Cyber Security Skills G Ap - African Cyber

201811Africa Cyber Security Report - BotswanaCyber Security Skills G apForewordForewordWelcome to the 1st edition of theBotswana Cyber Security Report, withthis inaugural report we tackle key themesthat capture the challenges the industryfaces and what needs to be addressed tomake progress in safeguarding the nation.With a rising awareness and understandingof cyber threats, both existing andemerging and with no individual, businessor institution being immune; We need toestablish multi-stakeholder consortiumsthat brings together industry, governmentand academic interests in an effort toimprove the state of cyber security onthe domestic, regional and internationalfronts.As to strive toward the goal of“Knowledge –Based Society” and theaspiration to be a ‘High Income Country’,we must be aware of the threats andopportunities that Cyber brings. If weup-skill our students and graduates with acollective effort, we have an opportunityto become a regional leader in IT securityand create much needed well paidemployment.Throughout the report we highlight theneed to raise our level of training, upgradecertifications and even more crucial,build the new talent pipeline by activelyskilling high school and technical institutestudentsThrough our responses’ to our survey,there is a higher focus on certification thanskills acquisition. The first is theoretical;the second is gained by practice. Whilecertification is highly encouraged forformal employment, we need to build apool of professionals that have a balancewith skill in order to strengthen theoverall capability to deal with emergingcyber security threats. This report showsthat cyber security losses have beenmounting annually, over the recent years.With the passing of the Data ProtectionAct 2018, this will place an enormousstrain on already hard stretched ITdepartments to implement the appropriatesecurity measures as required by the act.Boards and senior management teamsneed to assess the impact of this act willhave on their operations and have a clearroadmap to ensure compliance with theact.We estimate that today, Botswana needsat least 1,000 cyber security professionalsa year to keep abreast with the numberof organisations in need of this criticalskill, yet we have observed that each year,just about 20-30 new personnel join themarket. In another five years, going bythe current rate of technology uptake, weanticipate that the country will need atleast 5,000 cyber security professionals.We urgently need to narrow the cybersecurity skills gap; a factor that we haveestablished plays an enormous role inthe whole industry’s need to strengthenorganisational cyber security.With the establishment of ‘The AfricaCyber Immersion Centre (ACIC)’ thisstate-of-the-art research, innovation andtraining facility seeks to address Africa’songoing and long-term future needsthrough unique education, training,research, and practical applications,integrating modern, state- of -the -artfacilities for on job practical trainingmanned by a pool of highly experiencedtrainers.I’m pleased to announce our partnershipwith Serianu Limited who have now setup offices in Botswana with the the aid ofBITC. For the first time in our country,business and organisations will be ableto out-source their cyber security to alocally based team of world class cyberprofessionals.As to strive toward the goal of“Knowledge –Based Society” andthe aspiration to be a ‘High IncomeCountry’, we must be aware ofthe threats and opportunitiesthat Cyber brings. If we up-skillour students and graduates andwith a collective effort, we willhave an opportunity to becomea regional leader in IT securityand create much needed well paidemployment.Chris JohnsonCEO, African Cyber,Botswana

201812Africa Cyber Security Report - BotswanaCyber Security Skills G apForewordExecutive summaryEach year, we tackle key themes thatcapture the spirit of core mattersthat the industry needs to addressto make progress. This time, we arehighlighting the need to raise ourcollective level of training, upgradecertification and even more crucial,build the new talent pipeline byactively skilling high school andtechnical institution students.Just as the sun will rise from the eastand set in the west daily, the demandfor cyber security professionals willcontinue to grow, largely drivenby the degree with which both thepublic and private sectors havecontinued to embrace the use ofinformation and communicationtechnology (ICT). Even though ICTis evolving rapidly and organisationalleadership is raising the prioritygiven to cyber security risk, a lotmore still needs to be done toempower professionals.Our take, is that there is a higherfocus on certification than skillsacquisition. The first is theoretical;the second is gained by practice.While certification is highlyencouraged for formal employment,we need to build a pool ofprofessionals that have a balancewith skill in order to strengthenthe overall capability to deal withemerging cyber security threats.This report shows that cyber securitylosses have been mounting annually,over the past years.Serianu has summarized the skillneeds in three broad categoriesi.e. understanding, attribution anddeterrence.Understanding refers to the needto have a broader perspective ofthe events that are happening andtools being used, while attributioncovers pin pointing the perpetrators.It is only then that can deterrencetake place, because by now theperpetrators are known. Backed bythe law, it is then easier to enforceregulations. A structured approachto assessing and addressing the cybersecurity landscape shows us ourcollective primary areas of focus.This way we will begin to activelynarrow the cyber security skills gap,a factor that we have establishedplays an enormous role in thewhole industry’s need to strengthenorganisational cyber security.Fortunately, the solutions are nowavailable locally, integrating modern,state- of -the -art facilities for on jobpractical training manned by a poolof highly experienced trainers.This time, we are highlightingthe need to raise our collectivelevel of training, upgradecertification and even morecrucial, build the new talentpipeline by actively skillinghigh school and technicalinstitution students.William MakatianiCEO, Serianu Limited

201813Africa Cyber Security Report - BotswanaCyber Security Skills G ap2018 Highlights2018 Highlights200Cyber Security SkilledProfessionals in BotswanaSkills shortage at senior managementand mid management levels90%of companies to face talentshortage of Cybersecurityprofessionals in 2019Constraint cost of cybercrime 30m in Botswana in 2018successfully prosecutedCyber crimesIncreased Adoptionof CloudIncreased targetedATM attacksLack of InvestmentsIn Information SecurityLack of SolidExperienceIncrease in organisational spend incybersecurity in 2017 to 2018of respondents spendabove BWP 100,000Cyber Incidentsgo unreported orunresolvedIncreased TargetedPhishing Attack(Business EmailCompromise Attacks)50%Increased involvementof Board members onmatters cybersecurity

201814Africa Cyber Security Report - BotswanaCyber Security Skills G apTop Trends for 2018Top Trends for 2018Over 2018 the Serianu Cyber Intelligence team has seen a number oftrends develop which may impact your organisation’s operations andexposure to cyber risk as summarized below:MALWARE ATTACKSMalware keeps going from worseto worse. In 2018 we encountereddangerous malware such as Emotetalso dubbed (Payments.xls), Trickbot,and Zeus Panda. Our research teamidentified unique variants of thesemalwares. Criminals are increasinglytweaking malwares and bankingtrojans to better target organisations.Global malwares such NSA malwareand shadow brokers are now beingdeployed in Africa.A close relative of banking malwareis crypto mining malware. The rise ofBitcoin and other cryptocurrenciessuch as Neo, Etheurium etc. tookBatswana by storm. Hackers areplacing crypto mining software ondevices, networks, and websites atan alarming rate. The impact of theseattacks being: Financial Impact - drives up theelectric bill.Performance Impact: slowsdown machines.Maintenance Impact:Detrimental to the hardware asthe machines can burn out or runmore slowly.From our survey, crypto minersare targeting popular Batswanamanufacturing, educational andfinancial institutions, installing thesecrypto miners on core servers and userendpoints.In order to prevent such exploitationit is critical that enterprises employ amulti-layered cybersecurity strategythat protects against both establishedmalware cyber-attacks and brand newthreats.CYBER SECURITYSKILL GAPOne of the major trends pointedout last year was the lack of localcybersecurity skillsets in Botswanaorganisations. With the cost ofcybercrime increasing every yearacross Botswana, this is still achallenge to the nation.From our analysis, we identifiedthis skill gap comes from two majorsources. Few skillsets in the nationand an inability for companies tohave a proper cybersecurity teamand strategy. With the number ofSMEs and large organisations in thecountry facing cyber security threats,compared to the number of certifiedsecurity professionals in Botswana- 200 it is clear that businesses arean easy target for both local andinternational hackers. Some companiesin Botswana who hire security skillsetsfail to understand the strength ofthe skillsets hence confer all roles toan individual. For example, an ITadministrator with little or no trainingon security is conferred the role ofthe security engineer in an applicationdevelopment company.01DID YOU KNOW?Emotet isA BANKING TROJANzz EVADES TYPICAL SIGNATURE-BASEDDETECTIONzz SPREADS THROUGH EMAILS OR LINKSzzEmotet infections have cost state,local, tribal, and territorial (SLTT)governments up to 1 million perincident to remediate.US-CERT200Cyber Security SkilledProfessionals inBotswana

201815Africa Cyber Security Report - BotswanaCyber Security Skills G apTop Trends for 201802DID YOU KNOW?3rd party API integration serviceproviders are a lucrative targetfor hackers due to the vastamount of transaction and datathey process.Our analysis also discovered thatBotswana companies are reluctant todevelop the skillsets of their securityteam through frequent trainingsand certifications. This is due tothe fact that information security isstill seen as an expense rather than areturn on investment. This is whereorganisations fail to understandthat their team’s posture shouldbe proactive against constant andevolving new threatsThird Party ExposureOutsourcing enables organisations tofocus on their core business. However,this relationship is often based onService Level Agreements and TRUST.However, that third party trust mustbe earned. Examples of third partyvulnerabilities include: Compromise of vendor accountsthrough key loggersCollusion of vendor staff andmalicious hackersIntentional system compromiseby vendors (deletion of database,turning off CCTV, firewallmisconfiguration etc)How to reduce exposure?When a company gives 3rdparties access to its dataand sensitive information,the company is stillresponsible and legallyliable for that information.Margaret Ndungu, RiskConsultant Maintain primary control overwho has access, and at what level,to network systems (especiallyproduction systems).Monitor vendor access(especially remote access) withinthe network 24/7.Get your own house in order byensuring that physical, internaland operational security controlsare in place to secure data thatmay be accessed by externalvendors.BRING YOUR OWNDEVICES (BYOD)With the changing trends in the use oftechnology, most people are alwaysonline. Devices such as personalmobile phones, tablets and laptopsinevitably find themselves connectedto the an organisation’s network.These devices have become theweakest link and one such infecteddevice, could spread malware acrossthe organisation’s internal network,cause losses worth millions in financesand data.FAKE NEWSThe near instantaneous spread ofdigital information means that someof the costs of misinformation maybe hard to reverse and difficultto respond to, especially whenconfidence and trust are undermined.WhatsApp is seen as the most usedplatform to disseminate fake news.Instances of Fake news1Early September, news spread acrossdifferent platforms that 87 elephantsin Botswana elephant had been killed.However, the government issued apress release calling the story “falseand misleading”. A physical inspectionfound just 19 dead elephants, of whichsix had been killed by poachers.The real impact of the growing interestin fake news has been the realizationthat the public might not be wellequipped to tell the difference betweentrue and fake information.

2018Africa Cyber Security Report - BotswanaCyber Security Skills G ap16Top Trends for 2018Modern technology gives fraudstersthe fuel and platforms to instantlyaccess millions of people.The tech industry can and must dobetter to ensure the internet meetsits potential to support individuals’wellbeing and social good. It shoulduse its intelligent algorithms andhuman expertise to glean andclean out such information as it isuploaded.03DID YOU KNOW?In 2018, at least 17 countriesapproved or proposed laws thatwould restrict online mediain the name of fighting “fakenews” and online manipulation.Freedomhouse.orgSTUDIES HAVE SHOWN THAT OVER 90PERCENT OF THE MEDIA’S COVERAGEOF PRESIDENT TRUMP IS NEGATIVE.”ADIRECT CONSEQUENCE OF FAKENEWSStatement by Botswana BankersAssociation

17Africa Cyber Security Report - Botswana2018Cyber Security Skills G apIndustry Player PerspectiveSub Saharan Africa IT SecurityLandscape and Trends 2018-2019Security outlook 2019Breaches will continue to outpace spend.Threats will evolve faster than enterprise security.zz Security spending will be frequently misaligned with business needs and unrealistic risk mitigationzz Security awareness and skills remain a significant challenge across all organisationszz Increased adoption of cloud based security solutions and security managed serviceszz Emerging technologies will be disproportionately vulnerable and targetedzz Early uptake of advanced security solutions such as artificial intelligence security tools for behavioral analyticszzzzCIO perspectives of IT spending and focusCyber security and privacy technologiesMobile technologies for customer engagementData aggrega on and analy cs toolsSystem/applica on intergra on technologiesInternet of ThingsSocially enabled business processesCloud compu ngCogni ve technologies / AIWearable compu ngRobo cs3D Prin ng0%10% 20% 30% 40%HighModerateLow50%60%70%80%90% 100%Source 1: IDCAccording to IDC’s annual CIO Survey 2018, cyber security and privacy technologies rank the highest in importance for organisations looking at digitaltransformation.Various Dx technologies are hotspots for (in) security:zz Cloud (Spectre/Meltdown)zz IoT (auth/poisoning/DoS)zz AI/cognitive (subversion/DoS)zz Shadow IT (leakage/authentication/BC)

18Africa Cyber Security Report - Botswana2018Cyber Security Skills G apIndustry Player PerspectiveChallenges in managing securityLack of sufficient IT security budgetsKeeping abreast of threatsShortage of skilled IT security personnelLack of employee adherence to policyLack of mature security policiesKeeping abreast of security technologies and solu onsLack of execu ve management supportCompliance with industry or sector regula onsLack of, or out-of-date security policyCompliance with government regula onsLack of overall security strategy for the organiza onLack of quality security services providers0%10%20%30%40%50%60%Source 2: IDCSecurity as a Service spendingSecurity as a Service Spending 2015-2021 (US millions) 25 20 15 10 5 201520162017Kenya2018Nigeria201920202021South AfricaSource 3: IDCBotswana has a growing service-oriented view of IT management, fromoutsourcing to contract support, and security is now an establishedpart of that. Still some way to go to acceptance and maturity, but themarket is picking up.zz In Nigeria, it’s mainly continuity-based (backup, DR, BC) exceptfor large enterprises, where there’s a more holistic security view,especially in MNCs. Endpoint security as a service is making decentprogress too.zz RSA has a mature security-as-a-service market, plenty of serviceproviders including some exporting skills internationally. Still heavilyskewed towards the top organisations though, especially in BFSI andhealthcare - for the mid-market and down it’s still a grudge or postincident engagement.zz In all these markets, there’s a fairly clear sense that end-userorganisations can’t effectively keep up with cutting edge security.You either do the basics and hope the worst doesn’t happen, or yououtsource some of it. So the TAM ceiling for security as a service isreally about awareness, not need.zzNew Age CISOCommunicatorExpert on SecurityTrusted AdvisorPeopleManagerEssen al GuidanceAlways Informed

201819Africa Cyber Security Report - BotswanaCyber Security Skills G apIndustry Player PerspectiveAbout IDCInternational Data Corporation(IDC) is the premier globalprovider of market intelligence,advisory services, and eventsfor the information technology,telecommunications, and consumertechnology markets. With morethan 1,100 analysts worldwide,IDC offers global, regional, andlocal expertise on technology andindustry opportunities and trendsin over 110 countries.IDC has been present in Africasince 1999 and serves thecontinent through a network ofoffices in Johannesburg, Nairobi,Lagos, and Cairo, combininglocal insights with internationalperspectives to provide IT vendors,channel partners, telcos, andend-user organisations with acomprehensive understanding ofthe dynamic markets that make upthis diverse region.GivenIDC’srespectedstandingin themarket, we have also establishedclose working relationships withgovernments throughout Africa,providing them with in-depthconsultancy services designedto inform a new generation oftechnology policies, strategies,and regulations for the digitalera.As Africa’s digital transformationnarrative continues to evolve, IDCis perfectly positioned to help ITvendors, service providers, andchannel partners build long-termpartnerships, deliver lastingbusiness value, and provide thelocal context required to enablesuccess.You can follow IDC Sub-Saharan Africa on Twitter at @IDC SSA.

201820Africa Cyber Security Report - BotswanaCyber Security Skills G apIndustry Player PerspectiveTAKA NYAHUNZVIPresident, ISACA BotswanaWhat were the biggest technology and cybersecurity trends in Botswana in the past 12 months?the cybersecurity roadmap, and to take part in the CMMbuilding.Continued adoption and greater awareness respectively.What key cybersecurity competencies are lackingwithin the public sector? What can be doneto ensure that we attract young talent withingovernment and public sector?Particularly in the mobile space, there has been more andmore adoption of technology across all sectors of society.Even in the remote villages, there is mobile connectivity,and this has changed the way that the community lives.This is

the 1st Edition of Botswana Cyber Security Report. This report contains content from a variety of sources and covers highly critical topics in cyber intelligence, cyber security trends, industry risk ranking and Cyber security skills gap. Over the last 6 years, we have consistently strived to demystify the state of Cyber security in Africa.