By Bothwell Nyajeka
ABOUT 10 years ago, I experienced my first cybersecurity incident. It started with what appeared to be an innocent email sent to our finance department.
The message purported to come from one of our major suppliers and advised that their banking details had changed. The email looked legitimate: correct branding, familiar tone, even a convincing signature block. Our accounts department updated the supplier records and processed payments into the new bank account.
Only later did we discover that the account did not belong to our supplier and that we had fallen victim to phishing (fraudulent emails designed to mimic trusted sources). Fortunately, after a lengthy investigation and nearly two years of recovery efforts, we managed to recover the funds. But the experience was sobering.
Since then, cyber threats have escalated dramatically and will continue to become more sophisticated as a result of Artificial Intelligence (AI).
Recently, I was made aware of a ransomware attack where a company was locked out of its data and systems until payment was made. The company had to pay a substantial amount of money to regain access to its data and systems.
This week, I read an article that was published on the internet (https://bbc.com/news/articles/c0j59vydxj9o). According to the article, at the beginning of this year, a video appeared on social media sites in India showing the chief executive officer of the Bombay Stock Exchange giving investors advice on what equities/shares to buy.
Viewers were promised handsome returns if they took the advice. The only problem was that it was not the chief executive officer of the Bombay Stock Exchange who appeared on the social media sites, it was a deepfake video of him, made using AI.
Local press reports regularly highlight cases of bank card cloning, identity theft, and digital fraud affecting both corporates and individuals.
Cybersecurity risk is the risk of financial loss, disruption, or reputational damage arising from breaches of internet-connected digital information systems. This risk is no longer just technical; it has become strategic. This is so because digital information systems now underpin almost every aspect of commerce and industry.
Zimbabwe’s exposure to cybercrime is significant. The National Cybersecurity Index (a global index that measures preparedness to prevent cyber threats and manage incidents) ranks Zimbabwe at number 129 out of 160 countries, reflecting weak defensive cyber capabilities. In addition, a January 2025 Techpoint Africa report ranked Zimbabwe as the fifth most cyber-attacked country globally.
The government has made progress in addressing cybersecurity by enacting the Cybersecurity and Data Protection Act of 2021, which established the Data Protection Authority under the Postal and Telecommunications Regulatory Authority of Zimbabwe (Potraz). However, despite the legal framework, implementation across corporate Zimbabwe remains inconsistent, leaving organisations vulnerable to cybersecurity breaches.
As reliance on information technology increases, data has become one of the most valuable assets in any institution. Data is now as critical as financial capital or physical infrastructure. Therefore, boards must make data protection and cybersecurity a governance priority.
As a starting point, boards should ensure that cybersecurity risk management is embedded into the company’s enterprise risk management framework and discussed regularly at board level.
The most common causes of cybersecurity breaches are outdated software, weak security controls and human error. Unpatched systems, shared passwords, and poor user access controls create easy entry points for attackers. Many breaches occur not because of sophisticated hacking, but because of basic control weaknesses.
Boards must ensure that management conducts comprehensive cybersecurity risk assessments and identifies gaps requiring urgent attention.
Cyber threats evolve rapidly. Internal information technology (IT) teams may not always detect vulnerabilities. Boards should therefore encourage independent expert assessments, including penetration testing, external cybersecurity audits and continuous cybersecurity awareness campaigns throughout the company.
Regular reviews of compliance with data protection legislation are equally important. Boards must ensure that their organisations comply with the Cybersecurity and Data Protection Act of 2021 amongst other industry-relevant information security standards and best practices.
Boards should also evaluate cybersecurity insurance as part of their risk mitigation strategy. While premiums may appear costly, a risk-benefit analysis may reveal that coverage provides essential financial protection against major cyber incidents like ransomware.
Insurance does not replace strong internal controls, but it can help cushion the financial impact of catastrophic breaches.
A number of breaches also trace back to people, not technology, whether it’s an employee falling for a scam, an administrator reusing a password, or a developer misconfiguring a server. Thus, technology alone cannot prevent cybercrime. Human behaviour must also be addressed by creating a company-wide culture that is aware of cybersecurity risks and responds to them timeously.
Phishing emails, suspicious links, and fraudulent payment requests succeed because employees are unaware or insufficiently trained. Regular training programmes should equip employees to identify phishing attempts and to verify unusual payment instructions, such as a change of supplier bank details, through an independent channel before acting on them. Training will also cement the discipline, among employees, of maintaining strong passwords and escalating/reporting suspicious cyber activity promptly.
The financial, reputational, and operational consequences of cybersecurity breaches are severe. Data loss can erode investor confidence, damage brand reputation, and disrupt business continuity.
My experience a decade ago demonstrated how a simple email could trigger a significant financial event. Today’s cyber risks are more complex and potentially far more damaging.
Zimbabwe’s digital transformation presents enormous opportunities for growth and innovation. However, boards that fail to treat cybersecurity as a strategic issue risk exposing their organisations to financial loss, regulatory penalties, and reputational harm.
Lastly, as AI reshapes the tactics of cybercriminals, the responsibility falls on boards to remain vigilant, curious and engaged. Assessing emerging cyber risks is not a one-time exercise, it is an ongoing duty of governance in this digital age.
Nyajeka is a Chartered Accountant and business leader. He has vast experience as a corporate executive and has sat on various boards in Zimbabwe, Botswana, South Africa and Uganda. He is currently chairman of ACR Solutions and is also a seasoned trainer and facilitator for the Institute of Directors Zimbabwe (IoDZ). For board advisory, executive coaching, leadership development and business turnaround consulting, email him at bnyajeka@acr4solutions.com.