0

By Nikita Shaw, Partner, Bowmans

Cybercrime and cybersecurity incidents are no longer simply an IT issue. They have become critical governance, legal and compliance risks that can impact an organisation’s reputation, regulatory standing and financial stability. Attackers are constantly evolving their tactics to compromise sensitive information (including personal data), disrupt business operations and exploit vulnerabilities.

RELATED: LogRhythm partners with Dataproof Communications to deliver cyber resilience in Africa 

For modern organisations, staying ahead of these threats is not optional. It is a core responsibility of leadership and the board to ensure robust oversight, effective risk management and regulatory compliance.

INTERPOL’s 2025 Africa Cyberthreat Assessment Report

According to INTERPOL’s 2025 Africa Cyberthreat Assessment Report, phishing attacks, where cybercriminals impersonate trusted entities via emails, messaging platforms and fraudulent websites, continue to account for a third of all cyber incidents detected across Africa.

Whilst phishing has been a leading cause of cyber incidents for well over a decade, artificial intelligence is increasingly being deployed to amplify the sophistication, credibility and reach of cyberattacks. AI now enables cybercriminals to:

ADVERTISEMENT
  • generate thousands of personalised emails rapidly;
  • optimise subject lines or message content for higher click rates; and
  • mimic the tone and style of legitimate communications with context-specific language

Another emerging tactic involves inserting invisible text or hidden instructions into otherwise innocuous-looking emails. When an AI assistant (for example, a summarising tool in an email platform) processes the email, it may include the hidden wording and produce a fraudulent summary or alert, such as claiming a password has been compromised. Some alerts even prompt the recipient to call a ‘support’ number, which is unknowingly operated by the attackers.

These multi-layered phishing campaigns combine traditional phishing methodologies, AI-enhanced messaging and social engineering via telephone, making them significantly harder to detect and increasing potential legal and regulatory exposure for organisations.

Cyber risk considerations for boards and leadership

Boards and leadership teams are expected to ensure that cybersecurity is integrated across the enterprise risk framework. This includes reflecting cyber risk in risk registers, monitoring regulatory compliance and overseeing internal audits of controls, incident response and vendor risk management. Organisations must also ensure that measures to protect personal data are appropriate, reasonable and documented, in line with data protection laws.

Building true cyber resilience requires addressing vulnerabilities across the entire cyber risk ecosystem:

Technological resilience

At its core, technological resilience relies on the usual technical measures, i.e zero-trust architecture, network segmentation, layered defence tools, continuous monitoring, regular backups, vulnerability testing and patching, and third-party assurance and vendor risk management. While not new, these measures remain the backbone of protecting organisations against increasingly sophisticated threats.

ADVERTISEMENT

Social resilience

Building a robust ‘human firewall’ requires more than rolling out email awareness and e-learning campaigns. Organisations should utilise ongoing scenario-based training simulations to move beyond annual tick-box exercises. These simulations improve digital fluency, clarify reporting processes and foster a culture of cautious digital behaviour. [This is] something that must be modelled at the highest levels of leadership. Training should also include executive decision-making and communications exercises to expose operational gaps and build ‘muscle memory’ for responding to incidents.

Organisational resilience

Cyber risk should be integrated into broader enterprise risk frameworks alongside credit, liquidity and operational risks. Organisations should ensure this issue is reflected in risk registers, and insurance coverage, [This must also be reflected in] board reporting and contracts with third-party vendors who have access to data or systems. Incident response frameworks should clearly define roles across IT, legal, compliance, communications and risk teams to ensure alignment. Learnings from incidents and ‘near misses’ should be fed into policies, procedures and future training simulations to ensure continuous after-action learning.

Cybersecurity is now a core governance issue. Boards and leadership must actively oversee and validate technical and organisational controls. [They must] ensure comprehensive employee awareness programmes and stay informed about evolving threats.

More in Business

You may also like