Botswana doesn’t name cyber- security as one of its national priorities. Nor does Mozambique. Zambia’s 2018 budget doesn’t mention it; nor does Namibia’s. Yet African countries are not immune to cybercrime, as reports from Botswana, Zimbabwe and Mozambique show.
South Africa appears to be especially vulnerable. The US Federal Bureau of Investigation ranks the country sixth and seventh on its different types of cybercrime predator list.
The global WannaCry malware attack of May 2017 hit South Africa harder than other African countries. It has been estimated that companies here on average lose R36 million when they fall victim to an attack.
Small businesses will often not be able to sustain such heavy losses, and could stop trading.
South Africa published a national cybersecurity policy framework in 2012. But it’s not obvious what measures have been put in place to help private individuals to become more resilient to cybercrime.
This is important, because as big businesses become more proficient in repelling cyber attacks, criminals are turning their attention to small businesses and individual home users.
When it comes to the individual citizen, whose responsibility is it to guard against cybercrime? Research we’ve conducted suggests that governments have a crucial role to play.
They need to support individual citizens, as well as businesses, in a more practical and proactive way.
For instance, they could provide individuals with free face-to-face assistance and cybersecurity support.
They could give clear guidelines and provide government-sanctioned security software for people to install, and ensure it’s easy to get.
New York has recently started providing this kind of support to its residents. Based on our research, we believe there’s scope for all governments, including those in Southern Africa, to do the same.
Managing risk: Governments have different approaches to helping their citizens manage risk. For some kinds, such as smoking in private, they issue advice and leave citizens to manage the risk themselves. These can be referred to as “solo risks”.
In other cases, governments create supportive systems so that the management of a particular risk is shared between citizen and state.
These can be referred to as “society risks”. Road safety is a good example of this: people have to pass tests to be permitted to drive; the authorities fine and prosecute those who drive badly.
A solo risk can generally be mitigated by disseminating advice to citizens. This approach is justified if only the person who does not follow the advice is harmed. But when a failure to manage a risk harms the community at large, advice, on its own, might be insufficient.
The cybersecurity risk is currently managed by governments in the same way as they treat private smoking - as if it were a solo risk. By and large, governments provide advice about cybersecurity risks and then leave citizens either to take security precautions, or not.
This seems to be based on the assumption that only the individual computer or device owner suffers loss or harm if they fall victim.
In reality, cybersecurity attacks are like fire and disease. They seldom affect only one individual. Data stolen from one person’s device is likely to include the personal details of many other people, potentially endangering the wider community. Malware and viruses also spread from one person’s device to another.
Moreover, this is not just about financial loss; it impacts privacy too. Privacy, once lost, can never be regained. South Africa has experienced two serious privacy violations recently because the data had seemingly not been secured properly. Those who steal leaked personal identification data can steal identities, a harrowing experience.
Cyber risk is manifestly not a solo risk, but rather a society risk. Leaving citizens alone and unaided to deal with cybersecurity threats is clearly not the best long-term strategy.
Helping home users: Every country needs to formulate a behavioural intervention programme.
This means interventions are formulated according to scientifically proven behavioural principles to maximise uptake. This would provide support so everyone - whether business owners or home users - is able to repel and resist attacks.
New York has made a good start, and other governments will hopefully follow suit.
Governments could work with cellphone providers so that security-related software updates can be batched and issued via their trusted channels. They could prompt people to install these by disseminating the need for the updates using carefully crafted text messages, and publicise this via other media outlets.
Community leaders can also be taught about cybersecurity risks and mitigations so that they can spread the word widely throughout rural and urban centres.
Cybercrime is not going to evaporate. It’s crucial for governments to help their citizens manage this social risk. This will protect incomes, reputations, personal and sensitive information and generally improve resilience across the board. - The Conversation
* Renaud is a professor of cybersecurity at Abertay University in Dundee, Scotland