Cyberattacks against financial institutions in developed countries tend to get the lion’s share of reportage. In fact, it is easy to forget that developing countries and areas also have their share of attacks and financial losses. West Africa is one such region that rarely gets coverage in western security magazines. However, a survey has recently been carried out by Dataprotect, a Moroccan information security company, which looked at the cybersecurity capabilities of 148 banks in the West African Economic and Monetary Union (UEMOA). UEMOA countries comprise Mali, Niger, Senegal, Benin, Burkina Faso, Ivory Coast, Togo, and Guinea-Bissau. Three Central African countries – Gabon, the Congo, and the Democratic Republic of Congo were also included in their survey.
The results found that over 85% of the banks in these countries had suffered cybersecurity related attacks that incurred losses. Of this 85%, around one-third involved bank card fraud, while phishing scams were responsible for another third. Twenty-four percent of cyberattacks involved intrusions into the core banking systems, whether to steal data or implant other malware.1 The remainder consisted of identity theft, money-transfer fraud, information leakage, and fake check scams.
Just 6% Percent of Cyber incidents Discovered
These cyberattacks have cost the banks an average estimated loss of approximately €770,000 (approximately US$852,350), over the past few years. Each malware infection costs, per computer, around €9000 (approximately US$9963) for the companies involved to mitigate. However, the founder of Dataprotect, Ali El Azzouzi, believes that the problem may be even more significant. He has estimated that only 6% of cyber incidents are discovered by the banks’ cybersecurity staff and that even when they are, they are not always made public.2
West African Banks & Cybersecurity Investments
Although West African banks report investing in cybersecurity, the amount remains low relative to other regions. For example, 85% of the surveyed banks said that they spend at least €500,000 (approximately US$553,475), whereas 50% invested much less: between €100,000 and €500,000 (approximately US$110,695 and US$553,475).3 This modest investment represents a much lower amount than the costs incurred by an attack. So, are these banks just being complacent in the face of growing cybercrime worldwide, especially within the financial sector? The truth is a little more complicated.
The African continent, as a whole, is behind the rest of the world when it comes to cybersecurity awareness. In many countries, people are owning computers and connecting to the internet for the first time, and so are not particularly informed about the possibility of cybercrime. Employees of companies, including financial organizations, also tend to be uneducated about cyber threats such as phishing emails, leaving companies open to hackers. However, one of the biggest threats to the continent is the lack of cybersecurity personnel. While this is a global issue, of course, in African countries, as in other developing countries around the world, the situation is exacerbated by lack of funds, a lack of cybersecurity initiatives, and a shortage of specialized cybersecurity courses in universities.4 Weak legislation and law enforcement also act to create environments where hackers can operate with impunity.5 Because of these issues, many West African banks outsource their cybersecurity needs to subcontractors, as this saves the time and cost of trying to find someone suitably qualified for the task.
A Few Incidents Worth Noting
The DataProtect report found that only 20% of those surveyed took cybersecurity seriously.6 This is shortsighted, as the region has suffered from a wave of cyberattacks over the past few years. According to Symantec, the first series of attacks began in mid-2017, targeting Ivory Coast and Equatorial Guinea with a piece of malware known as NanoCore (Trojan.Nancrat).7 The second attack in late 2017 focused on organizations in Ghana, the Congo, Ivory Coast, and Cameroon. It used the password-stealing malware Mimikatz, and also malicious PowerShell scripts, and a commodity malware called Cobalt Strike (Trojan.Argentimis) which creates a backdoor for further malware payloads on infected computers. The next incident, for which no date is recorded, was aimed at one organization in Ivory Coast that had been targeted before. The last attack recorded by Symantec started in December 2018 and, once again, was directed at organizations in Ivory Coast.8 This time the cybercriminals used an off-the-shelf piece of malware known as Imminent Monitor RAT (Infostealer. Hawket) to steal information and credentials.
All of the software used on these four occasions was easily sourced online at little or no cost and required minimal expertise to operate. Because of this, it has been difficult to say whether the attacks were the result of one group or many. Neither has it been possible to say whether the cybercriminals behind them were home-grown or from abroad. Figures of more recent attacks have been impossible to come by, but it would seem extremely unlikely that there haven’t been any more since 2018. As things stand, due to the lack of cyber-security measures and poorly designed networks, banks in West Africa, and indeed elsewhere in the continent, are sitting ducks for malicious actors.
Cybersecurity Education & Saya Summit Africa 2020
Until cybersecurity is taken more seriously and greater investment seen in cyber threat education and policy, this state of affairs can only get worse in the future. We hope to change this. In our modest effort, we will join with leading thought leaders in Africa to elevate and promote cybersecurity to the world. The Saya Cybersecurity 10x Awareness Summit will be the largest global and virtual summit featuring a dedicated track on Africa. Multiple days will focus on topics such as security awareness, the threat landscape, data protection and many more. It will cover various verticals in health, telecommunications and financial. We will also feature leading women in cybersecurity. Some of the countries discussed will be Kenya, Uganda, South Africa, Zimbabwe, Nigeria, Ghana, Sierra Leone, Egypt, Morocco and Algeria. This is not your typical summit. All registration proceeds will be dedicated to charities directly involved in Covid-19 efforts. In addition to Africa, we will have conversations and experts from Japan, Brazil, Chile, Argentina, USA, Uruguay and more.
- El Mehdi Berrada, ‘Cybercrime: West African Banks are Under-protected,’ The Africa Report, 02/11/2020, accessed at https://www.theafricareport.com/22644/cybercrime-west-african-banks-are-under-protected/
- Jeremy Whannell, ‘West African Banks are Battling Cyberattacks,’ Born2Invest, 01/22/2020, accessed at https://born2invest.com/articles/poor-protection-of-west-african-banks/
- ‘Lack of Quality Cybersecurity Hurting West African Banks,’ CISO Mag, 02/03/2020, accessed at https://www.symantec.com/blogs/threat-intelligence/african-financial-attacks https://www.cisomag.com/lack-of-quality-cybersecurity-workforce-hurting-west-african-banks/
- Catherine Chapman, ‘How Africa is Tackling its Cybersecurity Skills Gap,’ The Daily Swig, 08/22/2018, accessed at https://portswigger.net/daily-swig/how-africa-is-tackling-its-cybersecurity-skills-gap
- Nir Kshetri, ‘Cybercrime and Cybersecurity in Africa,’ Journal of Global Information Technology Management, 04/09/2019, accessed at https://www.tandfonline.com/doi/pdf/10.1080/1097198X.2019.1603527
- Jeremy Whannell, ‘West African Banks are Battling Cyberattacks,’ Born2Invest, 01/22/2020, accessed at https://born2invest.com/articles/poor-protection-of-west-african-banks/
- ‘West African Financial Institutions Hit by Wave of Attacks,’ Symantec blog, 01/17/2019, accessed at
- Antony Peyton, ‘Cyberattack Waves wash Over West African Banks,’ Fintech Futures, 01/17/2019, accessed at https://www.fintechfutures.com/2019/01/cyberattack-waves-wash-over-west-african-banks/