Study: Africa Cybersecurity Improves but Lacks Cross-Border Frameworks

While cybersecurity expenditures in Africa are projected to grow to $3.7 billion by 2025 (up nearly 50% from $2.5 billion in 2020), any gains in prevention or productivity may be erased if there isn't more coordination and cooperation among the continent's emerging economies, according to a recent report from the Kearney consultancy. 

The region's growing strategic importance, economic development, and digital transformation make it a prime target for cyberattacks since cyber resilience remains low and varies widely by country, Kearney noted. "Countries in the region lack the strategic mindset, policy preparedness, and institutional oversight needed to address cybersecurity issues," Kearney wrote. "The absence of a unifying framework, even among the most prepared countries, makes regional efforts largely voluntary," which in turn leads to an underestimation of risk and significant underinvestment, the authors said.

But as Prashaen Reddy, partner at Kearney and one of the authors of the report, notes, Africa cannot be seen as homogeneous and varies from one country to another, mostly depending on network infrastructure investments. This is evident in developments from the past couple of months, as countries like Ghana and Angola make steps toward greater cyber preparedness.

Internet penetration has increased in the past decade, enabled by greater access to electricity, and the decreasing cost of devices. In particular, the growth of bring-your-own-device policies, (particularly since the COVID pandemic) and in Internet of Things (IoT) technology have increased the number of devices and applications being used, which in turn increases the attack surface.

Ready for Cyber Readiness?

In terms of cyber readiness, it is firstly important to understand what is determined by that term — is it about having the right technology, people, or culture in place? Kearney determined it to be a combination of: strategy; legislation; governance and operational entities; sector specific and international cooperation; and awareness and capacity building.

Taking an assessment of five countries (Nigeria, South Africa, Egypt, Morocco, and Kenya) on those five factors, Kearney's analysis determined that "Africa's cyber resilience is low, particularly around strategy, governance and operational entities, and cross-sector cooperation."

Throughout the white paper, the absence of a unifying governance framework is mentioned, in particular, an inability to collaborate and share threat intelligence across countries. The fracturing also complicated building frameworks, creating legislation, or developing budgets.  

Reddy says Africa is still seen as a continent with some of the highest growth potential in the world, but it also challenged by policy disagreements. While there is an African Union Convention on Cyber Security and Personal Data Protection legal framework, the date of the last signature was in 2020, and Kearney claims that only 16 of the 55 member countries had signed it. "Such a system, based on the loose collaboration of national agencies and voluntary exchanges, is unlikely to go far enough to safeguard Africa," he adds.

Reddy admits there are challenges when it comes to threat intelligence sharing, including existing economic, geopolitical, and security tensions between some nations in the continent, a lack of regulatory environment to share the information, as well as reduced resources to track events and human capabilities, and an existing dependency and/or cooperation with non-African nations.

Steps to Success?

What is the correct way forward toward harmonizing cybersecurity policies and development? Kearney cites a framework that includes established national agencies to drive the cybersecurity agenda, as well as sector-level dialog. Countries need to develop a coherent national strategy with an implementation road map and identify critical information infrastructure. They must adopt sector-level risk assessments, enact or update cybersecurity legislation, and develop laws to address cybercrime.

They should also establish threat reporting, international collaboration mechanisms, and threat response capabilities. Addressing the global skills gap in cybersecurity is also critical. 

Reddy says if the leading countries define and drive a plan of actions, followed by strong execution and success, other countries will be encouraged to follow. "Due to interconnectivity, it will become at some point mandatory to adhere to some common rules to continue operations as [a] cyber preparedness imbalance could seriously disrupt trade between countries." And because of continued technology use, it will become mandatory at some point to devise and adhere to some common rules of operation since the existing cyber preparedness imbalance could seriously disrupt commerce among African countries themselves.