Criminal masterminds, smart attack vectors, clever phishing tactics and sophisticated cybercrime methodologies are putting people and platforms at risk.
“We undertook a poll to assess cybersecurity awareness in Africa and discovered that some of the key issues facing organisations right now were awareness and understanding,” she explains. “Many people still feel safe online and believe that cybercrime will not affect them personally. Others expect their work to take care of their cyber safety or do not know how to mitigate the threats themselves.”
The KnowBe4 Cybersecurity in Africa survey polled 800 employees across multiple sectors in Mauritius, Botswana, Egypt and Ghana to assess their cybersecurity awareness. The survey focused on their levels of connectivity, the digital devices and platforms used, their perceptions of cybersecurity, the ways in which they work and their understanding of the threats. Of those surveyed, 97% use a smartphone, 74% use a laptop, 47% have a smart TV, 31% use a tablet, 17% have a gaming console, 8% use a feature phone and less than 1% had none of these devices.
When asked what applications they use for work, the most prevalent was WhatsApp (89%), followed by email (80%), Facebook (59%), Telegram (46%), Instagram (45%), Twitter (42%), Zoom (42%), LinkedIn (36%), Microsoft Teams (18%), Snapchat (18%), Slack (5%), WeChat (4%), Signal (4%) or other tools (1%). On the personal front, the picture remains largely unchanged with Facebook ranking second (78%), followed by Instagram (57%), email (46%), Telegram (40%), Twitter (39%), Snapchat (25%), LinkedIn (14%), Zoom (11%), Signal (3%), Microsoft Teams (2%) and other tools (1%).
“WhatsApp is the most used app across both personal (98%) and business use cases,” says Collard. “While email remains the most popular form of business communication on the continent, it is still immensely popular for personal use. Both platforms are high-risk for cyber threats such as phishing, ransomware and fraud, so these should be a priority for organisations looking to drive awareness and training.”
Connectivity is of course a key concern, as it often introduces vulnerabilities to both professional and personal networks and devices. The survey found that 71% access the internet through their mobile networks, overlapping with the 71% who access the internet through home Wi-Fi, and 36% who go online through work/office networks, while 12% access the internet at internet cafes and 15% use free Wi-Fi at public places.
“The question is – do people understand the risks associated with accessing the internet in public places and are they putting the right security protocols in place?” asks Collard. “Often, people do not even know that they can be hacked while they access free Wi-Fi, or that they can have critical information, like passwords, stolen while they are online.”
This concern is reflected in the research on cybercrime awareness. On a scale of one to five, most said that they were concerned with cybercrime, with 29% saying they were ‘very concerned’ and 38% saying they were ‘concerned’. However, 19% said that they were ‘somewhat concerned’ but that they did not understand the threats or how to mitigate them while 7% said that they did not believe it affected them personally because their work took care of it and 7% felt safe and ‘not at all concerned’.
“The problem is – everyone should be concerned about cybercrime,” says Collard. “All it takes is for one person to introduce a virus to a system or open up a doorway or lose their passwords, and the entire organisation is put at risk. Training has never been more important, especially when there is a clear trend around people feeling like they do not know enough about cybercrime to protect themselves or feel like they do not understand what they need to do to stay informed about the risks.”
This is reflected in the biggest concerns raised by those who were worried about cybercrime, with respondents citing online fraud (51%), identity theft (24%), children and family (14%), lack of understanding (10%) and other concerns (1%) as their primary worries. While over half said that they had received cybersecurity training from their employers, only 21% agreed that the training was adequate, while 10% felt it was not adequate at all. And it is worth noting that many people still were not entirely sure what their roles and responsibilities were around information security (11%) and 45% said that they ‘somewhat agree’ that they could recognise a security incident. Only 34% of people said they felt ‘very confident’ that they could recognise a security incident if they saw one.
Most respondents are hesitant to give away personal information, with 29% saying they tended not to share personal details such as their identity number, and 51% saying they would share this information only if there was a real need to do so, and they understood what it was being used for. 13% part with personal information if they cannot avoid it. Worryingly, 7% are comfortable sharing personal information, with 4% saying they are likely to do so if they can get something in return – such as a discount, and 3% saying they share personal information all the time.
“Then, we look at issues like cyber hygiene and discover that only 43% of respondents could identify what ransomware was, and only 61% could identify a strong password,” says Collard. “A worrying 20% selected P@$$word!, 25% selected thisismysuperwonkyapp#1, 16% chose Summer#123 and 3% chose Grandma1959. 6% said none of these was strong passwords. Only the 62% who chose DSM@8043&! were correct.”
Digging deeper into how well people understand security, the survey asked people to define two-factor authentication, and 60% said it was ‘using my password plus something I own, such as a One Time Password generator’. However, 20% said it was ‘Entering my password twice for extra security’, 8% said it was Captcha generators, 9% said it was using two different passwords and 4% said it was using a password manager. Only 17% say none of the common cybercrime tactics has affected them. More than half (51%) said they had previously had a virus infection on their computer, 32% had lost money due to a scam or con artist, 26% had clicked on a phishing mail, 21% had been scammed from a phone call and 17% had forwarded a scam or hoax email.
When checking to determine whether an email is legitimate, 55% said they only trusted emails from people they knew, 54% do not click on links or open attachments they were not expecting, and 27% checked for bad grammar or spelling as a sign the mail is not legitimate. 31% Google the sender or topic to see if it is a scam, 23% hover over links to see their origin, and 11% do all the listed checks.
Add to this the risks of working from home – 32% said they had moved to work from home and among the 20% who were affected by cybercrime while working from home, a multitude of scams and cybercrimes occurred. These scams ranged from being tricked into crypto investment schemes and identity theft, to accidentally downloading viruses and being hacked.
“The entire landscape is a challenge and the only way to thrive within this complexity is to arm your people with the tools and understanding they need to protect themselves,” concludes Collard. “Training is the only way to ensure that all the protections and security investments made by the business are fully realised by those who use them. If people understand the threats, their role in mitigating the threats, and what to do to protect against them, they are empowered and more able to overcome the challenging landscape that lies ahead.”