- There is a need for more training and awareness for people responsible for securing their organisations’ information infrastructure.
- There is opportunity for policy makers to work with the industry to develop optimal customer and user-centric privacy and security policies.
- Local ICT experts must shift their thinking from security at the periphery to securing every point of contact with the network.
- The cybersecurity laws do not take into consideration budget limitations of small businesses to secure their systems.
- Information systems and infrastructure should be classified as either critical or non-critical for better regulation.
Society and economic development in Africa continue to rely heavily on information systems and networks. Almost all sectors, whether agriculture, finance, education or government, increasingly depend on information and communication technology to enable solutions to the various challenges faced in Africa, and sometimes the technology is the solution itself. In addition, some countries are taking advantage of this shift to establish themselves as regional leaders or hubs in Information and Communication Technologies (ICTs).
Many businesses, including those with models not common in Africa, are being built to support this new paradigm of economic development in many countries on the continent. At the same time, security threats enabled by ICTs are growing at an alarming rate and the threat actors themselves are evolving. A remote farmer who would traditionally only be worried about attacks from local robbers now has to worry about the availability of the platform from which s/he accesses markets and the security of a digital wallet.
Reports of millions of dollars lost by businesses and individuals to cybercrime are becoming a common feature in the media. Even more worrying than the financial losses is that systems and networks providing critical services to societies are also at risk of attack and sabotage.
Knowing the different points of attack (the threat attack surface) and the readiness of organisations to prevent such attacks is a first step in improving the security posture of any cyber infrastructure. Such information would typically inform the policies developed to address the security of information infrastructure, whether at national or organisational level.
However, such data is hard to find on the continent. Where there is some data, the studies focus primarily on the English-speaking countries in East and West Africa. For this reason, we set out to study Cameroon’s cybersecurity posture, starting with an understanding of what organisations perceive as their threat attack surface, their readiness to address the identified threats and regulatory compliance to both international and local standards.
ICT in Cameroon
The government of Cameroon has long identified ICTs as a strategic tool in its economic development plans, including a strategic vision to lead the Central African sub-region’s telecommunications industry and be an ICT hub in the sub-region. In its Strategic Plan for a Digital Cameroon by 2020, the government promised to integrate and promote the use of ICTs in all sectors of the economy, thereby transforming Cameroon into a digital economy. In addition, it promised to improve the regulatory framework by ensuring that the legislative and regulatory framework is adapted to market and technology trends.
As this vision is implemented and society depends more and more on digital technologies, the security of the country’s information infrastructure, especially its critical infrastructure, becomes a major concern.
Cybersecurity in Cameroon
Little is reported about the state of cybersecurity in Cameroon. While cybersecurity laws exist, to our knowledge there is no publicly available study or report on the state of cybersecurity in Cameroon. It is this gap in data that inspired us to carry out a study to better understand how organizations are doing from a cybersecurity perspective.
Our study, the ‘2020 State Of Application Security in Enterprises’ identified some key findings, some of which are interesting and others worrying. The sections below highlight a few of these findings, including some analysis and policy recommendations, with the hope that it might be useful to industry and policymakers in Cameroon and Africa in general.
Threat Attack Surface and Trends
Our findings show that for the majority of organisations, cyber attacks happen through web applications. Furthermore, most organisations were afraid of a cyberattack leading to data leak or loss. Curiously, when asked how attacks are carried out, no organization indicated that phishing was involved, yet it is widely acknowledged in the industry, as shown in figure 1, that 91% of all cyber attacks start with a phishing attack. Therefore, either organizations in Cameroon are not aware of what phishing is, or they do not really understand how attacks against their organisations occur. We suspect this contributes to another finding from our study: only 16% of enterprises were protecting their applications and only 8.4% were performing penetration testing. The organisations seem to still be using the bygone enterprise security strategy of protecting the network perimeter.
Figure 1 Attack vector distribution
Source: Worcester Polytechnic Institute
Another interesting finding from the report is regarding breach notification. We found that organizations rarely notified customers of a breach. Instead, they focus on notifying the National Agency for Information & Communication Technologies (ANTIC). Presumably, this is because there is no law or guidance on data breach notification by companies in Cameroon.
Based on our findings, there appears to be a need for more training and awareness for people responsible for securing their organisations’ information infrastructure. One possible solution would be for organisations to hire dedicated information security personnel to look after information security tasks in the organization. We noticed that only 26.9% of organizations interviewed hire dedicated information security personnel. The majority of companies ask IT professionals with different skill sets to also perform information security tasks.
In the area of breach notification, there is an opportunity for policy makers to work with the industry to develop optimal customer and user-centric privacy and security policies. Such a policy might also enable Cameroon to align with other privacy regulations like Europe’s General Data Protection Regulation (GDPR).
Our study found that most companies still rely on traditional network periphery security, in effect ignoring the disruptions to security brought about by mobility and cloud computing.
What is even more concerning is that even with this obsolete security architecture, up to 53% of companies were confident in their ability to prevent a cyber attack (see figure 2). Organizations in Cameroon seem to be unaware that almost all points in the network are now entry points, since mobility allows users to bring their own devices to the workplace and cloud computing has changed traffic patterns.
Figure 2 Confidence in the ability to prevent a cyber attack
Organizations need to realise that today’s and future network architectures, which take advantage of cloud technologies and the Internet of Things (IoT), require security at every point where a mobile phone, laptop, sensor or API makes contact with the network. That point of contact may be inside the network, not at the perimeter in its traditional sense. So again, a little more training and awareness is perhaps required here. Furthermore, the practice of having other IT personnel, such as network engineers or application developers, take on the role of security specialists affects the organization’s readiness to fight cyber attacks. Without the right cybersecurity skills, the infrastructure and applications will not be adequately protected against attacks.
Information Security Standards
Most organizations implement international information security standards and guidelines such as ISO/IEC 27001 and frameworks such as the US National Institute of Standards and Technology (NIST) framework. In Cameroon, however, our study found that the focus is on compliance with ANTIC’s regulations as spelled out in Law N° 2010/012 of December 21, 2010 relating to cyber security and cyber criminality. This is perhaps explained by the fact that organisations can be made to pay penalties of up to 50 million FCFA (approx. USD 90,000) if they do not comply with certain requirements of the law. One such requirement is Section 26 (1) of the same law, which states that “operators of information systems shall take every technical and administrative measure to ensure the security of services offered”.
In general, we believe the existing laws have a positive impact on the cybersecurity posture of Cameroon, due to the hefty fines prescribed by the laws, especially for organisations not taking all necessary steps to secure their infrastructure. However, the laws do not consider that some smaller companies that operate an information system in order to provide their services and products to their customers may not have the large investments and budget usually required to properly secure information systems. A national strategy on cybersecurity could help here by defining how the government plans to encourage and incentivise the private sector to comply with the cybersecurity laws and regulations that have been passed. Tax incentives, or other ideas for how small companies may otherwise afford security solutions to protect their information systems, should be important aspects of such a strategy.
It might be helpful to classify companies in different sectors into different categories, clearly indicating which sectors, systems and infrastructure are critical and which are not. It is unreasonable to expect a hotel that operates information systems to run its operations to implement the same level of security as a critical infrastructure company such as an electricity company, a telecommunications company or a hospital. Classifying information systems as either critical or non-critical infrastructure would make the regulation less of a financial burden on those sectors that are not considered critical.
Our study demonstrates that there is a lot to be done by both the private sector and policy makers to put Cameroon in a better cybersecurity posture. While the aim of the study was not to score, on a scale, how well or how badly Cameroon is doing with regard to cybersecurity, the report shows that poor cybersecurity measures and practices are prevalent in enterprises in Cameroon.
The report identified (1) a need for more training and awareness for people responsible for securing their organisations’ information infrastructure, (2) the absence of, and therefore the need for, policy makers to work with the industry to develop optimal customer and user-centric privacy and security policies, (3) the importance for local ICT experts to shift their thinking away from securing the periphery and instead consider securing every point of contact with the network, (4) that the cybersecurity laws do not take into consideration the budget limitations of small businesses, and (5) that information systems and infrastructure should be classified as either critical or non-critical for better regulation and security.