Why unconscious incompetence is Africa’s biggest cybersecurity threat
Market research into Africa’s cybersecurity landscape across eight countries shows that while a high percentage (72%) of respondents are concerned about cybercrime and believe they are empowered to deal with it, few actually know what to do or how to do it. And so the problem of ‘unconscious incompetence’ continues to poke holes in cyber defence strategies across the continent.
This is according to the 2021 KnowBe4 African Cybersecurity & Awareness Report, based on a survey the company conducted with 763 respondents from eight countries, including Botswana, Egypt, Ghana, Kenya, Morocco, Mauritius, Nigeria and South Africa.
The Report focused on key metrics around cybersecurity awareness and behaviours to gain a holistic view of the continent’s cyber stance and how users perceived the threats. It also highlights some of the gaps that remain in security awareness in spite of the risks posed by the pandemic and the evolution of hybrid working frameworks.
One of the major concerns for KnowBe4 is the gap between being concerned and proactively responding to the situation.
Anna Collard, SVP Content Strategy & Evangelist KnowBe4 Africa, said, “One of the biggest concerns and something that has not improved a lot since the first round of surveys in 2019 is the problem of "unconscious incompetence". People say they are concerned, but they also believe that they have what it takes to protect themselves, when as a matter of fact they don't.”
Pandemic still an issue
The pandemic and the increased adoption of the hybrid working model have also exposed businesses and employees.
“The pandemic remains a central issue for most users when it comes to how they plan to work and live in the future,” said Collard. “This year, nearly 55% plan to continue working from home. Respondents are increasingly concerned about the risk of cybercrime at 72%, however, the trend this year has been an increase in overall security confidence, which is not necessarily earned. People think they know more than they do and this is causing issues.”
The challenge is that people are still taking unnecessary risks, in spite of their growing awareness and understanding of cybercrime. Around 10% are very likely to share their personal information and 54% will trust an email from someone they know, even though 36% have fallen for a phishing email and 55% have had a malware infection. These numbers are up from 2020, and are compounded by the fact that most users believe that they can confidently identify a security incident (44%) but only 46% could accurately identify ransomware – a small drop from 2020 at 47%.
Collard added, “The number or the sophistication of social engineering attacks has actually not really increased as such, (or there isn't much data to prove this), however the impact and success rate seems to have grown, potentially because of the increase in attack surface that has come with people working from home. (i.e. lack of proper security controls in distributed environments, rapid pace of tech scaling and roll outs etc.)”
Of increasing concern is that more than 30% of users do not know what two-factor authentication is, 40% are not using a secure password – 20% believed that P@$$word! was a strong password – and yet 63% use their mobile devices to do payments or banking. They are putting themselves at risk with poor password hygiene and limited security controls.
“Email remains one of the biggest security threats,” said Collard. “People are still very trusting of emails they have received from people they know (54%, up 2% from 2020), even though those email accounts could have been impersonated or hacked. There is a definite need to educate people around the rising social engineering threats around emails, social media, chat apps and the phone (vishing).”
The report found that while people are paying more attention to security, they are still falling prey to scams and attacks that they could have avoided. From social engineering to investment scams, the threats are gaining ground.
Considering that around 34% have lost money because they fell victim to a scam, and 26% have experienced a social engineering attack over the phone, it is clear that cybercriminals remain determined to use any means necessary to catch people unaware.
“For organisations, it has become critical that they train employees around security best practices and the various methodologies used by the cybercriminal,” said Collard. “People need more help in learning about how to stay safe online at home, the office and on the road. Perhaps the worst mistake is that they believe they are security smart and can identify the risks, when they actually cannot. This is putting both them and their company at risk.”
According to Collard, there are many reports which provide evidence of the extent of the problem of social engineering.
She points to Verizon's Data Breach Investigations Report, which lists the human element as being involved in 85% of breaches, with social engineering (including phishing) listed as the top attack vector.
“Business Email Compromise (BEC) scams, a form of email-based social engineering, is the number one reported fraud by the Internet Crime Centre and the FBI. Social engineering is listed as the top attack vector for cyber extortionists. Social engineering is also what's behind many of the crypto / NFT scams. Romance scams coupled with crypto investment scams all use sophisticated social engineering (psychological tricks) tactics to dupe victims. It is de facto, next to vulnerable systems / patching, one of the top cybersecurity threats and challenges we are faced with.”
KnowBe4 says building a security culture, in other words strengthening the human defence layer and making people aware of how to detect and prevent social engineering attacks, is a crucial element of an organisation's cybersecurity posture, especially as many people continue to work from home.
While this will help, Africa’s cyber threat landscape continues to grow and continues to keep business leaders awake at night.
“We are faced with a myriad of challenges such as skills and capacity shortages, the pace of technology innovation and unwillingness / lack of understanding of many stakeholders (particularly in the DeFi, crypto space) to adequately address security concerns, a lack of prioritisation by business and government leaders and an emerging economy that is highly cyber-dependent and therefore attractive to criminals,” Collard continued.
She explained that a public-private sector collaborative approach is absolutely necessary to address the challenge of cybercrime and the impact it has on our organisations, society and citizens at large. “Focusing on critical thinking and digital literacy is crucial for our schools' and educational institutions' curriculums to prepare the new generation to navigate this space.”