CYBER SCAPE AFRICA | Q2 2019
The Ponemon Institute, in its report "2017 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)", states that 61% of surveyed SMBs experienced a cyber attack and 54% experienced a data breach in which information about employees and customers was exposed, with an average of $1.02B in financial loss. The report goes on to say that half of critical data is accessible from a mobile device, which increases the attack surface. Another report, from SANS, "Cyber Defense Challenges from the Small and Medium-Sized Business Perspective", revealed that surveyed companies faced challenges around the finance available to pay for talent, regulatory compliance, and the availability of professional talent. Although all the referenced documents take SMBs into account, their assumptions and results can be applied to startups. The African Union (AU) convention of 27th June 2014 encourages all members to create local data privacy laws, and startups are not exempt from the existing or upcoming regulations. Despite the slow adoption or ratification of the convention among AU members, it is important to start incorporating cybersecurity principles into the company's DNA.
The numbers above are a wake-up call for startups, because they deal with personal information and, in some cases, with financial information, which makes having proper controls in place a must. The 2019 Cybersecurity Forecast in Issue #1 highlighted an important subject related to the chapter "Data Protection Legislation Gaining Ground in Africa". With that chapter in mind, the Angolan Data Protection Act of 2011 (Law No 22/11, of 17 June 2011) defines personal data as "any information, regardless of its nature or the media on which it is stored, processed by automated or manual means relating to an identifiable natural person". Startups operating in Angola must therefore comply with this Law when dealing with personal information. A further point is that much of this data is stored with well-known cloud providers, which also falls under Law 22/11: "... the Agency of Data Protection must be informed of international data transfer to countries that ensure a suitable level of data protection". Because of the nature of startups, some of them do not have enough funds when starting out, which makes some investments difficult, and most of the time cybersecurity is left behind in those situations. Doing so, however, can jeopardize the business or bring additional risks.
The Lean Startup lifecycle encompasses a process with three phases, also known as the feedback loop, which most startups rely on and which suggests building "fast". The questions that come to mind are: how to insert secure development principles into this fast building process? How could well-known security standards (e.g. ISO27000, NIST800-53) fit into this process? And how can a company starting with 2 or 5 employees integrate those controls into its genesis? A startup competition (Seedstars) in Angola listed 28 startups from 2016 to 2018, offering transportation, food delivery, public internet access, health services and so on. What all these startups have in common is that they deal with personal data and are prone to the same risks (data theft, unavailability, ...).
The report "The 2017 State of SMB Cybersecurity" lists four measures to protect against cyber threats: training, password management, mobile device protection and early investment in cybersecurity. While those measures can be challenging in some cases, what I recommend is the adoption of the OWASP ASVS (Application Security Verification Standard), following "Case Study 2: As a secure SDLC" in the document "Application Security Verification Standard 3.0.1". The second recommendation is to introduce some principles of data classification, implementing controls for data at rest as well as data in motion, and to stay aligned with regulation, because startups may not have enough funds to pay penalties. In the case of Angola, the Agency of Data Protection has not been created yet, which hypothetically makes the storage of personal data outside the country a violation of the aforementioned Law.
Author
Alcides Miguel
Cybersecurity Analyst
Onzo Cybersecurity