With limited cybersecurity awareness and skills, African businesses face mounting threats amid a surge in cybercrime. Companies must act fast with response plans and staff training to stay protected.
Key takeaways
- Cybercrime is surging across Africa, with phishing and email scams as key issues for businesses.
- Africa's digital transformation is outpacing cyber resilience, leaving companies and consumers at risk.
- Businesses should bolster their defences and train staff on online safety to combat cybercrime.

Africa is witnessing a cybercrime boom, according to Interpol’s African Cyberthreats Assessment Report, published in May 2025. Recent high-profile incidents highlighting the growing risk include the cyber-attack on MTN – South Africa’s largest telecoms company – in April 2025.
According to Interpol, online phishing and business email compromise rank among the fastest-growing dangers facing African companies, compounded by limited cybersecurity investments and digital literacy gaps.
Africa’s vulnerability to cybercrime is closely linked to its accelerating digital transformation. The continent is home to the youngest population in the world, and mobile phone and internet usage is growing rapidly. Between 2024 and 2029, the number of mobile phone users is expected to jump from 14 million to 26 million.
But the surge in connectivity is outpacing cybersecurity awareness. The gap in cybersecurity knowledge leaves both companies and consumers exposed to the growing threat of cybercrime. The risks cybercrime poses to businesses are significant – ranging from financial loss and reputational damage to operational disruptions.
Enforcement agencies are ramping up their response to the threat of cybercrime. In March 2025, Interpol led an international operation across seven African countries, resulting in over 300 arrests in a crackdown on online scams and cyber-attacks.
Lexology PRO explores Africa’s regulatory landscape in key jurisdictions, highlighting best practices for companies to mitigate cybercrime.
The cracks in Africa’s cyber defences
Africa’s digital transformation is overtaking the development of cybersecurity awareness and infrastructure. While some jurisdictions are taking steps to bolster their cybersecurity defences, “the reality is that many African countries have other priorities such as addressing unemployment, poverty, physical crimes and lack of basic infrastructure,” according to Nick Altini, Johannesburg-based partner at Herbert Smith Freehills Kramer.
Three fundamental challenges stand out in Africa’s fight against cybercrime.
Digital illiteracy
Despite the prevalence of internet and mobile phone use in Africa, digital illiteracy remains a barrier to cybersecurity awareness. The risk is especially high in rural areas, where many individuals may not know how to keep their data secure or recognise phishing attacks. In 2023, phishing and online extortion stole over 1 billion rand (US$54.2 million) from consumers in South Africa.
Shortage of cybersecurity experts
A severe lack of cybersecurity experts compounds Africa’s skills deficit. In 2024, Africa had fewer than 300,000 working cybersecurity professionals, compared to 2.9 million across the Asia-Pacific region.
The shortage is worsened by “brain drain” – the exodus of skilled professionals due to higher-paid roles in other countries – leaving many African businesses unprepared to tackle online risks.
Weak cyber resilience
As online threats become increasingly sophisticated, businesses need to develop cyber resilience strategies. Cyber resilience refers to an organisation’s ability to respond to and recover from cyber incidents while maintaining core operational functions.
But many businesses struggle to achieve resilience, suggesting the need for stronger operational defences in Africa. This is reflected in low levels of public trust: according to a 2025 World Economic Forum survey, just 9% of respondents in Africa said they felt very confident in their country’s ability to respond effectively to a cyber incident.
How do cybersecurity laws compare across key African jurisdictions?
South Africa
The Cybercrimes Act (No.19) 2020 – South Africa’s governing cybersecurity law – was the country’s first statute to explicitly recognise cybercrime.
The act applies broadly to all individuals and businesses that use digital devices or access the internet. This includes electronic communications service providers (ECSPs) and financial institutions (FIs), which are required to report cybercrimes to the South African Police Service (SAPS) within 72 hours of becoming aware of the offence and assist law enforcement with their investigation.
Failure to report on time may result in a maximum fine of 50,000 rand (US$2,767). Mandatory reporting obligations apply only to ECSPs and FIs under South African law, but the SAPS encourages other businesses to report cybercrimes voluntarily.
Building on the Cybercrimes Act 2020, the South African Reserve Bank (SARB) issued Directive No. 01 2024 in May 2024 under the National Payment System Act 1988 (NPS Act).
It applies to payment institutions, third-party providers, system operators, and all entities regulated under the NPS Act, requiring them to implement cybersecurity and resilience measures, including incident response plans and multi-factor authentication.
In addition to the reporting requirements under the Cybercrimes Act 2020, the directive also mandates that cyber incidents be reported to SARB within 24 hours of detection, followed by a detailed incident report to be submitted within 48 hours. These triple-pronged reporting requirements constitute a significant compliance burden on in-house lawyers within South African FIs.
Zambia
Zambia established two cybercrime laws in April 2025: the Cyber Crimes Act 2025 and the Cyber Security Act 2025.
The Cyber Crimes Act criminalises cyber terrorism, online harassment, and unauthorised access to computer systems or data. It also imposes severe penalties: individuals convicted of cyber terrorism may face up to 25 years of imprisonment, while hacking offences carry sentences ranging from 10 to 20 years.
While the Cyber Crimes Act focuses on prosecuting individuals involved in cyber offences, the Cyber Security Act has broader implications for businesses. It strengthens protections of critical digital infrastructure and expands law enforcement’s authority to monitor online activity. Companies that fail to secure systems or report breaches to the Zambia Cyber Security Agency face fines of up to 5 million Zambian kwacha (US$215,350).
The Cyber Security Act allows authorities to intercept communications and monitor digital activities from both businesses and individuals. For instance, if law enforcement requests to view an individual’s work email or business communications, the company is required to grant access. The act’s broad surveillance scope is raising concerns about consumer privacy and freedom of expression in Zambia.
“There will likely always be an inherent tension between legislation aimed at surveillance for purposes of safeguarding against crimes in a digital environment, and human rights and liberties. Navigating the tension between safety and privacy is a challenge faced by all countries, not just Zambia,” Sandhya Foster, South Africa-based director at Herbert Smith Freehills Kramer, told Lexology PRO.
Namibia
Namibia lacks a dedicated cybersecurity law, but this is expected to change soon. The government is finalising a Cybercrime Bill aimed at developing a broader national cyber security strategy. The timeline for enactment remains uncertain, but the bill is expected to be tabled in parliament before April 2026.
In the meantime, virtual asset service providers (VASPs) in Namibia, and foreign VASPs operating in the country, face cybersecurity obligations under the Cybersecurity Rules: Virtual Assets Act 2023. VASPs are required to establish and maintain cybersecurity systems and train staff on cybersecurity practices, among other compliance obligations.
Nigeria
Nigeria’s Cybercrimes (Prohibition, Prevention, etc.) (Amendment) Act 2024 took effect in February 2024, repealing the Cybercrimes Act 2015. The amended law applies to all individuals and businesses, including banks, insurance providers, and telecoms companies.
It requires all companies to report cyber-attacks to the National Computer Emergency Response Team – Nigeria’s cybersecurity incident response body – within 72 hours of detection. Failure to report may result in a 2 million Nigerian naira (US$1,280) fine and suspension of internet services for companies.
Best practices for African businesses to protect against cybercrimes
Shifting corporate priorities reflect the risk of growing cybercrime. In 2025, 74% of companies in East African countries will prioritise cyber risks as a key concern.
Companies may consider the following best practices to safeguard against cybercrime.
Conduct a cybersecurity risk assessment
Companies should carry out regular cybersecurity risk assessments to test their existing systems and identify any vulnerabilities. This may include conducting table-top exercises with real-world crisis scenarios.
Build technical defences
Cyber criminals often exploit outdated systems and security loopholes. To build up technical defences, businesses should regularly update their devices, use firewalls, and implement multi-factor authentication, among other measures.
Security measures should also cover employees’ mobile phones to protect corporate data. This is important for African businesses where mobile usage is widespread.
Prioritise staff cybersecurity training
Businesses should provide regular, mandatory cybersecurity training to help staff recognise and respond to online threats. This should include guidance on protecting personal and corporate data, such as using strong passwords. Training materials should be made easily accessible to all employees and updated to reflect shifting regulatory requirements.
Develop an incident response plan
Businesses should develop a clear incident response plan to ensure business continuity and minimise disruption in the event of a cyberattack.
This should include clear guidance on reporting obligations. Reporting requirements will differ by jurisdiction and sector, but the cost of non-compliance is high. For example, South African banks face two sets of reporting obligations to different authorities. Incident response plans should reflect these obligations and their respective timelines.
The plans should involve contingencies for every aspect of business operations and clearly outline how to assess and disclose a crisis to the public.
This is critical for large companies with complex operations affecting many stakeholders, such as airports or banks.