This piece is the first in a two-part series examining the heightened and largely overlooked threat of cyberattacks on African businesses. The second part, which offers recommendations for mitigating risk, protecting data, and managing breaches, can be found here.
With the Fourth Industrial Revolution, the undeniable reality is that the global business ecosystem is undergoing profound and rapid change, given the penetration of new technologies and the growing interconnection of systems. Though this evolution offers opportunities for innovation, diversification, agility, and cost optimization, it also carries with it an increased exposure to a new and jeopardizing risk: cyberattacks.
Senior Fellow - Global Economy and Development, Africa Growth Initiative
Professor and Executive Director - Thunderbird School of Global Management, Arizona State University
Distinguished Fellow - Stanford University
Information Security Fellow - The Global Network for Africa's Prosperity
The year 2017 highlighted the urgency for heightened cybersecurity around the globe: The average cost of cybercrime for businesses increased by 22.7 percent since 2016, reaching an average of $11.7 million globally. Data leaks increased by 27 percent, as did the frequency of ransomware attacks. Incidences are multiplying and escalating: The Wannacry ransomware attack in May 2017 hit more than 200,000 users in 150 countries (and more than 400,000 computers) in just a few days. The Equifax data breach in September 2017 may have impacted 147.9 million consumers. These attacks don’t discriminate, either. Companies of all sizes and in all sectors around the world comprise a large majority of cyberattack victims, and this trend is spreading at breakneck speed.
As cybercrimes are threatening companies all over the world, the risk is even higher for African businesses. Though Africa is relatively limited in terms of communications infrastructure, due to the high penetration rate of new technologies, it is increasingly a target for cybercriminals, as most African countries still have a low level of commitment to cybersecurity (see Figure 1 below).
Figure 1. Global Cybersecurity Index Heat Map
Businesses working on the continent must, more than ever before, strengthen their cyber-risk protection systems in order to sustain their activities in an increasingly connected world and avoid damaging effects on their finances and reputation, on their employees and customers, and more generally on the local and regional economies.
Risks of legal and regulatory noncompliance
Given the proliferation of cyberattacks, an increased number of African countries have adopted and implemented several laws to protect the privacy and personal information of their citizens. In Morocco, for example, companies are required to comply with a set of laws on cybercrime, electronic exchanges and the protection of personal data, as well as a national cybersecurity directive issued by the National Defense Administration for the protection of critical infrastructures all over the country.
Considering this evolving threat, the European Union’s General Data Protection Regulation (GDPR), which entered into force in early May 2018, is an additional obligation for African companies wishing to maintain their commercial relations with Europe. In these cases, companies that do not comply with the mandated standards are subject not only to proceedings, but also penalties, fines, loss of productivity and reputation, and intellectual theft, among other consequences discussed below.
Loss of productivity
Loss or theft of data through cyberattacks can hamper productivity. In addition, to recover from a cyberattack a company might have to delay daily activities essential to its profitability, thus worsening this loss of productivity. For example, the 2017 Wannacry attack forced companies around the world to shut down their systems to stop the spread of the malicious code. The attack “immobilized” banks, hospitals, and government agencies in dozens of countries, particularly hitting Kenya’s financial institutions. The Renault Tanger-Méditerranée automobile plant in Morocco closed for a full day, causing a loss of production of a thousand cars. Many other African companies may have been seriously impacted by the attack, but the extent is unknown due to failure to report these attacks to the national authorities in charge of computer security incident response.
The financial cost of cyberattacks for businesses has increased significantly over the years. African companies publish very few figures on cybercrime, but the highest estimated costs in 2013 stood at $47 million (26 billion FCFA) in Côte d’Ivoire and $27 million (15 billion FCFA) in Senegal. More recent figures on annual losses (2017) are estimated for Nigeria at $649 million, followed by Kenya at $210 million. And many sectors are concerned by these losses, with financial institutions, government, and e-commerce hitting the top three impacted industries in Africa (see Figure 2).
Figure 2. Cybercrime cost in Africa by industry
While many financial impacts are obvious, such as production stop costs, penalties, legal costs, and compensation, many are less direct, including increased operational costs, loss of customer confidence, cancellation of contracts, and stopped production. In the 2017 cybercrime case of BGFI in Gabon—the largest financial holding company known in the Central African region (CEMAC)—customers experienced a massive fraud of more than $2.8 million (1.5 billion FCFA) on its prepaid card service, which the company then reimbursed.
In the case of ransomware, beyond the loss of productivity, companies often pay the ransom demanded by the attackers to recover their data. Importantly, none of these companies was able to confirm they finally got all their data back after paying the ransom.
Prosecution, penalties, and associated fees
One of the least predictable risks of cyberattacks is the leakage of personal data. Privacy is a fundamental human right that must be protected, and its breach has significant personal consequences. Beyond that, data breaches carry financial costs as well. Many companies are increasingly facing lawsuits filed by their clients or employees for insufficient data protection. The impacts associated with these proceedings, like the possible compensation of millions of victims, or other legal and regulatory penalties, as in the case of the credit card payment industry, can quickly become insurmountable for a company. In South Africa, the Information Regulatory Authority is currently investigating the cause of the biggest data leak in 2017—during which the personal data of more than 60 million people was stolen—and has made formal requests for explanations from the companies concerned.
The theft of intellectual property and sensitive information
Companies involved in new technologies, advanced services, media, and software development are particularly targeted by cyberattacks that cause leakage or destruction of data and are often motivated by industrial espionage. A loss of classified data such as commercial plans, patents, data on state security, among other sensitive items, compromises years of labor and research. This problem is particularly acute in Africa, as the legal standards for curbing the theft of intellectual property are generally not aligned with international ones. In a 2016 study, the Business Software Alliance (BSA) announced that 57 percent of software installed in Africa and the Middle East is pirated, promoting cyberattacks and causing a potential loss of $3.7 billion to publishers.
Cyberattacks and their fallout expose companies to the media and public scrutiny, putting the top management at the frontline of critics who hold them accountable for such failures, causing damage to image with customers, employees, investors, and partners. Companies must therefore be prepared to proactively manage this type of crisis communication, informing all stakeholders on a timely basis in order to preserve their consumer relationships and their reputation. Indeed, in a 2016 VMware study, 25 percent of the leaders of the largest global companies consider the most serious impact that a cyberattack can have on their organization is the loss of reputation among their customers.
Given the current context marked by the Fourth Industrial Revolution, with the systematic digital transformation of entire systems of production, management, and governance, everything is now networked, and anything networked can be hacked. So it is just a matter of time before businesses get hacked, attacked, or notice they are—and the consequences could be dire. The next task, then, for African businesses is to implement strategies to protect their clients, their data, and themselves from a cyberattack. Given the regional context, this can be achieved by considering four key initiatives: implementing cyber resilience strategies, developing cybersecurity skills, protecting data integrity, and integrating cyber risk protection in the decisionmaking process throughout all levels of management.