Cyber-crime is Africa's 'next big threat', experts warn

Government and commercial online services could
become the next frontier for illegal activity in
Africa, security experts are warning.
As more people get access to the internet across
Africa, governments and businesses are increasing
their online presence but there are questions about
how secure these websites are.
The email scam using a message from someone
pretending to be a relative of a dead African leader
asking for bank details is well known, but now
tactics have changed.
Today's cyber-criminals do not need users' approval
or awareness to access valuable data, which could
lead to the theft of a large amount of money.
For example, a recent cybersecurity report on Kenya
says businesses are losing about $146m (£96m) every
year to cyber-crime.
Kenyan cybersecurity analyst Freddy (not his real
name) showed me how the average Kenyan website
lacks adequate protection.
Working on a dummy site with a typical level of
security, he showed me how it was possible to hack
into it.
"This will take me about 15 minutes," he said as he
typed away, writing code.
As predicted, in just a quarter of an hour, he had
full access to the database and was able to change
the administrator password and upload his own
material.
Freddy is one of the good hackers who advises
companies and defends them from attacks rather
than exploits the problems, but he feels the response
to the online risks is inadequate.
This situation is replicated across the continent.
South Africa's Sunday Times newspaper reported
that hackers launched 6,000 cyber-attacks against
South African infrastructure , internet service
providers (ISPs) and businesses in October alone.
Bright Mawudor, a Ghanaian cybersecurity expert at
Pukyong National University in South Korea, says
that most African banks, government agencies and
ISPs, in the face of competition, prioritise what
their website can do and how fast new features can
be released to the public.
Security is an afterthought, he argues.
"These websites are usually outsourced to software
development companies who get pressured to deliver
quickly," he says.
"Something that should take about a month has to
be delivered in a week and is thus sub-standard.
They always make a mistake and the hacker just
has to find one."
Government website threat
Rather than creating their own systems from
scratch, there is a tendency to take a shortcut and
use existing popular templates, which Mr Mawudor
says can easily be breached.
He says he knows of several African governments
that use these for their websites that can contain
sensitive information including individuals' personal
details, which can be used for identity theft.
According to the recent Kenyan cybersecurity report,
most African-based businesses, particularly small
and medium-sized enterprises, are unable to
withstand cyber-attacks.
"If there was the threat of a physical attack you
would see a lot of fences and guards," says William
Makatiani of Serianu Limited which was behind the
report.
"Unfortunately with cyber-attacks, very few people
can detect them and you can go for up to a year
without knowing you've been attacked."
At the Serianu offices in the Kenyan capital,
Nairobi, big screens show world maps with yellow
spots appearing in different countries representing
cyber-attacks happening in real time.
As these continue, Mr Makatiani suggests the main
reason some companies are waking up to the threat
is because they are losing money, but he says they
are only disclosing these incidents discreetly.
The types of crimes are also becoming more
sophisticated - moving from password theft, to
stealing credit card details to attacks on computer
networks.
Even if the worst-affected businesses like banks and
insurance companies improved their security, the
ISPs are accused of not doing enough to create
sufficient security for the small businesses they
serve.
South Africa recently opened a virtual cybersecurity
hub in its capital, Pretoria, to help business,
government and civil society work together on
responses to these incidents.
Research firm Columinate suggests that South
Africa is one of the world's cybercrime hotspots.
State Security Minister David Mahlobo pointed out
that for the country to be adequately protected, there
needs to be more awareness of the threats.
Challenging hackers
This situation is mirrored across the continent and
has led Mr Mawudor to help found Africahackon, a
forum bringing together cyber-security experts, from
university to corporate level, to discuss how to take
the initiative on these issues, rather than wait for
the security gaps to be exploited.
The group works with a lot of young people with
newly-acquired computer skills who might otherwise
be tempted to use them for illegal activity online.
"You can never stop cyber-attacks but you can
employ the best practices to curb them," says Mr
Mawudor.
"This will be a process over time and not a one-day
event."