Africa is undergoing rapid economic transformation enabled by digitization, cloud migration, internet of things (IoT), artificial intelligence (AI), machine learning (ML), fintech, blockchain, mobile apps, smart devices and social media penetration. However, these aspirations and goals are also creating multiple cyber security challenges and risks.
Over 500 decision makers and key influencers such as Director Generals, CEOs, CIOs, CISOs and Business Unit Managers attended the Summit as representatives of regulatory bodies such as NITDA and Central Bank of Nigeria; national security agencies such as Nigerian Army and Nigerian Police; government entities and parastatals such as Nigerian National Petroleum Corporation and NIGCOMSAT; leading banks such as Stanbic and Guarantee Trust; renowned businesses such as Dangote and Chicason; and solution providers such as Microsoft, Uniken and Knowbe4.
I’m offering below 10 key take away from all the engaging presentations, panel discussions and fire-side chats that took place during the two days – and invite my peers who attended the summit to supplement their thoughts and key take away too.
One size does not fit all – so assess and choose what matters the most to you and what’s most relevant to you. There’s no copy paste in cyber security.
- Collaboration is key to cyber-crime mitigation: Fighting cyber-crimes is not a one-man or one-entity game. It’s not just the regulators’ ‘job’ and vendors don’t have magical wands. Therefore, its imperative for regulators, government entities, corporate / private organisations, businesses, academia, solution and service providers (consultants, local integrators, regional distributors and global vendors) to collaborate at different capacities to address cyber security collectively.
- Threat and attack information sharing must be real-time or ASAP: Getting attacked might be perceived as a matter of embarrassment. But the real damage is when companies fail to disclose such threats or attacks to their regulators and or industry peers. If one agrees collaboration is key, then they must agree to sharing threat and attack information either in real-time if they have the means to do so or ASAP so that others in the industry/country can be alerted. Cyber security is a collective responsibility.
- Capacity building at organisation level and national level is crucial: Like the physical space, the digital and cyber space too requires constant capacity building at both organisation and national level. Engaging local and international experts towards building capacity around strategic, tactical, technical, operational and human aspects of cyber security can go a very long way in defending threats and mitigating risks.
- Skills shortage must be addressed proactively: One of the biggest challenges of our time – not just in Africa but across the globe – is the huge shortage of skilled cyber security professionals. Adoption of latest technologies, drive for innovation and widespread penetration of internet is making our cyber space bigger and more vulnerable. The ‘bad team’ has always tried to stay ahead of the game and the ‘good team’ often falls short. Identifying and nurturing talent across different backgrounds (age, education etc) by partnering with educational institutions, industry bodies and associations
- Comprehensive and inclusive regulations can work wonders: Most regulators focus mainly on the sectors/industries under their purview. For ex. A Central Bank might not always think of the overall ICT regulation or regulations around telecommunications. A national ICT regulator may not necessarily focus much on SMEs and startups in the non-ICT space. Therefore, these regulators meeting on a common table, frequently, and encouraging each other to take the overall ecosystem into consideration before drafting or passing regulations would make wonders in addressing cyber security comprehensively.
- National platforms for breadth and depth: Companies with deep pockets might afford state of the art solutions and services to keep themselves relatively safe from cyber threats and attacks. But what about others within the same industry who cannot afford it? A solution to this could be for regulators, at least those governing industry verticals with critical infrastructure and crucial information, to build national security operations center (SOC), threat intelligence platform (TIP), orchestration and automation tools (SOAR), awareness platforms and more encompassing ALL companies under their purview. Funding might be driven by the industry consortium.
- Frequent, interactive and gamified awareness can increase preparedness: Another major challenge of our time is PEOPLE. Whether or not we like it, humans continue to be the weakest links of the cyber security ‘kill chain’. However, they can become the strongest links or ‘HumanFirewall’ with regular training and awareness on safe IT usage, cyber hygiene, threats and attacks they are prone to and their responsibilities towards ensuring or enhancing the organizational cyber security. Such programs need to be tailored, interactive and gamified where possible to engage the audience and prepare them to thwart possible attacks.
- Embrace solutions and technologies catering the changing threat landscape: If companies still think that having firewalls and antivirus is enough, they are adrenaline junkies (or sitting ducks) eager to experience cyber-attacks. Organisations need to study risks and threats within their industry, assess their security maturity and gear up to embrace basic, advance and niches cyber security strategies, solutions and services to enhance their internal and external security posture.
- Board level and executive involvement is a MUST: With more businesses claiming to be tech-enabled or digitally driven, cyber security is no longer an IT risk. It’s a business risk. Some boards and CEOs are wise enough to acknowledge this and are personally involved in their respective cyber security strategies and roadmaps at applicable capacities. However, most others are still lagging, or worse, not bothered at all. It’s the job of IT and security executives to educate their boards on why cyber security must top the boardroom agenda and the possible repercussions on the business if it doesn’t happen so.
- Business networking platforms are fundamental: business gatherings like #Cyfrica2020 as well as boot camps and community gigs are fundamental to knowledge sharing, bench marking, problem solving and collaboration. Depending on the nature of your organisation / business, support these platforms in any possible form – financial sponsorship, strategic partnership, content contribution, cyber activation etc – and make the most of the opportunity.
Cyber security is not a choice – it’s not ‘if’ you will be attacked but ‘when’ you will be attacked. So, be prepared, and start the preparation now!
On a related note, below are some of the solutions and services that seem to be in high demand or gaining traction in West Africa:
- Solutions: endpoints security / endpoint detection and response (EDR); email security; cloud security; threat hunting; privilege access management; multi factor authentication; security incident and event management (SIEM); incident detection and response (IDR); threat intelligence (TI) and platform (TIP); security orchestration, automation and response (SOAR); malware and ransomware prevention; 3rd party risk management; phishing protection; mobile application security; industrial control systems (ICS) security; operations technology (OT) security); IoT security; and network security and visibility, to name a few.
- Services: comprehensive security strategy and framework development; cyber policy creation; governance, risk and compliance management; vulnerability assessment and penetration testing (VAPT); security auditing; 3rd party risk assessment; security awareness and training; deep and dark web monitoring + analysis; digital risk protection; brand protection; and email authentication, to name a few.