Cyber Insecurity is Harming Emerging Markets
Emerging Market Businesses Want to Grow, But Can They Succeed Without Cybersecurity?
Data breaches seem to be the name of the game in tech this year, and the latest, a software flaw that exposed the private data of hundreds of thousands of Google+ users, has just snagged the spotlight. Despite the fact that data breaches and cybersecurity attacks occur across the globe, their occurrences in major technology markets such as the United States and the European Union (EU) tend to take policy precedence and draw greater media attention.
However, as emerging market nations—such as Indonesia and those in Sub-Saharan Africa—continue to rapidly digitize and foster new technology-based businesses, more attention needs to be paid to the risks these markets and their users face. Failure to do so will significantly hinder economic growth and business development in these regions.
Over 90% of African businesses operate under the cybersecurity poverty line, which means they are unable to adequately protect themselves from vulnerabilities and losses. Although Africa has comparatively limited communications infrastructure, the continent has a high penetration rate of new technologies, and as a result is a prime target for digital attacks. In 2017, cybercrime cost the continent $3.5 billion and yet 96% of online security incidents went unreported. Large and expanding digital hubs such as Nigeria and Kenya particularly suffered, accruing losses of $649 million and $210 million, respectively.
Cybercrime in Africa has targeted startups, corporations, institutions and governments alike. This June, South African insurance company Liberty Holdings Ltd. was held ransom by hackers who were able to access sensitive data including emails. The company is responsible for overseeing 2.5 million life-insurance policies and administering over 10,000 retirement plans and 500,000 individual and institutional investment customers, raising concerns about the consequences of such a hack. Some progress, however, is being made: there was a 73% increase of Information Security Management System certified companies on the continent between 2015 and 2016, the majority of which are based in South Africa, Nigeria and Morocco.
Similarly, in the Asia-Pacific region, cybercrime poses a serious threat to economic success. A study commissioned by Microsoft found that the total potential losses to the region from cyber attacks was $1.745 trillion, or 7% of the region’s current gross domestic product (GDP). These risks are particularly apparent in the ASEAN region, where nations invest an average of 0.07% of their GDP in cybersecurity infrastructure and operations. The consequences of such underfunded and undervalued cybersecurity initiatives can be seen in practice in Indonesia, where the country’s highest valued startup on record, Go-Jek, was found to have significant security vulnerabilities.
Go-Jek is a ride-sharing and logistics startup that has over 15 million weekly active users and is widely considered a major competitor to global brands such as Uber and Lyft. In March 2017, Fallible, an Indian security firm claimed they were able to extract information such as GPS coordinates of rides and user data such as phone numbers and pick up and drop off points from two problematic APIs on the app. The firm also claimed they were able to exploit a vulnerability which enabled them to manipulate notifications users received. An Indonesian hacker based in Thailand identified similar vulnerabilities in 2016. Go-Jek is Indonesia’s first startup to become a unicorn (meaning it became valued at $1 billion), and over the past year, the company has invested heavily in expanding their services to include mobile payments.
This expansion into a field that engages with even more sensitive user data underscores the need for a greater cybersecurity focus, as well as a complementary regulatory environment that similarly prioritizes security in tandem with growth. In 2017, the Government of Indonesia took steps in this regard, establishing a National Cyber Agency (NCA) to develop an integrated cyber defense strategy. However, given that in the same year, almost half of Indonesia’s companies were impacted by over 205 million cyber-attacks, costing $34 billion in direct financial losses and long-term reputational damage, there is a great deal of work to be done.
In larger and more developed technology markets, data security and privacy laws such as the recently passed General Data Protection Regulation (GDPR) compel companies to invest more time and resources into developing and maintaining robust security infrastructure. However, in markets, such as in Sub-Saharan Africa and Asia-Pacific, where such regulations and cybersecurity-focused policy environments are weaker or lacking in enforcement, commensurate practices by businesses are less common.
Going forward, emerging market businesses and governments need to recognize that to achieve economic growth and reap the benefits of the ongoing digital boom, cybersecurity needs to be a priority. In practice, this means that there needs to be greater emphasis on operating and maintaining updated and robust security systems; training and expanding cybersecurity workforces; developing long-term cyber resilience strategies that account for all levels of corporate or institutional operations; raising awareness about the importance of such security practices; and generating legislation that adequately offers protections and remediations.
Greater investment in regionally-specific cybersecurity infrastructure can also open up noteworthy business opportunities. The cybersecurity market is expected to be worth $2 billion by 2020, and thus far the African continent has not released any commercially viable cybersecurity products, while ASEAN nations, although having made some progress, also have room to grow.
The average cost of cybercrime for businesses and governments across the globe is increasing at a rapid rate, and emerging markets are at significant risk. Developing more robust cybersecurity infrastructure, policies, programs and cultures must be prioritized. This is particularly important now as these regions will soon be host to the majority of global internet users, as well as a large share of future digital businesses and services.
Spandana Singh is the Cybersecurity and Technology Fellow at Young Professionals in Foreign Policy (YPFP) and a Policy Associate on the Open Technology Institute team at New America. Spandana is a graduate of the University of California, Berkeley and has previously worked at organizations such as the East-West Institute, Twitter, the World Bank Group and UNICEF.