Professional services firm KPMG's ‘Africa Cyber Security Outlook 2022’ survey found that 74% of Africa’s large companies reported a relatively mature approach to privacy and cybersecurity, but 75% of companies encounter challenges in recruiting and retaining qualified cyber professionals and only one in three have access to a sufficient talent pool.

The development of highly specialised cybersecurity resources with skills for cyber leadership, and securing and testing systems should be prioritised, KPMG recommends in its report.

Despite this, some industries are well geared in terms of cyber skills, with the highest percentage of adequate skills being in the manufacturing sector, at 48%, and energy and natural resources sector, at 47%, followed closely by the fast-moving consumer goods and information and communications technology sectors.

Further, the financial services and public sector have been prime targets for cyberattacks and demonstrate an acute demand for cyber resources, largely owing to the high level of regulatory oversight required.

“The cyber landscape in Africa is highly dynamic and rapidly evolving, propelled by widespread digitisation and matched by adequate investments in protecting assets and data from cyberthreats,” says KPMG Nigeria partner, cybersecurity head and Africa Cyber lead John Anyanwu.

While the African continent continues to face many challenges, including poverty and political conflicts, multiple economies in the region have shown tremendous growth, with a number of countries demonstrating rapid post-pandemic recovery with increased consumption and adoption of digital technologies at grassroot level, he says.

Additionally, while there is currently a shortage of skills, there is no doubt that Africa is taking this seriously, with 55% of large companies planning on recruiting cybersecurity resources in the next 12 months, with 58% planning to onboard at least one to two resources and 25% looking at three to five resources.

“We need to change the way we recruit in this sector by improving the recruitment process and requirements, looking at non-traditional degrees, offering competitive salaries and looking at external collaborations with educational institutions to build skills, develop in-house talent and outsourcing of skills to those in the know. Without this shift, we may be left behind,” he says.

Meanwhile, cyber strategy in Africa is more mature than ever before, with 75% of companies having strategies that were either regularly refreshed or had been built in alignment with the organisation’s threat profile with measurable key performance indicators, he highlights.

Further, 61% of companies have implemented a clear data protection/governance approach, with 80% reporting the establishment of robust frameworks and well-defined strategies to mitigate security and privacy risks, says KPMG South Africa partner and cybersecurity head Marcelo Vieira.

“This demonstrates the significant efforts taken by leaders in organisations to secure the processing of data across the expanding digital landscape. As organisations undergo digital transformation, it is crucial that they envision data protection and privacy as a key strategic component and we are starting to see a massive shift across the African continent,” he emphasises.

Further, the report also highlights that organisations in Africa with a global footprint have been able to achieve more clarity in strategic cybersecurity direction compared with those operating solely within Africa.

Similarly, those that operate across multiple countries in Africa have established clearly defined frameworks and strategies compared with organisations with a presence in only one country.

Irrespective of organisational size, companies are working to ensure data privacy and protection to build trust and safeguard consumer privacy. Organisations that report having a mature approach to cybersecurity strategy have been subject to half the number of cyber incidents reported across organisations that have not proactively dealt with cyber strategy, highlights Vieira.

“Organisations must build commensurate confidence in the overall cyber awareness and incident response function to drive digital trust and positively influence consumer perception. To ensure cyber readiness, organisations need to develop a strong security framework covering technical and human-focused defence/response strategy,” he advises.

“The statistics speak for themselves, with 46% of those that do not have a standard approach to data protection, privacy and cybersecurity [having fallen] victim to cyberattacks, compared to 28% who have robust security in place,” Vieira notes.

“Cybercriminals in this modern era are changing tactics to include data exfiltration, targeting personal user information and targeting organisations that attempt to aggregate, combine, compare and analyse data to better service their consumers.

“Therefore, today, there is a much [more focus] needed on not only mitigating threats but in the way organisations are set up to deal with them,” says KPMG East Africa cyber lead Anthony Muiyuro.

The approach should focus on a few key principles including understanding crown jewel information assets, evaluating the current and emerging threat landscape, documenting and aligning a fit-for-purpose cyber strategy, and placing it into practice and monitoring effectiveness, he recommends.

“This function should be a strategic focus, cut across all business functions. Therefore, establishing an independent information security function is touted as a critical success factor for mature information risk management,” he says.

“While 39 out of the 54 African countries have established cybersecurity legislation, Africa’s adoption of cybersecurity policies and regulations stands at 72%, which is the lowest across the globe.

“This, together with the outcomes of our research, indicates that there is a very real need to rapidly advance agile cybersecurity measures to enhance risk resilience and enable organisations to harness new opportunities for revenue growth and business success, while ensuring business continuity,” states Anyanwu.

“This comes with its own budgetary and resource challenges, but, as a continent, we need to become innovative in our approach and lean into experts that can tighten controls and improve Africa’s cyber resilience for increased economic benefit,” he concludes.