On Sunday, May 3, Côte d’Ivoire’s official government website published an interview with Stéphane Kounandi Coulibaly, Director of Innovation, Startups and the Private Sector at the Ministry of Digital Transition. In the interview, he outlined the country’s ambition to become a regional innovation hub. Yet significant challenges remain, particularly in cybersecurity. In that context, We Are Tech Africa spoke with Babel Balsomi (pictured), an ethical hacker, AI researcher and CEO of Hiero Digital, to examine some of the key issues.

We Are Tech Africa: Ivorian authorities have stepped up their cybersecurity ambitions with the creation of the National Agency for Information Systems Security (ANSSI) and the launch of a Security Operations Center (SOC). On the ground, do these ambitions match the scale of the vulnerabilities being observed?

Babel Balsomi: The creation of ANSSI is a real structural step forward. Bringing the National Computer Security Incident Response Center (CI-CERT), the Cybercrime Fighting Platform (PLCC), and the Directorate of IT and Digital Forensics (DITT) under a single authority helps address the fragmentation that had weakened the government's ability to respond quickly to incidents. The political will is clearly there, and that matters.

But there is still a major gap between these institutional ambitions and the reality experienced by businesses and ordinary users. The situation on the ground looks very different.

WAT: How would you assess the cybersecurity posture of SMEs in Côte d’Ivoire today — in terms of infrastructure, practices and awareness among business leaders?

BB: Starting with infrastructure, a large share of the systems supporting Côte d’Ivoire’s digital economy — corporate networks, servers and network equipment — is outdated. During audits at SMEs, including accounting firms, logistics companies and private clinics, I still regularly find servers running Windows Server 2008 or 2012, even though Microsoft stopped supporting those systems years ago.

Yet these machines remain connected to the internet and continue handling client data, including financial information, often without properly configured firewalls, network segmentation or isolated backups. Expanding digital services on top of that kind of infrastructure simply increases the attack surface without improving security.

A large share of the systems supporting Côte d’Ivoire’s digital economy — corporate networks, servers and network equipment — is outdated.

As for practices and awareness, the lack of cybersecurity culture is often profound, but not deliberate. I frequently meet business owners who discover during our first discussion that cybersecurity is a field in its own right. Yet these companies process payments through mobile money platforms, store customer data and form the backbone of the Ivorian economy. They are real targets — they just do not realize it yet.

WAT: In large companies, why is cybersecurity still struggling to become a strategic priority at the executive level?

BB: In large companies, the problem is different from what we see in SMEs. Operational teams are often aware of the risks, but that awareness usually runs into the same obstacle at management level: cybersecurity is still treated as a cost rather than a strategic issue.

I have seen technical teams identify critical vulnerabilities, produce detailed remediation plans, and then watch those plans get pushed aside because executives considered them non-essential. In some cases, incidents followed a few months later.

A lot of infrastructure today is effectively surviving on luck. Some companies have exposed systems accessible from outside networks with inadequate protection.

WAT: Beyond technical weaknesses, what human and organizational barriers are slowing cybersecurity progress in Côte d’Ivoire?

BB: The first is internal protectionism. Some teams see outside expertise as a threat and resist initiatives that could improve security because they fear losing influence or exposing internal weaknesses.

The second is the lack of continuous training. Cybersecurity evolves constantly, yet many teams are not investing enough in keeping their skills up to date. Over time, they lose touch with how threats are changing.

The third barrier is the failure to integrate young talent. There are highly capable and motivated cybersecurity professionals in Côte d’Ivoire, but organizations still struggle to recruit and retain them. The problem is not necessarily deliberate exclusion. Hiring structures, salary policies and management culture are simply not designed to attract these profiles.

We developed the Cybermétéo — a bulletin designed to assess a company’s vulnerabilities and identify leaked data — precisely to provide organizations with an objective view of their security posture. One in three companies refuses the exercise. Not because of cost, since it is free and confidential, but because many organizations still see transparency about vulnerabilities as a threat in itself. That says a lot about the gap between institutional ambition and operational reality.

WAT: You often speak about the lack of a cybersecurity culture within organizations. How can employee behavior become a major vulnerability?

BB: Beyond budgets and infrastructure, cybersecurity is also a cultural issue. It is still not seen as a shared responsibility.

An employee clicking on a phishing link, coworkers sharing passwords, or confidential documents being sent through personal messaging apps — these are the kinds of everyday behaviors that create openings for attackers.

I have conducted phishing simulations in Ivorian companies where between 70% and 80% of employees clicked on malicious links. That is not a question of intelligence. It is a question of awareness and exposure to the right information.

An employee clicking on a phishing link, coworkers sharing passwords, or confidential documents being sent through personal messaging apps — these are the kinds of everyday behaviors that create openings for attackers.

This kind of culture has to be built over time through training, leadership and clear internal policies. Right now, it remains largely absent.

WAT: Ordinary citizens are also increasingly exposed. Why do you describe connected users as the weakest link in the digital chain?

BB: More and more people are using fintech services every day as mobile adoption expands rapidly across the country. But most users are operating without any real protection.

WhatsApp scams, fake giveaways, identity theft on social media and fraudulent applications collecting personal data affect thousands of people every day. Most users simply do not have the tools or instincts needed to detect these threats.

Today, ordinary citizens are the most exposed and least protected part of the chain. At a time when mobile payments are becoming mainstream, public services are moving online and health and identity data are being collected at scale, the lack of cybersecurity awareness among users is no longer a secondary issue. It is a systemic risk.

WAT: Before artificial intelligence even enters the picture, what are the most common and effective cyberattacks targeting organizations in Côte d’Ivoire today?

BB: The threat landscape can broadly be divided into three levels, each reflecting a different degree of inadequate preparedness.

The first is phishing, and it is causing serious damage. Large companies, mid-sized firms and SMEs are targeted daily by phishing campaigns. What makes these attacks successful is not necessarily technical sophistication, but the absence of basic cybersecurity habits.

It can be a fake Treasury Department email requesting updated banking information, a WhatsApp message impersonating a CEO to request an urgent transfer, a fraudulent link imitating the CNPS portal or a local bank, or a fake telecom invoice with altered banking details. These situations occur every week.

In the simulations I have conducted, click rates on malicious links regularly exceed 70% to 80% of employees tested. In Europe, those figures would trigger serious concern. Here, they are often treated as normal.

Many companies have no business continuity plans, no reliable backups and no incident response contracts.

The second category is Business Email Compromise, or BEC, and these incidents are becoming increasingly common. A company receives what appears to be a legitimate email from a supplier announcing new banking details, and the accounting department sends money to a fraudulent account.

This technique has existed for more than a decade and does not rely on advanced technology. It works because many organizations still lack basic verification procedures, dual approval systems for transfers and sufficient staff awareness. This is not primarily a technology problem. It is a culture problem.

There is also the issue of data encryption. I have audited private clinics where patient records were stored on unencrypted local drives with no offsite backup, on Wi-Fi networks shared by doctors, administrative staff and visitors.

The third category is ransomware. Given the weaknesses we have discussed, even relatively simple ransomware attacks could paralyze a large number of organizations. Many companies have no business continuity plans, no reliable backups and no incident response contracts.

Hospitals, corporations and critical infrastructure operators in Europe and the United States have already been crippled by ransomware attacks for weeks at a time. Organizations in Côte d’Ivoire face the same threats with far fewer resources to respond and recover.

WAT: Is Côte d’Ivoire prepared for the new threats associated with artificial intelligence?

BB: No. And the threats linked to AI are fundamentally different.

One of the first risks is prompt injection. AI agents are autonomous systems capable of carrying out tasks with limited human intervention — accessing databases, sending emails, interacting with third-party systems and making certain decisions.

A prompt injection attack works by inserting malicious instructions into the data processed by the AI system, whether through a document, a form or an email. The objective is to hijack the system and make it perform unauthorized actions without operators realizing it.

For example, if a government agency deploys an AI agent to process citizen requests, a compromised form could instruct that system to quietly exfiltrate entire databases. The danger lies in the same qualities that make AI agents useful: autonomy, speed and operational capacity.

The danger lies in the same qualities that make AI agents useful: autonomy, speed and operational capacity.

The second category is training data poisoning. If an AI model is trained on compromised data, its outputs and decisions can gradually become distorted without anyone immediately detecting the manipulation. The model continues operating normally, but its reasoning has been compromised at the source. Since Côte d’Ivoire aims to develop models adapted to local realities, this risk is particularly important.

The third category involves mutating AI-driven attacks and prompt flux. Today, attackers can use large language models to generate hundreds of malware variants automatically. Each version differs slightly from the previous one, allowing it to evade antivirus systems based on known signatures. It works like a fast-mutating virus that changes more quickly than defenses can adapt.

Prompt flux pushes this even further. Malicious instructions change continuously and unpredictably in real time, making conventional filtering systems far less effective because every attack appears differently. These attacks can also destabilize AI models themselves and turn them into attack surfaces.

What is important to understand is that even the most advanced countries are still struggling to defend against these threats. Standards are still evolving, tools remain under development and expertise is limited.

If a prompt flux attack targeted a bank, telecom operator or government agency in Côte d’Ivoire today, the consequences could be severe. Many organizations still lack reliable backups, incident response teams, behavioral detection systems and crisis management procedures. In some cases, there is also deep distrust toward external cybersecurity experts. The result is that systems could remain compromised long before anyone realizes what happened.

Africa has the chance to avoid some of the mistakes made elsewhere, where digital ecosystems were built without integrating security from the beginning. But this opportunity will not remain open indefinitely.

The talent needed to build these capabilities exists in Côte d’Ivoire. I see it during cybersecurity competitions and within technical communities. But organizations still struggle to integrate and retain these profiles. That represents a direct loss for national resilience.

WAT: The country wants to deploy AI in sectors such as healthcare, agriculture and education. Can these initiatives scale safely without stronger digital foundations?

BB: Let me be very clear: deploying artificial intelligence across Africa is a historic opportunity, and the continent needs to move now, not in five years.

Africa has the chance to avoid some of the mistakes made elsewhere, where digital ecosystems were built without integrating security from the beginning. But this opportunity will not remain open indefinitely. Global technology firms, investors and regional competitors are already moving quickly.

So the real issue is not choosing between AI and cybersecurity. The challenge is advancing both simultaneously. Right now, however, that is not what I see in practice.

Take the example of AI systems used in public hospitals to manage patient records or assist with diagnosis. These systems must connect to hospital networks, databases and multiple staff workstations.

Yet in many environments, I still find unsegmented networks where doctors, administrative staff and visitors share the same infrastructure, login credentials shared between users, and sensitive data left unencrypted both during transmission and storage.

In that environment, AI does not simply increase the value of the system. It also increases its exposure to attacks.

An attacker who compromises such a system could block access to medical records during an emergency, alter patient data or steal information belonging to thousands of people. Similar attacks have already severely disrupted hospitals in France, the United Kingdom and the United States. Africa will not remain immune indefinitely.

Karen Diallo said it clearly during the Cyber Africa Forum: many organizations still do not see the need to invest in digital security until it is too late.

An AI system that is secure by design can be deployed faster and adopted more broadly because users trust it. Conversely, a major incident involving an insecure system could damage confidence for years among users, investors and institutional partners.

The Safe AI Label was launched with positive intentions, but it still raises a key question: what technical standards actually support it? A label without independent audits, enforceable requirements or penalties for non-compliance is not a security guarantee. At this stage, it is mainly a statement of intent.

I am not arguing against AI deployment. Quite the opposite. Security should be treated as a condition for acceleration, not as an obstacle.

An AI system that is secure by design can be deployed faster and adopted more broadly because users trust it. Conversely, a major incident involving an insecure system could damage confidence for years among users, investors and institutional partners.

My position is straightforward: no AI deployment in critical sectors such as healthcare, agriculture or education should move forward without a mandatory pre-deployment security audit. That is not a conservative approach. It is the minimum requirement for turning this technological opportunity into a lasting advantage rather than a large-scale vulnerability.

WAT: Beyond the broader discourse around digital transformation in Africa, what message would you like to send to decision-makers in Côte d’Ivoire and across the continent?

BB: The message is simple: digital transformation cannot succeed sustainably if security is treated as an afterthought.

Digitization without cybersecurity is like building a city without doors or locks. The larger the system becomes, the more vulnerable it grows.

The ambitions outlined by the Ministry of Digital Transition are real. Expanding the startup ecosystem, deploying AI in public services and positioning Côte d’Ivoire as a regional technology hub are important goals that deserve support.

But cybersecurity is still too often absent from these discussions. That omission matters because it reveals a structural blind spot. Governments are digitizing services, connecting agencies and opening public contracts to startups without building the security mechanisms needed to protect the ecosystem at the same pace.

Every digital service launched without adequate security measures creates a new vulnerability. Every database assembled without encryption increases the risk of future breaches. Every connected agency without proper network segmentation becomes a possible entry point into wider government systems.

The consequences are already visible. Startups in Côte d’Ivoire increasingly have access to public contracts, which is positive. But many of these companies still lack strong cybersecurity practices while handling sensitive government data and connecting directly to state information systems.

Every digital service launched without adequate security measures creates a new vulnerability. Every database assembled without encryption increases the risk of future breaches. Every connected agency without proper network segmentation becomes a possible entry point into wider government systems.

That creates opportunities for supply chain attacks, where attackers compromise smaller or less protected organizations to gain indirect access to larger targets. I have already documented this type of pattern in Côte d’Ivoire.

Digital transformation creates value, but it also increases systemic dependencies. If those connections are not secured, they become systemic vulnerabilities.

There is also an important human dimension that remains underestimated. Internal rivalries, resistance to change and managers reluctant to integrate younger talent continue slowing both cybersecurity progress and digital transformation more broadly.

These factors are holding the country back at a time when both digital transformation and cyber threats are accelerating simultaneously.

What decision-makers need to do is involve private-sector actors, SMEs and operational experts directly in the design of digital transformation strategies — not just cybersecurity strategies.

These are the people confronting vulnerabilities every day. They understand where systems fail, where digitized processes generate unexpected risks and where local talent can strengthen resilience.

Digital transformation has to be built with the people living these realities on the ground.

Interview by Adoni Conrad Quenum