South Africa needs to step up efforts in establishing a central cybersecurity unit under government oversight to co-ordinate all South African defences, according to a White Paper launched by global management firm Kearney yesterday.
This despite South Africa spending 0.19% of gross domestic product on cybersecurity threats - above most countries in Africa.
However, the paper pointed to Africa becoming an even bigger and more popular target for cybersecurity threats with current annual losses on the continent amounting to $3.5 billion (R64bn).
This was partly driven by the growth of internet access across Africa and how mobile penetration is forecast to exceed 90% this year.
“Investment in the region’s cybersecurity market is forecast to grow from $2.5bn in 2020 to $3.7bn in 2025. Despite this investment it is estimated the region loses more than $3.5bn annually due to direct cyberattacks, and billions more from missed business opportunities caused by the resulting reputational damage from the attack,” said Prashaen Reddy, a South African partner at Kearney.
Reddy called for a national cybersecurity body, under the oversight of say the Department of Public Enterprises (DPE), which would encompass all disciplines of security and defence as opposed to the current silo reactions of different entities as they come under attack.
He said the notion echoed on an African Union (AU) engineered initiative to increase collaboration on cybersecurity across the region by establishing the African Union Convention on Cyber Security and Personal Data Protection legal framework.
The framework has been signed by 16 out of 55 member countries but only ratified by 13.
Rob van Dale, partner at global management consultancy Kearney, said, “Africa needs a comprehensive agenda to address its low cyber resilience, deal with the scale of cyber threats, and ensure Africa’s unobstructed leap into the digital economy.”
Reddy said in the African context, though Nigeria had far developed defences against cybersecurity threats, South Africa's development made it a vulnerable target and that there needed to be more proactive strategy from the government at the battle point.
“Business responds to protect their own organisations in the events of threats, there is a need for leadership and collaboration to make the efforts a success,” Reddy said.
According to Kearney, countries in the region lacked the strategic mindset, policy preparedness and institutional oversight needed to address cybersecurity issues.
“The absence of a unifying framework, even among the most prepared countries, makes regional efforts largely voluntary. This leads to an underestimation of value at risk and significant underinvestment. In addition, because cyber risk is perceived to be an information technology (IT) problem rather than a business problem, regional businesses do not have a comprehensive approach to cybersecurity.
“The region’s nascent cybersecurity industry faces shortages of homegrown capabilities and expertise. Products and solutions are fragmented, and there are few comprehensive solution providers,” the paper said.
The paper identified four drivers that would increasingly expose Africa to outsized cyber risk
Firstly, the growing interconnectedness and flow of people, goods, and information across the region with the realisation of the African Continental Free Trade Area (AfCFTA), which would intensify systemic risk.
It also looked at widespread socio-economic difficulties — accelerated by the Covid-19 pandemic, food crises and inflation — which had led to diverging national priorities and a varying pace of digital evolution, which will continue to foster a sustained pattern of underinvestment.
“Countries’ hesitancy to share threat intelligence, often because of mistrust and a lack of transparency, will lead to even more porous cyber defence mechanismsm,” Kearney said.
The paper said concerted efforts were needed to elevate cybersecurity on the regional policy agenda, secure a sustained commitment to cybersecurity, fortify the ecosystem and build the next wave of cybersecurity capability.
“Cybersecurity programs often take a siloed approach to defending infrastructure, even though vulnerabilities extend across peer companies and vendors, and adversaries plan and execute sophisticated attacks across several targets at once,” said van Dale.