Cybersecurity priorities for the public sector

Introduction

Globally, massive cybersecurity breaches have become almost commonplace, regularly grabbing headlines that alarm organisations, big and small, and government institutions, citizens, the general public and the business community. But for all of the attention such incidents have attracted in recent years, many government institutions, parastatals and county governments still struggle to understand and manage emerging cyber risks in an increasingly complex digital society. As our reliance on data and interconnectivity increases, developing resilience to withstand cyber shocks—that is, large-scale events with cascading, disruptive consequences—has never been more important.

Several trends observed in 2019 continued to dominate the landscape in 2020. The threat to governments’ general elections from information operations remains high, as does the risk of attacks against critical public infrastructure. Traditional techniques such as phishing emails remain a highly prevalent infiltration method for both criminal and espionage actors.

Financially motivated attacks have increased in prominence, mostly targeting mobile payment platforms which are connected to core banking systems. New trends have also emerged, including a more concerted move towards attacks related to data leakage, both personal data and corporate data.

The rapid adoption of a digital economy in Kenya has led to more business operations being conducted online. This phenomenon provides immense opportunity for efficient service delivery by improving relationships between service providers and the general public.

However, in seizing these opportunities, public organisations become more vulnerable to an increasing number of evolving cyber threats. Indeed, any organisation that uses technology, whether storage devices or even email, will be susceptible to an online attack.

Managing the threat of cyber attack As access to the internet expands, so do cybercrime rates in Africa where businesses and governments are starting to face a new type of threat for which few are currently prepared. According to the Communications Authority of Kenya, the internet penetration rate in Kenya is 41% and about 89% of the population are active internet users. These statistics are expected to continue rising as internet penetration continues to improve in towns and rural areas.

Only a minority of countries in Africa have taken steps in anticipation of the cybercrime problem posed by the development of the online financial industry in Africa. Kenya has drafted a Computer Misuse and Cybercrimes Act in 2018 to set up a legal framework that will allow lawmakers and enforcement agencies to establish legal grounds for the investigation and prosecution of cybercrime matters. However, laws are not enough to help protect organisations and businesses from an increasingly sophisticated type of threats.

To effectively manage cyber attacks, public organisations must broaden their focus beyond just security and technology and develop a high-level, senior government and official-driven enterprise-wide playbook to deal with such threats. Such a strategy requires the central government and county governments to take ownership of cyber risk, and be willing to commit the resources required to address it. Failure to do so could result in damage to government institutions operations, reputation, brand and intellectual property.

"Organisations must dig deeper to uncover risks. Achieving greater cyber resilience as a society and within organisations will require a more concerted effort to uncover and manage new risks inherent in emerging technologies."

Despite the widespread impact of such attacks, many organisations still place the responsibility for managing cyber threats solely in the hands of their technology departments. In our experience, these threats are dynamic and sophisticated, yet traditional approaches to security are still too narrow and flat-footed. Managing cyber risk is a fundamental part of management and leaders need to see cyber threats for what they are: enterprise risk management issues that severely impact their organisation’s objectives.

Having interacted with a number of public organisations in Kenya; I have observed that a significant number of them still do not practice basic cyber hygiene.

Tomorrow’s successful governments will be those that invest in infrastructure, knowledge, and relationships resilient to shock— whether economic, environmental, societal, or cyber. So how can public organisations achieve the toughness required to absorb the disruption caused by a cyberattack?

  • Build cyber resistant public organisations: An appropriate cyber-risk management programme should be part of organizations’ IT governance process. Such a programme should cover the overall institution-risk environment and feed into the overall enterprise-risk management framework. Specifically, top level officials should collaborate upfront to understand how the organisation will defend against and respond to cyber risks, and what it will take to make their organisation cyber resilient. As cyber risks cannot be eliminated entirely, management needs to also determine what level of risk it is willing to accept, and then build its defences around those parameters.
  • Leaders must assume greater responsibility for building cyber resilience: Organisations must have the right leadership and processes in place to drive the security measures required by digital advancements. Many businesses are just beginning this journey. However, there is no one optimal cyber governance model. As such, key IT decisions, the level of involvement of stakeholders, governance structures, processes and policies will differ widely depending on the organisation.

Strategies for business continuity, succession planning, strategic alignment, and data analytics are key. Yet PwC’s Global State of Information Security Survey of 2018 found that most organisations are not proactively shaping their institutions' security strategies or investment plans. Many still see it as an IT problem. Organisations must dig deeper to uncover risks. Achieving greater cyber resilience as a society and within organisations will require a more concerted effort to uncover and manage new risks inherent in emerging technologies. In some cases, technical expertise in Africa may be lacking and adequate training will have to be sought in order to implement effective measures to counter the cyber threat. With that in mind, public organisations need to be flexible enough to react quickly to cyber-risks and a fast-changing external environment.

Related articles

Digitisation in the public sector

Digitisation is crucial for creating a more innovation-driven, competition-based and value-adding economy. In this article, PwC's Laolu Akindele compares local and global trends in digitisation and highlights the key areas that Kenya’s government should prioritise on its digitisation journey.

Augmented Reality applications for the NPO sector

Beyond just visual effects, AR has the potential to provide a multi-sensory composite experience. Dennis Maina and Nicholas Kanyagia from PwC's Business Recovery Services unit discuss the potential Augmented Reality has and the possible applications for companies in the public sector.

Transforming Africa through ICT: Managing crises through technology

The COVID-19 pandemic provides an opportunity for Africa to transform its economies through innovation and ICT, as well as to prepare more effectively for future crises. PwC Rwanda Senior Manager, Victor Omurunga however notes that countries will have to invest in ICT infrastructure, foster innovations and effectively regulate emerging technologies to achieve a balance between collective safety and individual privacy, if they are to realise these benefits.

Benjamin Mkwizu

Associate Director, Risk Assurance Services T: +254 20 285 5346 T: benjamin.x.mkwizu@pwc.com

Share with your networks

Read the next article: Data Protection Requirements for the Public Sector