutions must work together with other members of their cyber ecosystem.
In order to effectively mitigate cyber threats to the financial sector, we must:
- share timely cyber threat information across the financial sector, and with government agencies, ISPs, and other private entities to enable quick response to cyber threats;
- collaborate with other sectors and government agencies to effectively respond to and recover from cybersecurity incidents;
- develop common cybersecurity best practices across the financial sector in order to improve risk management capabilities.
The developed countries are awakening to the reality that old data models are not sufficient to protect digital assets. Safe and trusted data networks require implementing a variety of data models and data architecture. And, by adopting a “Strength in numbers” strategy by collaborating and sharing information to mitigate cyber threats. If well established countries and technology networks struggle tackling cyber threat issues, developing economies like Sub-Saharan Africa remain a monumental challenge.
Sub-Saharan Africa has been labelled “a new cybercrime harbor” because of inadequate protection of and increased cyber threats to its ICT infrastructure resulting from the availability of fast Internet access, a growing number of Internet users, and weak cybercrime laws. The implications reach far beyond geographical or political borders.
Just as air and water pollution impact our global ecology, in cyberspace, the whole is only as strong as its weakest link, and in Sub Sahara Africa, the majority of the region’s ICT infrastructures are frail and poorly protected from cyber threats and attacks. Cyber threats to Sub-Saharan Africa’s insecure ICT infrastructures not only pose great risk to the region’s ICT infrastructure and its economic interest but also weaken and threaten cyberspace.
When cybercriminals successfully penetrate and attack the more secure networks of governments and corporations in developed nations, then financial institutions in Sub-Saharan Africa face real cybersecurity risks and tremendous challenges with their increasing adoption of Internet-based platforms.
Mobile banking is a prime cyber target. In Nigeria, cybercriminals are using mobile devices to carry out advance-fee fraud, which involves communication via Short Message Service text messages, phone calls, or email messages to trick victims into sharing banking details and other personal information.
Africa leads the world in mobile financial services, with over half of the 282 mobile money services operating worldwide located in Sub-Saharan Africa.1 Banking advancements in Sub-Saharan Africa from traditional paper-based transactions to mobile banking in recent years has transformed the way consumers conduct their finances and interact with financial institutions; consumers are now able to send, receive, and store money using their mobile devices.
Cyber-threats must be addressed in order to increase consumer trust and confidence in the continued adoption and use of mobile financial services.
Recommendations for cybersecurity
Cyber threats to Sub-Saharan Africa ICT networks must be adequately and timely addressed to improve the security of cyberspace and mitigate cybercrime. Addressing the cyber threats should at a minimum include the following actions:
(1) Conduct Education and Awareness Campaigns
Malicious attacks often take advantage of unsuspecting individuals willing to accept information from or provide personal information over the Internet. Conducting aggressive cybersecurity education and public awareness activities in Sub-Saharan Africa will be necessary to achieve a shift in cybersecurity social and cultural norms among stakeholders, including government agencies, private entities, and individuals. This effort will involve providing education about cyber threats and mitigation measures, and encouraging responsible use of the Internet and awareness of fraud, identity theft, cyber predators, and cyber ethics.
Because ISPs are almost always the first stop for individuals attempting to traverse the Internet, they are in a unique position to monitor traffic flowing into and out of their networks and can “filter” any traffic suspected to be malicious. Upon observing potential malicious data traffic, ISPs should provide assistance in fixing the problem in affected users’ computers, or if that is not possible, block the users to protect the network. In addition, ISPs should also actively participate in educating their subscribers on the protection of their computers and consider offering antivirus software and instructions for installation.
(2) Forge Public Private Partnerships
Due to the complexity and interconnected nature of the Internet, the interests of Sub-Saharan Africa governments and private entities, including financial institutions and ISPs, are intertwined with a shared responsibility for ensuring a secure cyberspace. The private sector generally owns and operates most of the network infrastructures that support both governments and private entities. Therefore, neither governments nor private entities can successfully work alone and in isolation to secure Sub-Saharan Africa ’s ICT infrastructures. Governments and private entities must collaboratively work together in order to protect cyberspace from malicious attacks. These partnerships are essential to crafting and implementing appropriate and effective cybersecurity policies through regulations or voluntary public-private partnerships.
(3) Develop and Implement Cybersecurity Policies, Regulations, Best Practices, and Legislation
Sub-Saharan Africa government agencies with the involvement of relevant private entities should engage in the development, adoption, and implementation of robust and comprehensive cybersecurity policies, regulations, best practices, and legislation. The policies should at a minimum include the following:
- adopting and implementing a risk-based approach to cybersecurity that focuses on incidence response to cyber attacks as opposed a compliance based-approach that has not worked;
- deploying cyber threat mitigation technologies, including malware detection and filtering technologies, and domain name system security extensions;
- sharing threat information among private entities and with government agencies; and
- creating and implementing a code of conduct for ISPs that includes disinfecting its customers’ computers to mitigate malware spread.
Understandably, these policies will not be a one-size-fits-all. Any policies that are adopted and implemented must be tailored to each nation’s circumstances, such as a nation’s regulatory practices over ISPs, the state of the nation’s cybersecurity policy development, and the extent to which the nation is open and willing to adopt and implement appropriate cybersecurity policies.
About the mission
STPCD’s mission is to advance knowledge and assist in the development and implementation of robust, comprehensive science and technology policies —for example, in emerging technologies, cybersecurity, Internet, and patent rights — that address and achieve sustained economic growth in developing nations, particularly in Africa.
Our vision is to be the driving force in crafting and developing robust and comprehensive science and technology policies for sustainable economic growth in developing countries.
The Science and Technology Policy Center for Development (STPCD) is a 501(c)(3) nonprofit organisation that promotes science and technology policies in developing nations. Our mission is to help developing nations address and achieve sustained economic growth by providing:
- Education and awareness of science and technology policies—for example, in emerging technologies, cybersecurity, Internet, and patent rights—to relevant stakeholders in developing countries, including government agencies, private enterprises, research and nonprofit organisations, policymakers, and individuals;
- Practical guidance and assistance to relevant stakeholders in developing countries with crafting and implementing robust, comprehensive policies that promote science and technology innovation, deployment, and use; and
- Developing countries and stakeholders with accurate, relevant, and timely science and technology innovation policy advice based on independent and rigorous research and analysis.
To successfully accomplish its mission, STPCD offers a broad range of expertise, skills, and experience in different science and technology policy areas.
Dr. Nweke has a Ph.D. in Electrical Engineering from Johns Hopkins University and a law degree from the University of Maryland School of Law. He is a senior technology executive with extensive background in executing cutting-edge cybersecurity, risk management and other technology projects.
The Science and Technology Policy Center for Development (STPCD)
Nnake Nweke, Ph.D. (Engr.), J.D. and Marsali Hancock
Endnotes
[i] See, http://www.internetworldstats.com/stats.htm
[iii] See, http://www.websense.com/assets/reports/report-2015-industry-drill-down-finance-en.pdf.
[AG1].
- “Mobile financial services in Africa: Winning the … – McKinsey.” https://www.mckinsey.com/industries/financial-services/our-insights/mobile-financial-services-in-africa-winning-the-battle-for-the-customer. Accessed 21 Jan. 2020.
https://www.accenture.com/us-en/insights/financial-services/cost-cybercrime-study-financial-services
I agree that there is strength in joining forces with others in fighting cyber criminals. But in my experience, many businesses do not know where they are vulnerable to cyberattacks. After activating an antivirus, many assume that their work is done and are thus immune to cyberattacks. This business attitude made ransomware a global menance enriching the pockets of criminals thus affecting us all.