In this column called “The Indicator,” we will be taking an economic or financial statistic from East Africa and breaking it down into bite-sized nuggets of knowledge for investors.
This month’s indicator figure is 597,028,294.
597,028,294 US dollars is the projected cumulative annual cost of cyber security attacks across East African Community (EAC) countries for 2020 as extrapolated from a 2017 study “Demystifying Africa’s Cyber Security Line”.
What is a cyber security attack?
A cyber security attack, often called a “hack,” is when a nefarious individual or group uses a computer to invade the computer or the computing network of a person or company.
Cyber attacks can come from external attackers such as cybercriminals seeking to steal money, damage a company’s reputation, or block access to computing resources in order to extort ransom money from a company. Cyber attacks can also come from “insiders”: frustrated current or former employees who seek to steal a company’s accounts or damage the company’s reputation. In addition, employees unskilled in proper cyber security practices may unwittingly allow attackers into a network by clicking links, downloading movies or songs, or using easily crackable passwords.
According to a global study by Accenture, US$1.5 million is lost by companies for each cyber security incident across the nine most common types of cyber attacks.
What types of companies are most at risk?
Typically companies that are involved in finance and those involved with handling consumer data are most at risk. This includes companies in banking, fintech, telecommunications, health care, government services, manufacturing, ecommerce companies, and other companies that have significant assets such as intellectual property or value held in digital files or databases.
COVID-19 has exponentially increased the risk of cyber attacks due to a larger percentage of people working from home with their home networks being the weakest link in the chain for both internal and external attackers.
Companies with frustrated or disgruntled employees are especially at risk. Insider occurrences make up 53% of attacks according to a report from the Africa Cyber Security Conference with losses for African firms of US$100,000 to US$500,000 per successful insider attack. 24% of companies expect damages from insider attacks to exceed US$500,000.
Although small businesses may feel that there is comfort in obscurity, a report from MTN Kenya suggests that 43% of all cyber attacks are aimed at small businesses.
Which EAC country is expected to suffer the greatest and which the least amount of losses from cyber attacks?
Organizations in Kenya are projected to suffer the greatest amount of annual losses both in total as well as a percent of GDP at US$307 million and 0.3% respectively. Tanzanian organizations are expected to lose US$144 million followed by Uganda at US$98 million, Rwanda at US$35 million and Burundi at US$12 million in losses.
Countries in the EAC have been losing approximately 0.26% of GDP from cyber crimes since 2017.
How do the number of cyber attacks in the EAC compare to elsewhere in the world?
As a percentage of GDP, EAC countries are unfortunately worse off than other African nations but better than some other developing countries. Nigeria loses approximately 0.16% of GDP to cyber attacks, Ghana loses 0.13%, and African countries cumulatively lose approximately 0.11% of GDP due to cyber attacks.
Outside of Africa, Brazil’s economy loses the most from cyber attacks at 1.20% of GDP followed by China losing 0.48% of GDP.
The most secure is New Zealand which reports losing the least from cyber attacks at approximately 0.05% of GDP.
Are cyber attacks against companies in the EAC likely to increase or decrease?
Cyber attacks are growing globally at approximately 13.5% cumulatively year on year and the EAC is likely to suffer the same or a greater challenge from cyber crimes due to a number of factors.
Most cyber security solutions are priced for European or North American markets; cyber security training is complex and requires dedicated staff; and there aren’t enough trained cyber security professionals available in the market.
According to a report on cyber security policy effectiveness in Africa, 83% of organizations lack systems to deal with cyber security breaches which means that African companies are likely soft or easier targets for external and internal attackers.
The Communications Authority of Kenya reported a 47.3% increase in cyber crimes in the past year, reaching 37.1 million separate attacks officially reported in Kenya alone, suggesting that cyber crimes are growing faster in East Africa than elsewhere. This elevated cyber crime growth rate is likely compounded, as other reports from MTN in Kenya suggest that nearly 90% of cyber crimes are not being reported.
What is being done to prevent cyber attacks in the EAC?
The African Union has established a Convention on Cyber Security and Personal Data Protection, which has served as East Africa’s overarching policy guideline on cybercrimes since 2014.
Each country has its own specific regulations and criminal penalties to discourage cyber crimes perpetrated within its borders.
In addition, several EAC countries are following the lead of the European General Data Protection Regulation (GDPR) and imposing significant monetary penalties for breaches of consumer information.
Uganda’s Data Protection and Privacy Act of 2019 requires immediate reporting to regulators of any breach, with penalties of up to 2% of a company’s gross annual revenue for non-compliance. Kenya’s Data Protection Act requires 72 hours’ notice, or companies may experience a penalty of US$50,000 or a fine of 1% of revenues. Similar consumer protection laws and respective penalties are anticipated in Rwanda and Tanzania in the upcoming months.
What are some companies operating in East Africa that can help investors and firms mitigate cyber attack risk?
- Kaspersky (https://www.kaspersky.co.za/) is a cyber security product vendor headquartered in Moscow with its African headquarters in Johannesburg and sales team members in Nairobi.
- PwC (https://www.pwc.com/ke/en.html): PwC Kenya is a privately owned affiliate of the global professional services brand known for its audit, tax, and compliance divisions. PwC has partnerships with cyber security firms to provide risk assessments and recommendations to mitigate cyber security risks.
- Tabiri Analytics (www.tabirianalytics.com) – based in Kigali with presence in Kenya, Uganda, and Rwanda, Tabiri Analytics is the first graduate from the Industry Innovation Lab at Carnegie Mellon University Africa. Tabiri has a full suite of cyber security services “providing the first affordable automated managed cyber security as a service for East African enterprises” as 24/7 cyber security expert extensions to existing IT teams.
About the authors:
David L. Ross is Managing Director of Stratera Capital, Distinguished Professor and Practice of IT Entrepreneurship at Carnegie Mellon University Africa, and US Ambassador to the Open University of Tanzania. He is active in growing companies in Eastern and Southern Africa through primary investment, investment advisory, strategic partnerships, and executive education. Connect on LinkedIn at http://www.linkedin.com/in/davidlross1. Disclosure: David is an angel investor in Tabiri Analytics.
Catherine Mandler is a Senior Analyst at Stratera Capital. Connect on LinkedIn at http://www.linkedin.com/in/CatherineMandler.