With the acceleration of digital transformation across the continent, African countries are compelled to invest in cybersecurity. 18 of the continent's 54 countries have already drawn up national cybersecurity strategies, and 22 have national computer incident response teams (CIRTs).
The lack of investment and weak regulation exposes Africa to cyberattacks, according to the report "Cybersecurity in Africa- A Call to action" published in June 2023 by consulting firm Kearney. Yet investment in the African cybersecurity market is set to rise from $2.5 billion in 2020 to $3.7 billion in 2025, representing a compound annual growth rate of 7.9%.
"Despite this investment, it’s estimated the region loses more than $3.5 billion annually due to direct cyberattacks, and billions more from missed business opportunities caused by the resulting reputational damage from the attacks,” the report says.
To show the continent’s vulnerability to cyberattacks, Kearney tested its cyber resilience –the ability to resist, adapt, and recover from cyberattacks. That test focused on the five African best performers in the International Telecommunication Union's Global Cybersecurity Index: South Africa, Morocco, Nigeria, Kenya, and Egypt.
“Through the five selected countries, the analysis showed that Africa’s cyber resilience is low, particularly around strategy, governance and operational entities and cross-sector cooperation,” the report states.
While the average benchmark is 0.25% of GDP, South Africa, the African champion in cybersecurity spending, invests just 0.19% of its GDP, compared with 0.03% for the rest of sub-Saharan Africa. "If each African country spends 0.25 percent of GDP annually on cybersecurity, this would be in line with spending in mature markets. Our estimates suggest that this translates to $4.2 billion annually for the region," reads the document.
In addition to financial investment, investment in human capital is also an important component. Indeed, 84% of organizations believe that less than 50% of candidates applying for cybersecurity jobs are qualified, and more than half of companies seeking these profiles take more than 6 months to find qualified people.
Against this backdrop, in an interview with We Are Tech Africa last May, Youssef Mazouz, Secretary General of the African Cybersecurity Center, explained that there was a need to support Africa “by setting up continuous training, building skills, and opening cybersecurity research centers and universities."
Regulatory issues
African countries are yet to agree on regulations. Although the African Union convention on cybersecurity and the protection of personal data was adopted in 2014, it is not yet effective to this day. According to Article 36, to become effective, the convention must be ratified by at least 15 of the continent's 54 countries. To date, only 14 have ratified it, the latest being Côte d’Ivoire (March 2023). However, digital transformation has been accelerating on the continent since the Covid-19 pandemic.
“Cybersecurity is not a matter from which African countries can isolate themselves. The interconnectivity of systems results in the interconnectivity of the security threats to member states.[...] The absence of an implemented, unifying, regional governance framework makes it difficult to collaborate and share intelligence,” the report indicates.
Africa will better manage cybersecurity by emulating European countries, which opted for the General Data Protection Regulation (GDPR). That law, effective since May 2018, frames data processing equally throughout the European Union (EU).
Adoni Conrad Quenum
