Small, medium and micro enterprises (SMMEs) in sub-Saharan Africa have faced a range of cybersecurity issues in the wake of the COVID-19 pandemic, with scaling digital capacity exposing SMMEs to threats like ransomware, phishing and supply chain attacks. A recent cybersecurity webinar hosted by the Cybersecurity Capacity Centre for Southern Africa (C3SA) at the University of Cape Town (UCT) shared some insights.

Established in January 2020, C3SA is a cybersecurity research and capacity centre hosted at UCT to increase cybersecurity awareness in the region and implement the University of Oxford’s Cybersecurity Capacity Maturity Model for Nations (CMM) assessment toolkit. The centre is a consortium comprising Research ICT Africa, the Department of Information Systems at UCT, the Global Cyber Security Capacity Centre at the University of Oxford and the Norwegian Institute of International Affairs.

Zainab Ruhwanya, a lecturer in UCT’s School of Information Technology, shared her research during the webinar “The sub-Saharan African cybersecurity ‘para bellum’: User data protection and privacy” on 16 February 2021.

Ruhwanya’s presentation focused on the approaches taken by SMMEs in the region to deliver better cybersecurity for users’ data and reflected on what has happened in the sector since the onset of the COVID-19 pandemic.

She noted that when many SMMEs moved to cloud-based services in response to restrictions brought on by the pandemic, cybercriminals responded with a 630% increase in cloud services attacks between January and April 2020. Other attacks included spear phishing (the act of sending emails to specific and well-researched targets while purporting to be a trusted sender), ransomware, smishing (a form of phishing that involves a text message or phone number) and supply chain attacks.

In explaining why SMMEs are left vulnerable to these attacks, Ruhwanya listed the numerous challenges they face, including a lack of financial and technical resources, poor information system security policies, a lack of plans for defence and incident response, shortage of skilled employees, and a lack of supportive government initiatives.

However, she did have recommendations about how the region’s SMMEs can deliver better cybersecurity for users’ data. These include cultivating a cybersecurity culture (backups, training, awareness and policies for information security and risk assessment); assessing compliance with data protection laws existing in their jurisdictions of operation; and leveraging external support through national, regional and international cybersecurity initiatives.

Data protection

Ruhwanya was one of four expert speakers on the day. She was joined by the Commonwealth Telecommunications Organisation’s Dr Martin Koyabe, who discussed the status of data protection for the region’s users in light of the European Union’s General Data Protection Regulation and other international regulations; Teki Akuetteh Falconer from Nsiah Akuetteh & Co in Ghana, who discussed the state of enforcement of data protection regulations in the region; and the University of Johannesburg’s (UJ) Professor Basie von Solms, who spoke about the maturity of awareness, training and education regarding the security of users’ data in sub-Saharan Africa.

UCT senior research fellow and postdoctoral researcher Dr Laban Bagui served as the moderator, and C3SA’s co-director, Dr Enrico Calandro, delivered the opening address.

C3SA aims to provide a single entry point for cybersecurity capacity building and research activities in the Southern Africa region and beyond.

In his presentation, Dr Koyabe highlighted that nearly 52% of African and Asian countries have established legislation for data protection, which mirrors investments in the sector. Africa has 28 countries with legislation, nine in the draft stage, 13 with no legislation and four countries for which there is no data.

Koyabe defined data protection, stating that it relates to avoiding harm against individuals through their personal data, and discussed the regulations that govern operations on personal data. He also listed the 12 minimum tenets for data protection and privacy law, which include more control to subjects, more accountability for controllers and processors, more transparency in processing personal data, reducing vulnerabilities and enhancing security, and cross-border cooperation for processing.

He also listed numerous challenges that are holding up the ratification and enforcement of the Council of Europe’s data protection convention 108/108+ and other related conventions. These challenges include the lack of comprehensive data protection regulation, challenges of implementation, lack of adequate resources, lack of harmonisation across initiatives, the balance between individual data subject rights and public interest or national security, and the lack of political will. The latter has affected most regulatory efforts to protect user data in the region.

Regulations enforcement

In her presentation, Akuetteh Falconer emphasised positive factors that have impacted the state of enforcement of data protection regulations in the region.

These include the extraterritorial effects of regulations such as the European Union’s General Data Protection Regulation, the awakening of jurisdictional courts to the necessities and realities of data protection enforcement, laws requiring registration of data processors and controllers, laws requiring regulatory authorisation before cross-border data transfers, and practice directives issued by data protection laws.

She also listed negative factors, such as the slow pace of enforcing regulations, reactive rather than proactive approaches and non-punitive implications of non-compliance, all of which continue to hinder the progress of enforcement of data protection regulations in sub-Saharan Africa.

Cybersecurity maturity

In the final presentation, Professor Von Solms, who is the director of UJ’s Centre for Cyber Security, discussed the status of capacity maturity of awareness, training and education regarding the security of users’ data in the region. He referred to three documents: Accenture’s Insight into the Cyberthreat Landscape in South Africa (2019), the CMM reviews and the 2020 KnowBe4 African Cybersecurity Research Report.

The Accenture report uncovered poor knowledge of cybersecurity among internet users and found that South Africa has the third-highest number of cybercrime victims worldwide, while the CMM reviews highlighted the remarkable progress made in cybersecurity capacity maturity in Uganda across multiple assessment exercises. The third document reported an increase in the number of people concerned about cybercrimes, indicative of growing awareness about these crimes and cybersecurity in the region.

This, said Von Solms, indicated a general growth in cybersecurity awareness in Africa, which is largely driven by the knowledge of cybercrimes. Both governments and the private sector are responsible for driving this momentum.

He added that the three documents emphasise the importance of education and awareness in speeding up the momentum of engagement with risks, threats and attacks in the cybersecurity domain.