In June 2022, the Costa Rican government was forced to declare a national emergency after a significant ransomware attack by Conti, a hacking group with Russian ties. The group had found vulnerabilities within the public sector cybersecurity infrastructure which left many agencies struggling to regain their feet, and many citizens seriously affected by the outages and shortages.
The sheer scale of this attack and the magnitude of its impact on society, people and business, underscored the growing complexity of the cybercrime landscape and the threats it represents.
One of the key lessons learned in 2022 is how every layer of society and business can be affected by a successful cyber attack. In the event of the Costa Rica ransomware attack, around 27 ministries were affected, from the Ministry of Finance to the Ministry of Science, Innovation, Technology and Telecommunications. After the initial hit, there followed a second one which had a serious impact on their healthcare system.
This story should be of tremendous concern – not just for the citizens of Costa Rica, but for other emerging economies like countries in Africa as well. We are just not prepared.
This is reflected in a recent analysis of the African cybersecurity landscape by the ITU, the UN specialised agency for ICTs. The ITU found that out of 54 African countries, only 29 had implemented legislation that would promote cybersecurity and that all but six countries lack “capacity-development incentives for cybersecurity’” It is a warning sign.
Costa Rica is another emerging economy that was hit really badly. This is something that we need to take as a warning sign. We need to prepare for what lies ahead, because these cyber-extortion and ransomware groups are not going away. In fact, they specialise in different techniques and many of them are focusing on finding new ways into companies and new avenues of putting pressure on their targets to extort higher ransoms.
Over the past year, there has been a clear shift in how cybercrime organisations approach their attack vectors. They have not focusing as much on encryption anymore – they are now also stealing data and threatening the organisations to release it.
Another risk area is cloud. With many companies and countries in Africa now investing heavily into cloud-based technologies – a smart move to improve efficiencies and speed to service delivery – they are opening up unexpected vulnerabilities that cybercriminals are taking advantage of.
Many companies do not have the right resources and skills to correctly configure their cloud environments. So, while they are getting the much-needed benefits of cloud platforms and services, they are putting themselves at risk.
One of the reasons why cloud technology is a vulnerability is skills. The cybersecurity skills shortage is a global problem, but it is also very much a digital thorn in the organisation’s side in Africa. The skills shortage has become even more of a challenge in 2022 with higher demand than there are people, and this is unlikely to change in the near future. While people are being lured into cybersecurity as a career, the current gap between talent and demand is vast.
Africa needs to seriously invest into resolving our education systems and in creating opportunities for youth to enter into technology-driven professions, especially cybersecurity. In the KnowBe4 Cyber Security skills pipeline survey, 58% of respondents had vacancies in their cloud security space and 72% said their biggest challenge was finding candidates with practical experience. We really do have a resource pandemic, and this is crucial to resolve as we move into 2023 – a year that is set to be shaped by even more rigorous and effective cyber attacks.
The lessons learned in 2022 need to be carried into 2023 because the future is going to be challenging. The cybercriminals are changing vectors, approaches and targets, and they are constantly evolving their skills to ensure that they are ahead of the systems put in place to deflect them.
Crime tactics have evolved, targets have shifted and skills remain too scarce to provide organisations with adequate defences against them.
It is a gloomy outlook, but it can be managed with the right expectations and with a clear eye on the risks that remain a threat to businesses, citizens and the public sector.