Eighty-two percent of African organizations report difficulty recruiting skilled cybersecurity professionals, the highest rate in the world, creating a structural vulnerability that threatens the region’s booming digital economy.
- •According to a 2026 regional report on AI and cybersecurity by SmartComply, operational cyber breaches are translating into real capital flight.
- •Kenya lost US$83 million to cybercrime in 2023, while Uganda reported US$419,487 in losses, prompting 74% of regional businesses to rank cyber risk as a top strategic priority.
- •However, only 29% of East African firms conduct regular tabletop exercises, leaving most leaders untested against the very threats they fear most.
“Most organisations know cyber risk is a top threat, but very few have rehearsed what failure actually looks like. Until leaders simulate real incidents, cyber preparedness remains theoretical,” said Tim Theuri, CISO, M-PESA.
As more Africans join digital finance, the most vulnerable moments are no longer onboarding but account access, recovery, and authentication, placing identity attacks at the center of the region’s evolving cyber risk landscape.
AI-enabled attacks are rapidly proliferating: 60% of organizations report facing such threats, yet only 7% have deployed AI-driven defenses, and a mere 6% have enterprise-wide data controls strong enough for safe AI usage. The region is effectively fighting algorithmic adversaries with underpowered teams.
“The real stakes are when people are logging back into accounts that already hold value; moments like account recovery or changing PINs. Previously, we were fighting humans; now we are fighting autonomous agents,” said Mark Straub, CEO of Smile ID.
In East Africa, where mobile money and digital banking prioritize speed, attackers exploit the exact moments when convenience overrides caution. With mobile money transactions now accounting for 53% of Kenya's GDP, the shortage of domestic cybersecurity expertise could turn even minor cyber incidents into macroeconomic shocks.
Between July and September 2025, the Communications Authority of Kenya recorded more than 842 million cyber threat events, showing that automated attacks are rising in step with digital adoption. Central Bank of Kenya data show mobile banking fraud cases jumped 87%, driven by social engineering, credential compromise, and SIM-swap schemes, while healthcare ransomware incidents surged 95%, further underscoring that cyber risk now threatens life-critical services.
In Uganda, hackers used 2,000 SIM cards to siphon UGX 11 billion (US$3 million) across MTN, Airtel, and Stanbic Bank, exposing a critical blind spot. While banks were regulated, the middleware connecting them to mobile wallets was not. This gap means a single vulnerability in an unregulated API could trigger losses across the entire financial system, turning a local breach into a regional crisis.
The report also highlights a culture of “performative compliance,” which allows emerging threats like Shadow AI to bypass oversight and enable advanced persistent threats to flourish. Experts note that while privacy and cybersecurity are inherently linked, many organizations still treat them as separate compliance tracks, leaving gaps in protection.
The report reframes cyber success from zero breaches to system-level resilience. Countries that can build domestic talent, enforce API governance, simulate attacks, and secure identity verification will be better positioned to absorb shocks and maintain growth. In East Africa, cyber resilience may now determine which economies thrive and which falter.
