Africa, Middle East Lead Peers in Cybersecurity, but Lag Globally

Both Africa and the Middle East lead their economic peers in cybersecurity, but the regions fall short of claiming strong scores for overall cyber resilience.

According to data published by SecurityScorecard on Jan. 15 at the World Economic Forum Annual Meeting, the Middle East scored a low 'B', but fares better than both the economically similar East Asian and Southern European regions in terms of cybersecurity. Meanwhile Africa, with a solid 'C' ranking, surpassed its peers in the Central Asian and Caucasian region and South Asia, the company stated.

However, both regions need to invest in replacing outdated technology and end-of-life systems, and create stronger workflows for identifying threats and patching systems, says Ryan Sherstobitoff, senior vice president at SecurityScorecard. 

"Not every country in Africa is equal — some have more prosperous economies than others, especially like South Africa — and the same goes for the Middle East," Sherstobitoff says. "Not every country is as robust as the other, so you'll see a multitude of reactive organizations — and those who are more proactive — based on whether they were attacked or their peers were attacked."

Taking Cyber Steps Forward

Cybersecurity has become an increasing priority for organizations in both the Middle East and Africa. Companies in the Middle East, for example, are increasingly adopting cloud services, leaving their security teams with the job of ensuring that digital transformation does not undermine security. Meanwhile, organizations in Africa are struggling to build more local and regional cybersecurity expertise, with efforts such as building a Virtual Cyber Hub in Nigeria and bolstering cross-border threat intelligence rolling out as major project targeting the shortfall.

Overall, the Middle East and Africa have a total cybersecurity workforce of about 402,000 people, but needs another 102,000 cybersecurity professionals, according to the ISC2 Cybersecurity Workforce Study 2023. The region needs to address the massive talent gap by training as many as four million workers and make cybersecurity solutions more affordable, says Margaret Olele, CEO of the American Business Council in Nigeria.

Initiatives such as the Virtual Cyber Hub are "ultimately directed towards addressing [the] critical talent deficit in Nigeria and development of [our] national economy through the growth of the talent pool in ... Africa's digital space," she says. "We [would] like to position Nigeria and ultimately the region, not only as consumers of digital technologies, but also play a role in being producers and contributors as well on a global scale."

Stronger Economies Have Better Cybersecurity

The regional cybersecurity indices were created by using the scores for every organization collected by SecurityScorecard in 189 countries across 17 regions worldwide, but the researchers randomly selected half of the organizations tracked in the United States. The scores for the organizations were aggregated for each region to determine an overall regional score, which was then compared to gross domestic product (GDP) per capita for the district, SecurityScorecard stated in its Cyber Resilience Scorecard report. 

Africa and the Middle East score better than their GDP-per-capita peers, but still lag in cybersecurity. Source: SecurityScorecard (red highlighting added)

The correlation between the strength of the regional economy and cyber readiness is not surprising, as economies that tend to have more capital invest more in cybersecurity and innovation, Sherstobitoff says. 

"Economies that have more maturity and knowledge and access to technology are more likely to be aware of cyberattacks, versus those developing countries that may not have access to the same level of technology or resources," he says. "Leading economies that stand out, they have very mature cybersecurity practices, the governments have cyber resilience programs, they have alerting just like our own CISA here, and all focus on providing alerting and information on various cyberattacks."

African nations regularly face a variety of attacks, including distributed denial-of-service (DDoS) campaigns and, increasingly, ransomware, according to a July 2023 report by Positive Technologies. Successful ransomware attacks typically use — in three-quarters of cases (74%) — exploits to compromise vulnerable computers and network equipment, highlighting the security gap in the network perimeter, the company stated. 

"On underground forums, cybercriminals actively buy and sell access to the networks of major African organizations, such as government and financial institutions, trade enterprises, and IT companies," the company stated in the report.

More Capital Needed for Better Cybersecurity

The SecurityScorecard report found that the regions with the strongest overall cyber-resilience scores included Northern, Western and Central Europe, Australia and New Zealand, and North America. The Middle East joined those regions in scoring overall 'B' rankings.

The main factors that hurt cyber resilience included lacking endpoint security, a slow patching cadence, and factors such as network security issues, domain reputation, and the pervasiveness of ransomware.

Many of the regions with lower GDP-per-capita rankings also have to deal with out-of-date and unpatched — or even, unpatchable — equipment, says SecurityScorecard's Sherstobitoff.

"Often what we see is a lot of out-of-date technology," he says. "It's littered with vulnerabilities, and sometimes they are 'end of life' and there isn't a security fix or a patch, because the device is no longer supported. Those developing economies don't have the tech and they don't have the capital resources to invest in technology that is less vulnerable."

Interestingly, cyberattacks tend to come from geographic regions that neither have large nor small GDP-per-capita rankings. The top-4 originators of cyberattacks — China, the Russia Federation, Turkey, and Japan — are the immediate source for 58% of attacks, according to the SecurityScorecard report.