Developing Africa’s Cyber-Infrastructure
Analysts at PricewaterhouseCoopers say the cyber threat landscape is bigger than ever in 2015. CNBC Africa’s Godfrey Mutizwa explored the best ways to develop Africa’s cyberinfrastructure with Mohammed Amin Hasbini, Senior Information Security Researcher at Kaspersky Lab; Ayotunde Coker, Managing Director of Rack Centre; and Yemi Saka, Partner Advisory Service, EY West Africa.
MUTIZWA: Mohammed, a headline suggested that the issue of cyber security and threat is bigger in Africa than in other jurisdictions, is this true? And what are we doing about it?
AMIN HASBINI: We actually see that the world as a whole is moving from having IT and infrastructure related to information systems as a small entity within each organisation all serving specific purposes to actually serving all businesses and where the business even runs. We are moving towards smart cities now, where every business will have full ownership of ICT infrastructure and that definitely brings us to new threats and we are seeing a lot of increase in cyber threats especially in the South African Region and this is because of multiple reasons; firstly, the option of information systems: we are all now becoming more connected than ever and as we move to smart cities we also need to become smarter people because we have to carefully handle our devices as we have a lot of private information and they can be also used to deliver other attacks.
MUTIZWA: Ayo, tell us your contribution to the problem at hand and tell us who most is at risk here, is it the individual, organisations or the Government?
COKER: It is a significant issue across the board because there is an increase in take-up of technology to access services by consumers, be it banking services, other payment services and so on, so this is now becoming a general issue. The problem with cyber security is, it is not just localised in one country, it is a cross country issue so people are mobile, people will use services wherever they are, so it’s an increasing issue, it’s important that consumers are made aware by companies that deliver services in a digital fashion, you can only secure services to a point if the end consumers are not aware of the dangers as related to cyber security, then you tend to find out that unscrupulous criminals will use tricks like phishing to get round technical solutions to the problem, it’s not also just down to the governments, it’s a joint collaboration between government and business to make sure there is end customer awareness on the dangers of cyber-crime and how to make sure that they actually do not become victims of cyber-crimes. It is a wide-spread issue across many countries.
MUTIZWA: Yemi, I would imagine working with the private sector as well as with governments, you probably would have seen the collaboration between the two.
SAKA: There is actually a lot more transparency now in the sense that this whole notion of cyber security or cyber threats is now being more in the open. We are still challenged with the degree of openness especially in the financial services sector with regards to actual threats. In the private and public sector, cyber security is actually a challenge that is ever going to increase and seeing more increased threats. If we look at how digitised our economy will become, how digital it is, compared to five or ten years ago, the threat from cyber-security will certainly increase. In terms of the collaboration, a lot of that has started but there is still a lot more work that has to be done but it is more from a perspective of how to make open conversations around some of the cyber threats that we are seeing, some of the advanced threats and how do we enable our people to start being more proactive rather than reactive.
MUTIZWA: How big is this threat?
SAKA: I believe cyber threat is a global issue. From an African perspective, one could argue why the perception around threat level or how susceptible we are to threats, it is really because being proactive certainly gets you further in terms of strengthening your infrastructure and there needs to be a greater push to accepting that these threats are real, more importantly, being able to take the step of making the right investments. Being proactive is not just from a technical or cyber perspective, it is also from a financial investment perspective, make the right investments by protecting what you can’t see today because as an organisation, you have individuals you need to protect, you have become a data custodian, it’s really being bold to make the right investments to protect and strengthen infrastructure of a lot of the organisations.
MUTIZWA: Ayo, do we have the infrastructure? And do we have the platforms where we can be able to collaborate across national, regional, pan-African and global platforms as well?
COKER: Infrastructure here is referred to as understanding what needs to be done and implementing it. The key thing about cyber-crime is; it never stops. People will always find a way to get around the infrastructure you put in place so it is a continuous issue. Capacity building is a very important thing for us to put in place in Africa. The adoption of technology in Africa is taking off, if you look at mobile penetration, mobile continues to be a mass adoption platform to access the internet and services, so you have adoption racing ahead, you have the issue of cyber security which you can’t just fix and believe it’s done, it is an ongoing thing. Capacity development that is required to make sure you have the right solutions in place to ensure that you continue to secure the infrastructure that end consumers use. In terms of collaborating across different countries, it has to be done, it is not just a single country issue, it is actually a global issue but from a regional point of view, you have to have racial blocks come together to ensure that the right policies are put in place to drive cyber awareness. We are now talking about the internet of things where you have other devices even cars now using internet technology for access to data, those can be hacked. If you have a situation like that, you therefore need to make sure that you have the right controls and minimum standards in place and checks to ensure that you have minimum levels of cyber security protection and an ongoing process for monitoring that this continues to be effective.
MUTIZWA: Mohammed, do you see any evidence that the collaboration is happening and that we have the platforms?
AMIN HASBINI: The attacks that are happening are raising a lot of concerns among the organisations and in Africa. We see a lot of initiatives being launched but we need better maturity into discussing what is happening and we need a platform for not only investigating what is happening but also in defining the framework and platform for sharing such information because the same attack is happening in multiple organisations at the same time and only one experience could help us all get better in fighting and defending our organisations. We see that as we move to a smarter world, we also need to raise more awareness among everyone because it is not only about the organisation, it is about the people and implementing the culture of defence and cyber security and the dangers of the internet. One of the recent trends that we are currently seeing even in Kaspersky in the last few years is a lot of digital information being stolen, cyber-attacks and threats, we see that attacks are coming back into the real world, people being blackmailed for money because someone stole their pictures or someone activated their camera, we see some organisations and government entities having their intelligence information and core databases stolen and being sold to be used by other foreign intelligence agencies and that is extremely dangerous. We need specifically long term planning for best results and to lower the costs also on the long term. If we don’t do that we would have a lot of difficulties.
MUTIZWA: Yemi, how do we ensure this balance to the protection as well as the other side ensuring the security of our phones and the security of our bank accounts and the security of our national borders as well as just been demonstrated by those terrible attacks in France?
SAKA: How do you protect the information that you have, but also on the flip side how do you prevent people from running their everyday life exchanging information freely as most of us do actually. That’s a huge tension that we are seeing specifically and when we start talking about cyber security issues. If you look at some of the mature markets in terms of what they have done from a standards perspective there is a lot of strong rigour on how to protect information and how you move information across borders. And I think for us here in Africa and even more specifically in Nigeria the sense of data privacy is one that is increasingly maturing and so it is not where it needs to be yet but there is a greater sense of personally identifying with the Nation needs to be held with the right security control required. For clients in the financial services sector there is this sort of great need for protecting financial data and actual information. We just did a recent survey alongside the security which EY does on a yearly basis and one of the survey reports actually suggests that 90 percent of organizations may not even know if they are attacked at all. Not knowing if you are attacked is a huge problem and that’s because when you look at cyber security threats, most times they come in slow and undetected. I think that’s the current tension we are seeing and I think we are still going to see it more and more of those tensions.
MUTIZWA: So Ayo, would you like to contribute on that?
COKER: Just to build on that, business leaders need to understand the onus that’s on them with respect to understanding broadly the implications on security, other issues such as identity theft and so on that can occur if you don’t have the right solutions in place. Why do they need to be aware? Investment decisions have to be made so that you put in place the right solutions to make sure you do not get attacked or have the right levels of security or the right level of monitoring to know even if you are getting the wrong kind of attention with people trying to penetrate your systems. I think that’s improving and increasingly you see banks for instance implementing international standards such as a 27001 international standard and other standard for payment systems that protect PCIDs that’s payment systems protection and you see investments in that and you see banks are increasingly being certified to that. Basically they say you have got minimum levels of security now for example; Sony, Target and all, it is the CEOs that have to stand up and probably sometimes lose their jobs and there has been penetration of their IT systems. At the highest levels of organization they need to be aware of what the implication of the businesses are with respect to cyber security. Most CEOs feel they need to understand the financial dynamism of their business and the legal implication of the businesses they are working. They need to start to understand the cyber and technology implications of the businesses they run so they can make the right investment decisions to protect the data of consumers, ensure they protect their systems and also educate their end consumers.
MUTIZWA: Mohammed, the issue of the hackers there is an often repeated line that airports would actually employ some of the hackers if they are able to break down their systems, how do we use them as testers of the system in a good way?
AMIN HASBINI: It is actually not a good idea to use hackers in the testing of your organization because they could also bring with them a lot of new threats and they could maybe have access to information that they shouldn’t, so security assessment should be done in all organizations and help in identifying vulnerability and could be done by international organizations and they could be done in a very professional manner that will help in identifying the weakest link in each organization and dealing with that as you mentioned the example of the airport itself we are seeing an increasing trend of having people hired maliciously within an organization, we have multiple recent examples and underground which is the forum websites where criminals get hired, we are seeing people putting money in Bitcoin which is anonymous currency and for everyone who can give a certain access to certain fines and permissions in certain organizations and this is becoming an increasing trend that we definitely also need to consider.
MUTIZWA: Mohammed, what about the issue of skills and also innovation as well as technological developments, are we deploying enough resources to those two things?
AMIN HASBINI: There is a lack of information security resources whether it is in terms of investments or actual skilled people. This is an international issue that everyone is trying to deal with at the moment you see we rely more and more on its infrastructure and we definitely need better protection but better protection is not the result of just developing the skills within people but we also need international agreements on developing secure protocols and secure standards and secured technologies that is also an issue that we definitely need to take care of. We have seen multiple protocols been in recent revelations and the leaks we have heard of been just developed in a weak manner so some organizations can benefit from this, it is something we need to address immediately international agreement on. Sometimes governing the cyber world is critical not only to the development of cyber world but humanity itself.
MUTIZWA: Ayo, can you comment on the private sector side, are they deploying enough resources? Yemi, you can comment on the government side.
COKER: You continue to get technology innovation. In Nigeria, there are biometrics, the bank verification numbers that ties the identity to the biometrics. They have other technologies now they don’t just use fingerprints, finger vein they are technologies that very well identify people for authentication for services. So you continue to have technology advances that will assist businesses in dealing with this issue and the key thing is to ensure that the awareness is there so these technologies can be properly implemented not just for the sake of it you also have to think of the human factors locking down and giving access to people and data, so you need to pick these technologies carefully and implement them in the right way and this bank verification number that has been used in Nigeria which is based on biometrics is a good example of that.
SAKA: From my perspective, I look at it slightly differently, there is a paradox and this paradox says there are actually not enough information security specialists but if you look on the darker side some of these individuals that are proponents of cyber-attacks are actually here so it’s a global phenomenon with people that are out of the country and it is people that are everywhere so you have smart people that are causing a lot of cyber-attacks and when you start looking at the industry there are challenges of finding the right skills. I’ve seen more and more people build more of these skills, as I have more conversations with clients I see them staff the organization correctly and building strong teams that understand cyber security and are very committed to actually building and further enhancing these skills so I think as we lay more emphasis in cyber security, we are going to see this grow as a profession. You look at kids coming out of schools these days there is a strong focus on technology but I think over the next 5 years it is going to slightly shift and you are going to see more of information security specialists and people building careers along the information security lines.