Bentsi-Enchill, Letsa & Ankomah.

October is Cybersecurity Awareness Month. The Cyber Security Authority (‘CSA’) has announced its theme as ‘Building a Safe, Informed and Accountable Digital Space’. The theme focuses on protecting digital rights, using technology responsibly and fighting the spread of false information. What does this mean for your business? In this article, we consider the national theme, the implications for the workplace and how businesses can build a safe and responsible digital workspace. We discuss (i) what cybersecurity is and the importance of a cyber-aware business, (ii) common cyberattacks, and (iii) building a safe and responsible digital workspace.

 

What is cybersecurity?

The International Telecommunication Union defines ‘cybersecurity’ as a “collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, trainings, best practices, assurance and technologies that can protect the cyber environment of organisations and user’s assets. Cybersecurity is an integrated domain comprising technology, people and processes to achieve a secured cyber environment.”  

Essentially, cybersecurity protects the confidentiality, integrity and availability of data and information systems. Confidentiality ensures that only authorised people have access to information, integrity maintains the accuracy and reliability of information, and availability guarantees that information systems are accessible to authorised persons when needed.

The importance of a cyber-aware business

Today’s businesses rely heavily on digital systems to collect, process and store information. This makes cyber-awareness essential, as the information held makes businesses prime targets for cyberattacks. As recently seen with a global automotive company, a single breach could be extremely costly, with consequences ranging from operational disruption to financial loss, legal repercussions and reputational damage. Thus, cybersecurity must be embedded into every aspect of the business. Good corporate governance requires continuous oversight over cybersecurity. Investment in cybersecurity and strong digital defences not only reduces the impact and risk of cyberattacks but also keeps businesses compliant with cybersecurity laws and preserves customer trust.

Common cyberattacks

Cyberattacks occur in several ways, but some are more prevalent. Verizon’s 2025 Data Breach Investigations Report (‘DBIR’) indicates that in Europe, the Middle East and Africa (‘EMEA’), the biggest threats are ‘system intrusion’ and ‘social engineering’ breaches. System intrusion is where attackers gain unauthorised access to a system, and social engineering occurs when victims are tricked into giving away sensitive information or making security mistakes.

For many businesses, cybersecurity risks could arise not only from external attacks but from the actions of their own employees. Verizon’s 2025 DBIR shows that in the EMEA region, 71% of cyberthreats came from external actors and 29% from within organisations. While external actors like criminal groups, hackers and even former employees pose serious threats, the risks from internal actors (employees, independent contractors and other staff) should not be underestimated or ignored. A worker’s lack of proper training or inadvertence could leave a business vulnerable to cyberattacks like phishing emails, which could result in data breaches, financial loss and legal repercussions, among other risks.  

Hackers use malware to carry out system intrusion attacks. Malware is software, such as ransomware and viruses, designed to destroy or gain unauthorised access to computer systems. Phishing is a type of social engineering attack that uses fake websites, texts or emails to trick people into revealing confidential information like passwords and financial details. For example, attackers may use phishing techniques to send emails to businesses, and if an ill-informed employee opens a link or attachment, malware spreads on the computer network.

These risks are real: due to a ransomware attack in August 2024, the Electricity Company of Ghana Ltd (‘ECG’) lost between GHS 400 million and GHS 500 million. The cyberattack impeded ECG’s ability to collect revenue and the efficient operation of its systems. Weak and ineffective cybersecurity practices have far-reaching ramifications.

Building a safe digital workspace

Cyber-awareness ensures a clear plan exists before a crisis occurs. An effective plan can be three-pronged and consist of establishing a cybersecurity policy, engaging professional support, and obtaining insurance coverage to manage residual risks.

  • Cybersecurity Policy: Every business should have a well-defined cybersecurity policy that provides the guidelines and procedures needed to protect an organisation’s systems, networks and data against unauthorised access, theft or disruption. A well-structured cybersecurity policy typically includes provisions on employee awareness and training, access controls to sensitive data and incident response procedures. Cybersecurity policies should be reviewed regularly and updated to reflect new threats and changes in business operations. Management must approve policies, allocate resources and ensure collective responsibility for the implementation of cybersecurity policies. The policy’s effectiveness depends on all employees understanding and complying with it.
  • Engage Cybersecurity Service Providers: Businesses should seek specialist support from cybersecurity service providers (‘CSP’). CSPs help identify vulnerabilities, recommend best practices and provide staff training.
  • Cyber Liability Insurance: Businesses should obtain cyber liability insurance to mitigate legal and financial liabilities resulting from cyberattacks.

Cyberattack! What next?

Even well-prepared businesses could still face cybersecurity incidents. Under the Cybersecurity Act, 2020 (Act 1038) (‘Cybersecurity Act’), a ‘cybersecurity incident’ is essentially any act or attempt to gain unauthorised access to, disrupt or misuse an information system or the information it holds. After a cybersecurity incident, a business has to report the incident to the relevant authorities. The business may also engage a licensed CSP to perform a forensic examination of affected systems to identify and remove malicious elements, determine the root cause, and restore security.

Under the Cybersecurity Act, the affected institution must report the cybersecurity incident to the relevant government agency within 24 hours after the incident is detected. Currently, the CSA has named the following agencies for these specific institutions: 

  • Government – National Information Technology Agency;
  • Telecommunications – National Communications Authority;
  • Banking and Finance – Bank of Ghana; and
  • National Security – National Signals Bureau.

Other institutions report incidents directly to the CSA by email or through the Incident Reporting Form. The CSA treats all incoming information as confidential. Sensitive incidents may be explicitly marked as ‘sensitive’ (for example, in the email subject line) and, if possible, should be encrypted.

Furthermore, where a cybersecurity incident involves unauthorised access to personal data, a business must report the data breach to the Data Protection Commission as soon as reasonably practicable after detection.

The Data Protection Act, 2012 (Act 843) (‘DPA’) applies to the processing of personal data in Ghana, or to the processing of personal data that originates from Ghana. The business must also take steps to restore the integrity of the affected information system.

Conclusion

Businesses should view cybersecurity as a core business responsibility. Building a safe, informed and accountable digital space requires collective effort across all levels of a business. Investing in strong cybersecurity and fostering awareness and accountability allow businesses to adapt to our increasingly digital world. When cybersecurity is integrated in this manner, it becomes embedded in the business’ culture and evolves into a shared responsibility that demands ongoing dedication.

 
