Strengthening Cyber Defences: The Road to Resilience in East Africa

Findings from the 2025 East Africa Digital Trust Insights

Welcome to PwC’s East Africa Digital Trust Insights Survey

As cyber threats become more sophisticated and persistent, organisations across East Africa are rising to the challenge. Our latest survey reveals a significant shift in priorities, with 74% of businesses in the region placing cyber risks at the top of their agenda—well above global averages. It’s clear that cybersecurity is no longer just an IT issue; it’s a critical business imperative.

East African organisations are navigating a complex landscape, where regulatory compliance, third-party breaches, and social engineering attacks are testing their resilience. In response, 44% of businesses are focusing on regulatory alignment, and many are making bold investments to modernise their infrastructure and upskill their teams.

This report also dives into the promise and risks of emerging technologies like GenAI, which is poised to transform security operations but introduces new vulnerabilities that leaders must be prepared to manage. Despite these challenges, East Africa’s leaders are showing strong collaboration and engagement at the board level, positioning the region as a leader in cybersecurity readiness.

Through in-depth survey data and expert analysis, this report provides valuable insights into the strategies and investments shaping the future of cybersecurity in East Africa. Whether you’re looking to strengthen your defences or explore new innovations, we hope these findings will inspire actionable steps toward greater resilience.

We invite you to explore the findings and reach out to me or any of the PwC experts featured in this report for further discussion on how to turn these insights into tangible results for your organisation.

 

Key findings

Threat outlook and emerging technologies

74% of organisations prioritise cyber risks, with threats like third-party breaches, social engineering, and hack-and-leak operations identified as key concerns.

Regulatory development

92% of respondents report that cybersecurity regulations have challenged, improved, or strengthened their security posture, compared to 78% globally, underscoring regional commitment to improvement.

Cyber leadership

East African boards show strong levels of engagement on key subjects such as cyber metrics (59%) and regulatory actions (46%), both considerably higher than the global averages.

Cyber strategy

While 54% of regional firms prioritise critical processes in their cyber strategies, only 29% conduct tabletop exercises, highlighting resilience gaps.

Cyber investment and priorities

34% of organisations plan a 6-10% budget boost for cybersecurity (closely aligned with global trends), including significant investments in modernising cyber infrastructure.

Cyber risk quantification (CRQ)

46% of organisations lack confidence in using CRQ due to concerns about potential legal or regulatory exposure, and 39% due to the complexity of available tools and data quality issues.

Emerging technologies and GenAI

65% of security executives in the region indicate that GenAI has widened the cyber attack surface, nearly matching the global rate of 67%

Behaviours

East Africa outperformed global peers by 10-20% across all cybersecurity behaviours, reflecting a robust approach to threat response.

Threat outlook and emerging risks

Adapting to shifting risks

Balancing global cyber threats with regional economic concerns.

The cybersecurity landscape is rapidly evolving, with a recent survey highlighting significant shifts in organisational priorities. Globally, 57% of organisations now view cyber risks as their top concern, followed by digital and technology risks (53%) and inflation (48%). In East Africa, these concerns are even more pronounced, with 74% of organisations prioritising cyber risks and 71% focusing on digital and technology risks.

To learn more about the specific cyber threats and how organisations are adapting their strategies, download the full report.

Download the full report

Agility should be at the core of cybersecurity strategies for organisations across East Africa. By concentrating on pressing threats like third-party breaches and social engineering, while adjusting to economic challenges, they can bolster their resilience and secure their long-term defences.

Laolu Akindele - C&RS Partner (Consulting), PwC Kenya
Cyber threat concern versus preparedness chart

Regulatory developments

Leveraging the regulatory guardrail

Driving cybersecurity maturity through compliance and investment.

While East Africa may not exhibit the same regulatory push towards resilience as other regions, survey data indicates a positive trend. Despite compliance complexities, regulations are driving significant advancements in cybersecurity across various industries.

An impressive 96% of security leaders and CFOs in Africa report increased investments in security measures due to regulations, mirroring global trends. Additionally, 92% believe these regulations have strengthened their cybersecurity posture, compared to 78% globally.

Download the full report

Chart of obstacles to incorporating GenAI into cyber defense strategies

Regional businesses can build stronger cybersecurity frameworks by using international regulations as benchmarks. Aligning with global standards will not only enhance defences, but also position them to better meet evolving regulatory demands, while fostering trust with stakeholders by showing a commitment to best practices.

Julien Tyack - C&RS Partner (Risk), PwC Mauritius

Cyber leadership

Empowering leaders

Elevating cyber resilience through active engagement.

Leadership is crucial in shaping strong cybersecurity strategies and fostering accountability within organisations. Globally, there’s growing recognition of the importance of board-level engagement in cyber and privacy matters. In East Africa, 59% of organisations report discussing key cyber metrics at the board level, significantly higher than the global average of 35%. However, only 29% involve their boards in discussions about the cyber and privacy implications of major operating model changes, compared to 34% globally. 

To strengthen cyber leadership, East African boards must adopt a proactive approach, focusing on regulatory compliance, championing innovation, and embedding cybersecurity within the overall business strategy.

Download the full report

Chart of confidence in organization’s regulation compliance

For effective cybersecurity leadership, organisations must adopt a proactive, innovative stance that integrates security into their broader business strategies. In East Africa, progress at the board level is promising, but positioning cybersecurity as a driver of business transformation will be key to managing new risks and enhancing resilience.

Vikas Sharma - C&RS Leader, PwC Eastern Africa

Cyber strategy

Strategic foresight

Crafting cyber strategies that integrate resilience and compliance

Organisations globally are recognising the importance of a strong cyber strategy supported by leadership to sustain resilience. In East Africa, 54% of organisations have fully integrated the identification of critical business processes into their cyber strategy, surpassing the global average of 42%. However, other key resilience actions remain underdeveloped, with only 29% conducting tabletop exercises and 32% engaging in peer collaboration. Despite these gaps, East African organisations excel in stakeholder reporting (52%) and establishing resilience teams (45%), both above global averages.

To fully safeguard against evolving threats, East African organisations must accelerate the adoption of critical resilience measures, such as cyber recovery planning and industry collaboration. By incorporating these actions into their strategies, they will be better positioned to address existing gaps, navigate the complex cyber threat landscape, and ensure operational continuity and stakeholder trust. 

Download the full report

Chart of the benefits of quantifying cyber risk

To future-proof their defences, East African businesses should focus on advanced resilience strategies like tabletop exercises and cross-industry partnerships, reinforcing both preparedness and stakeholder confidence.

Edward Kerich - C&RS Leader, PwC Kenya

Cyber investment and priorities

Investing in resilience

Aligning cyber priorities to meet growing threats and regulatory demands

As cyber threats grow in complexity, organisations globally are increasing their cybersecurity budgets. In East Africa, 34% of organisations plan to raise their spending by 6-10%, aligning closely with global trends. Regulatory compliance is a priority for 44% of East African organisations, reflecting the region’s need to navigate expanding local and international regulations. In response, 50% of East African organisations are modernising their cyber infrastructure to address vulnerabilities, particularly against rising risks like third-party breaches and social engineering attacks.

Additionally, 50% of organisations in the region are prioritising cybersecurity training to build a more cyber-aware workforce, focusing on areas such as phishing simulations and incident response drills. Data protection remains a key focus, with 44% of East African businesses investing in safeguarding sensitive information. 

Download the full report

Chart of how organizations position cybersecurity as a competitive

Investing in both infrastructure and comprehensive cybersecurity training is crucial for businesses in the region to meet regulatory demands and address emerging threats. Acting now will help build the resilience they need to thrive in a rapidly changing environment.

Lyndon Lane-Poole - C&RS Partner (Risk), PwC Zambia

Cyber risk quantification

Lost in translation

Communicate cyber risk in terms that stakeholders care about

As cyber threats rapidly evolve, Cyber Risk Quantification (CRQ) has become essential for organisations. However, this year’s survey revealed that only 9% of respondents in East Africa are significantly measuring the financial impact of cyber risks. Across Africa, the number is slightly higher at 19%, with 86% of those using security posture assessments rather than scenario-based methods like FAIR. Hesitancy around CRQ in Africa often stems from uncertainty about the scope of risk quantification outputs and data quality issues.

Download the full report

Chart of implementation of cyber resilience actions across the organization

Quantified risks are more easily understood by management – organisations that don't measure cyber risks, or have not fully developed this capability, are leaving critical intelligence on the table, particularly when it comes to informing board decisions and capital allocation.

Diya Guttoo - C&RS Partner (Consulting), PwC Mauritius

Emerging technologies and GenAI

Be smart, be secure

Navigating a transformative tech landscape

Despite its transformative potential, Generative AI (GenAI) has yet to gain significant traction in East Africa. Investment over the past year has not been matched by integration into existing technological strategies. This cautious approach mirrors global sentiment, with 64% of CEOs acknowledging heightened cybersecurity risks associated with GenAI. Across Africa, 65% of security executives report that GenAI has expanded the cyber attack surface, making companies more vulnerable to sophisticated threats. Concerns about data integrity, privacy, and compliance, along with the potential for less sophisticated threat actors to craft effective phishing attacks and deepfakes, contribute to this caution.

Download the full report

As emerging technologies significantly alter the cybersecurity landscape, business leaders must take an engaged and proactive stance in navigating the complexities introduced by these innovations, making sure their organisations capitalise on new opportunities while also mitigating potential risks.

Jean-Pierre Young - C&RS Partner (Consulting & Innovation), PwC Mauritius

Behavious

Shared responsibility, collective action

The value of fostering collaborative behaviours

Based on our survey, security leaders in East Africa are nearly twice as likely as their global counterparts to implement controls and respond swiftly to cyber threats (51% vs. 26%). They are also more than twice as likely to collaborate with other business areas affecting cybersecurity (46% vs. 22%). This data highlights the mature stance of East African businesses in mitigating and responding to threats, emphasizing the necessity of quick responses to maintain trust and business continuity.

A key challenge for many organisations is the siloed nature of cyber resilience efforts. However, 74% of East African security leaders report frequent collaboration with colleagues on cybersecurity matters, underscoring a collective approach to shared responsibility. This unified strategy is crucial for tackling challenges that span across departments and organisations.

Download the full report

Chart of how organizations position cybersecurity as a competitive

Through collaboration and resource-sharing, security leaders in East Africa can strengthen defences against advanced cyber threats. By partnering with other organisations and government bodies to share threat intelligence and best practices, they will contribute to a more robust digital trust landscape.

Jamila Aroi - C&RS Partner (Risk), PwC Kenya

Methodology

The 2025 Digital Trust Insights Survey was designed to gather the perspectives of business and technology leaders worldwide on the challenges and opportunities for enhancing and transforming cybersecurity within their organisations over the next 12 months. The survey covers key topics such as threat outlook, investments, emerging technologies, regulations, and more.

The final results are based on 4,042 survey responses from 77 territories, spanning a diverse range of industries, sub-industries, and organisation sizes. Of these responses, 89% (3,585) were collected via an external panel provider, while 11% (457) were gathered through PwC’s territory network outreach. Responses were collected between 7 May and 12 July 2024.

The data shown in this report focuses on East Africa, including responses from Kenya, Mauritius, Rwanda, Tanzania, Uganda, and Zambia.

dti methodology

Required fields are marked with an asterisk(*)

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Follow us

Contact us

Vikas Sharma

Vikas Sharma

Regional Consulting & Risk Services (C&RS) Leader, PwC Mauritius

Tel: +230 404 5015

Lyndon Lane-Poole

Lyndon Lane-Poole

Consulting & Risk Services Leader, PwC Zambia

Tel: +260 (211) 334000

Hide