Africa’s security culture levels cause for concern
Being cyber aware is no longer a tech skill, it is a life skill and everybody should know how to conduct themselves.
This was the sentiment of Anna Collard, senior VP of content strategy and evangelist at KnowBe4 Africa, speaking during her talk at the ITWeb Security Summit 2021 this week.
Collard was remarking on the findings of the 2021 KnowBe4 Security Culture Report that measured security culture based on industry.
To determine its findings, the report surveyed more than 320 000 employees across 1 800 organisations worldwide.
Based on the report’s findings, the financial services sector has the highest score in terms of security culture. Meanwhile, the government and education sectors were among the lowest scorers, which Collard described as sad, but hardly surprising.
She added that people who work in government and construction have the worst attitude towards security.
Collard said she found it quite concerning that in terms of cognition, which refers to knowledge, learning and awareness, the education sector scored worse. With people working from home, schooling being done online, and a new generation coming into the workplace, the fact that education institutions are not providing security knowledge and security awareness as part of their standard curriculum is unfortunate, she added.
Referencing another KnowBe4 report that surveyed 400 organisations across 18 African countries – where security officers were asked to rate themselves or their organisations – she said 34% of the respondents said they believe they have a mature security culture, while the rest (66%) said they needed to do more work.
In terms of threats, the respondents listed ransomware, malware, phishing, spear phishing and social engineering as the usual threats that companies in Africa are concerned about. “It’s not that much different from the rest of the world,” she stated.
According to Collard, what was positively surprising in the respondents’ feedback were the initiatives or security projects that they are involved in, with them noting that security awareness or training and security culture programmes are top of mind.
Interestingly enough, when looking at the data from the Nigerian respondents, security awareness training didn’t come out on top. Instead, they cited multi-factor authentication, which could have been due to the move to remote work, she said.
User-based security culture
Turning to users, Collard said her company conducted another report that surveyed 800 people from eight different African nations, namely SA, Botswana, Egypt, Morocco, Mauritius, Kenya, Nigeria and Ghana.
She revealed that in 2020, only 40% of those surveyed had the confidence that they would recognise a security incident. This was in stark contrast to 2019, where half of respondents said they were very confident that they would recognise a security incident.
Collard explained: “In 2019, over half of the people didn’t know what multi-factor authentication was or they clicked on the wrong example. More than half of them didn’t know what ransomware was.
“On the one hand, we are dealing with people who think that they know how to spot a security incident and are quite confident, but on the other hand they don’t know the most basic threats or controls.
“What we are dealing with is a problem of unconscious incompetence – people that don’t know what they don’t know yet, which is a big problem, especially when one considers the amount of people coming online in Africa.”
She continued: “It’s been forecast that the number of connected people will double in the next two years, a lot of them are first-time users and a lot of them will do mobile payments on their devices; and the fact that those consumers don’t know what out there could possibly happen to them is quite concerning.”
“In January, we surveyed about 800 users from those eight African countries,” she said. “The majority of the people said they are concerned about their privacy rights, with about a third of them expressing ‘severe’ concern.”
Despite this, only 11% said they would consider moving away from the popular messaging platform, with South Africa having the highest number at 15%. Sixty percent won’t do anything.
Collard stressed that the level of security awareness in Africa is not where it should be and governments are not prioritising cyber security as much as they should, adding that there are not enough public-private collaborations. “We really need to do something about that; it’s like a ticking time bomb.”
To improve security culture on the African continent, she pointed to public-private collaboration. “The fact that industry is not working with government to solve this problem… anyone working in security should try to find ways of working with government.
“Governments, especially in South Africa, need more help in terms of incident response, creating citizen awareness and bringing cyber security learning programmes into schools,” she concluded.