Case Study:
The last two decades have witnessed increased technology adoption in Africa. According to
Forbes, there are more than 600 million total internet users in Africa. Analysis by the IFC and
Google finds that Africa's internet economy has the potential to reach US$180bn by 2025,
accounting for 5.2% of the continent's GDP. By 2050, the projected potential contribution could
reach US$712bn, 8.5% of the continent's GDP. But the rise of the internet also has a dark side,
with the growing risk of private citizens, businesses, and governments falling victim to cybercrime.
The South African Reserve Bank (SARB) has identified cybercrime and emerging technologies as
growing threats to South Africa's banking sector. In its report, the reserve bank said threats
including internet and mobile banking platforms, may be exploited to facilitate money-laundering
and fund terrorism. South Africa is ranked among the top ten countries in the world in terms of
cybercrime. The country is also ranked seventh out of sixteen countries polled for the highest cost
of a cyber breach. The report notes over 90% of the banking sector offers online banking services,
and mobile application banking, except for one mutual bank.
"Although online banking offers faster transactions and more convenient options for banking,
these features are also attractive to criminals. Online features can hide the true identity of clients
(which in-branch visits would have detected), and these features can also hide the true
destination and beneficiaries of funds," says the SARB report. Southern African Fraud Prevention
Service (SAFPS) CEO, Manie van Schalkwyk says consumers must try by all means to make sure
that their data is always secured. According to SABC News, Phishing remains one of the most
prevalent scam techniques. The South African Banking Risk Information Centre (Sabric) estimates
that SA businesses suffer a total of about R250 million in losses each year due to phishing attacks
and internet fraud.
However, according to an article by African Business published on August 8, 2022, Kaspersky, a
Russian firm that provides anti-virus software, in their analysis revealed that attacks related to
data loss threats including phishing, scams, and social engineering increased significantly in Africa
in Q2 2022 in comparison with the previous quarter.
The company detected 10,722,886 phishing attacks in Africa in Q2. Kenyan users were influenced
the most by this type of threat: there were 5,098,534 phishing attacks detected in 3 months - a
growth of 438% when compared with the previous quarter. Kenya was followed by South Africa
(4,578,216 detections and a growth of 144%) and Nigeria (1,046,136 detections and a growth of
174%).
The Guardian in an article published August 3, 2022, reported Kaspersky saying social engineering,
"human hacking" scams, are used in many ways, and for different purposes, to lure unwary users
to the site and trick them into entering personal information. It stressed that the latter often
includes financial credentials such as bank account passwords or payment card details, or login
details for social media accounts.
According to the security firm, phishing is a strong attack method because it is done on a large
scale. It stressed that by sending massive waves of emails under the name of legitimate
institutions or promoting fake pages, malicious users increase their chances of success in their
hunt for innocent people's credentials. The article explained that phishers deploy a variety of
tricks to bypass email blocking and lure as many users as possible to their fraudulent sites, adding
that a common technique is HTML attachments with partially or fully obfuscated code. It stressed
that HTML files allow attackers to use scripts, and obfuscate malicious content to make it harder
to detect and send phishing pages as attachments instead of links.
According to a recent Interpol report, about 90% of African businesses are operating without the
necessary cybersecurity protocols and, therefore, are exposed to cyberattacks. The report also
noted that there were more than 700 million threat detections in Africa within one year. Over the
years, there have been efforts from different African countries to address the cybersecurity
challenge. According to an article by Forbes published on August 2, 2022, in South Africa,
President Cyril Ramaphosa signed the Cybercrimes and Cybersecurity Act in 2021. This law
mandates electronic communication service providers and financial institutions to act when their
systems suffer a cybersecurity attack or breach. South Africa had previously signed the Protection
of Personal Information Act No. 4 of 2013 Act into law.
At the continental level, the African Union (AU) adopted the Convention on Cyber Security and
Personal Data Protection, also known as the Malabo Convention, in 2014. This was followed by
the release of the Personal Data Protection Guidelines for Africa, a collaborative measure
between the Internet Society and the AU, in 2018. According to the United Nations Conference on
Trade and Development (UNCTAD), out of the 54 countries in Africa, only 33 (61%) have a data
protection law in place. Meanwhile, Business Tech in an article dated July 8, 2022, said the
Department of Police gazetted its draft search and seizure rules for cybercrimes committed in
South Africa. The Gazette, which is currently open for public comment, falls under the
Cybercrimes Act which was partly introduced by President Cyril Ramaphosa at the end of 2021.
"The Cybercrimes Act provides a new legal mechanism for addressing cybercrime in South Africa,
as well as creating a range of new cybercrime offences," the department said. "It also provides for
mechanisms to preserve electronic evidence in the cyber domain, to conduct the search, access,
and seizure operations in respect of an article as defined in the CCA, and the gathering of data
connected to both cyber and other crimes that are committed by means of or facilitated through
the use of an article." The draft rules also noted that an individual's right to privacy, as well as
other fundamental rights, must always be respected, and any infringement of these rights may
only be justified in terms of the law. "The right to a fair trial is paramount, and the responsibility
of the investigation and prosecution team in terms of gathering, preserving, and presenting
evidence to a court fairly and objectively, remain of utmost importance." Without serious
cybersecurity efforts, opportunistic criminals around the world stand poised to reap the benefits
of Africa's internet growth story.
It is important to understand the different options related to cryptography to implement it
correctly. Discuss three options that African businesses can use to implement
cryptography correctly.
The answer discusses the three options for implementing cryptography and applies them to the case study.
1. Secure Communication Protocols: African businesses can implement cryptography by using secure communication protocols. These protocols encrypt the data being transmitted over networks, ensuring that it cannot be intercepted or tampered with by unauthorized individuals. Examples of secure communication protocols include Secure Sockets Layer (SSL) and Transport Layer Security (TLS), which are commonly used in online banking and e-commerce transactions. By implementing these protocols, businesses can protect sensitive data such as customer information and financial transactions from being compromised.
In the case study, the South African Reserve Bank (SARB) identified internet and mobile banking platforms as potential targets for cybercriminals. By using secure communication protocols, banks can ensure the confidentiality and integrity of their customers' transactions, making it more difficult for cybercriminals to exploit these platforms for money laundering or other illegal activities.
2. Data Encryption: Another option for implementing cryptography is by using data encryption techniques. This involves converting plain text data into ciphertext using an encryption algorithm and a secret key. The encrypted data can only be decrypted and read by authorized parties who possess the corresponding decryption key. By encrypting sensitive data such as customer records, financial information, and business communications, African businesses can ensure that even if the data is stolen or intercepted, it remains unreadable and useless to unauthorized individuals.
In the case study, the article by Kaspersky highlights the prevalence of phishing attacks in Africa, where cybercriminals attempt to trick users into entering their personal information on fraudulent websites. By encrypting sensitive data, businesses can protect it from being accessed by these phishing attackers, reducing the risk of data loss and financial fraud.
3. Secure Storage and Access Controls: In addition to secure communication protocols and data encryption, African businesses can implement cryptography by employing secure storage and access controls for their data. This involves encrypting data at rest, such as stored databases or files, and implementing strong access controls to ensure that only authorized individuals can access the encrypted data.
By securing data storage and controlling access to sensitive information, businesses can protect against unauthorized access or data breaches. The Interpol report mentioned in the case study highlights that many African businesses are operating without necessary cybersecurity protocols, making them vulnerable to cyberattacks. By implementing secure storage and access controls, businesses can reduce the risk of data breaches and unauthorized access, ensuring the confidentiality and integrity of their data.
In conclusion, African businesses can implement cryptography correctly by using secure communication protocols, data encryption techniques, and secure storage with proper access controls. These measures can help protect sensitive data and mitigate the risks associated with cybercrime, as highlighted in the case study.
Implementing cryptography correctly is crucial for African businesses to ensure the security and privacy of their data and communications. There are several options available for implementing cryptography effectively. Here are three options that African businesses can consider:
1. Secure Communication Protocols:
One option for implementing cryptography is to use secure communication protocols. These protocols, such as SSL/TLS for web communications and IPsec for network communications, provide encryption and authentication mechanisms to protect data as it is transmitted over the internet or other networks. African businesses can adopt these protocols to ensure secure communication between their systems, preventing unauthorized access and eavesdropping.
Applying this to the case study:
African businesses, including banks and financial institutions, can implement SSL/TLS for their online banking and mobile application banking services. By doing so, they can ensure that the communication between their customers' devices and their servers is encrypted and protected from interception by cybercriminals. This will help prevent scenarios like phishing attacks and unauthorized access to customer data.
2. Encryption for Data-at-Rest:
Another option for implementing cryptography is to use encryption for data-at-rest. This involves encrypting sensitive data stored on devices, servers, or databases to protect it from unauthorized access or data breaches. African businesses can use encryption algorithms and technologies, such as AES (Advanced Encryption Standard), to secure their data-at-rest.
Applying this to the case study:
South African businesses, especially those in the banking sector, can implement encryption for customer data stored in their databases. By encrypting sensitive customer information, such as account details and personal identification data, businesses can ensure that even if their systems are compromised, the data remains encrypted and unreadable to unauthorized individuals.
3. Public Key Infrastructure (PKI):
PKI is a comprehensive solution that enables secure communication and authentication using public-key cryptography. It involves the use of digital certificates, key pairs (public and private keys), and trusted third-party entities called Certificate Authorities (CAs). African businesses can implement PKI to establish secure communication channels, digitally sign documents and emails, and verify the authenticity of parties involved in transactions.
Applying this to the case study:
African businesses, including banks and government institutions, can implement PKI to secure their online transactions and communications. They can issue digital certificates to customers, employees, and other stakeholders to ensure the authenticity and integrity of sensitive financial transactions and data exchange.
By considering these options, African businesses can strengthen their cybersecurity posture and protect themselves against cyber threats, including phishing attacks, data breaches, and unauthorized access. It is essential for organizations to assess their specific needs and resources to decide which cryptography implementation option suits them best.
Implementing cryptography correctly is crucial for African businesses to safeguard their data and protect it from cyber threats. Here are three options that African businesses can consider for implementing cryptography correctly:
1. Secure Communication Protocols: Using secure communication protocols is essential for protecting data transmission over networks. For example, businesses can adopt protocols like Transport Layer Security (TLS) or Secure Socket Layer (SSL) for encrypting data during communication between servers, websites, or applications. By implementing these protocols, businesses can ensure that data remains secure and confidential during transmission, making it harder for cybercriminals to intercept and obtain sensitive information.
In the case study, implementing secure communication protocols would help protect online banking transactions, preventing cybercriminals from eavesdropping on communication between banks and their customers. This would make it more difficult for criminals to exploit online banking platforms for activities like money laundering and terrorism financing.
2. Encryption for Data Storage: Data encryption plays a crucial role in protecting sensitive information when it is at rest. By encrypting data, businesses can ensure that even if unauthorized individuals gain access to the data, they will be unable to read or utilize it without the encryption key.
African businesses can implement encryption for their data storage solutions, including databases, cloud storage, and backups. Encrypting sensitive data such as customer information, financial records, and personal data will provide an additional layer of security, making it significantly more challenging for cybercriminals to access and misuse this information.
In the case study, implementing encryption for sensitive banking data stored on servers and in databases would help protect against data breaches and unauthorized access. It would prevent cybercriminals from accessing and utilizing stolen data for phishing attacks, financial fraud, or identity theft.
3. Public Key Infrastructure (PKI): Public Key Infrastructure is a framework that enables secure communication, authentication, and data integrity through the use of digital certificates and encryption keys. PKI is widely used for securing transactions, digital signatures, and authenticating users in various applications and systems.
Implementing a PKI infrastructure can benefit African businesses by providing a robust framework for secure communication and authentication. It enables the use of digital certificates and encryption keys to verify the identity of users or systems, ensuring that only authorized individuals or devices can access sensitive information or perform specific actions.
In the case study, implementing a PKI infrastructure could help enhance the security of online banking platforms. By leveraging digital certificates and encryption keys, banks can ensure that only authenticated users can access their accounts and perform financial transactions securely. This would mitigate the risk of unauthorized access and protect customers' data and funds from cybercriminals.
In conclusion, African businesses can implement cryptography correctly by adopting secure communication protocols, encrypting data at rest, and leveraging public key infrastructure. These measures would enhance data protection, safeguard sensitive information, and mitigate the risk of cybercrime in various scenarios, as highlighted in the case study.