Data security is a high priority material topic
Data security
Data security is the foundation of trust in a digital world
As cyber threats evolve, protecting our customers’ information is our highest priority. We invest in cutting-edge security solutions, expert talent and rigorous governance to safeguard sensitive data while ensuring network resilience and full compliance with local laws to drive customer confidence across our 14 markets.
Our focus areas
Confidentiality
Protecting information from exposure to an unauthorised party and keeping sensitive information private as well as introducing encryption services to protect stored data and data in transit.
Integrity
Ensuring the constant reliability of our data, network and systems. This includes introducing proactive measures to restrict unapproved changes while also having the ability to recover data that has been lost or compromised.
Availability
Guaranteeing our authorised users have access to the systems, platforms and data that they need to perform their daily tasks as well as resolving hardware and software conflicts to build resilience in design. This is supported by regular maintenance to keep systems up to date and available.
GRI framework
GRI 418-1 Substantiated complaints concerning breaches of customer privacy and losses of customer data
Our approach to managing data security
At Airtel Africa, data security is fundamental to our business and essential to maintaining the trust of our customers – and we remain vigilant in protecting our digital ecosystem.
To counter cyber threats, we deploy industry-leading security technologies:
- Web application firewalls and anti-DDoS solutions to safeguard our infrastructure
- Network detection and response to proactively identify threats
- Endpoint detection and response for enhanced device security
- 24/7 security incident response, supported by specialised partners, ensuring real-time action
- Brand protection and takedown services to combat fraudulent activities.
We continuously monitor the cyber threat landscape, including the dark web, to stay ahead of emerging threats. We employ advanced data loss prevention (DLP) technology to protect sensitive information across our network and engage external security experts to respond to incidents rapidly and build resilience.
We track performance against KPIs which are reviewed regularly by our chief information security officer (CISO). Any deviations trigger immediate corrective action plans.
Our commitment to data security and privacy establishes us as a trusted leader, proactively anticipating and mitigating risks to uphold the highest standards of information security for customers, partners and regulators.
Prashant Nair
Chief information security officer
Risk management
Risk management is a key aspect of our approach to data security. We conduct information security risk assessments at multiple levels, including:
- Continuous evaluation of critical external-facing assets
- Ongoing threat identification through vulnerability and penetration testing, prioritised by asset criticality
- Application security assessments conducted before code implementation
- Annual Group-wide security assessments
Our risk assessment procedure evaluates risks by classifying assets based on confidentiality, integrity, availability and privacy. Threats are assessed and rated by likelihood, ranging from very low to very high.
Threat hunting and intelligence tools help us detect vulnerabilities before they escalate.
Key risk indicators are assessed monthly and reported to the chief information officer (CIO). Compliance with ISO 27001 and ISO 22301 frameworks provides additional security.
This year, we enhanced our multi-layer security framework, achieving significant improvements in our security priorities. Our adherence to global best practices is reflected in the following certifications:
- ISO 27001 for Group, including GSM and Airtel Money
- ISO 22301 for Group, including GSM and Airtel Money
- ISO 27001 for SmartCash PSB (Nigeria)
- ISO 22301 for SmartCash PSB (Nigeria)
- PCI DSS certification for SmartCash PSB (Nigeria)
Training
We ensure a robust data security culture through employee training, including phishing simulations across all OpCos. Employees who fail simulations undergo mandatory security training, reinforcing our commitment to data protection.
To extend our security awareness initiatives beyond internal teams, we also introduced specialised security training mailers for our Board of directors at selected OpCos, tailored to meet regulatory requirements. Additionally, in July 2024, we launched a security awareness programme for key partners and vendors, reinforcing security best practices across our wider ecosystem.
Governance
Data security is a standing agenda item at quarterly Executive Risk Committee (ERC) meetings, where the CISO presents the state of information security, emerging threats and mitigation strategies. The CISO also reports quarterly to the Audit and Risk Committee on outstanding audit issues and material security risks. In addition, the CIO, CISO and OpCo IT directors review data security matters monthly. The information security team includes specialists from various cybersecurity domains and a dedicated security expert from a trusted third-party provider.
We’ve also established comprehensive information security (IS) and business continuity (BC) governance structures, comprising two main governing channels.
Group-level governance
The Group-level information security team, led by the CIO and supported by the CISO, is responsible for strategic decision-making, governance, overall implementation and monitoring of data security controls across 14 OpCos.
This governing body includes:
- Chief information officer (CIO) – chair
- Chief technology officer (CTO)
- Chief compliance officer (CCO)
- Chief information security officer (CISO)
- OpCo representatives and, as and when required, domain specialists in application security, vulnerability management, third-party risk, network security, endpoint security, security operations, identity and access governance, threat intelligence and risk compliance.
OpCo-level governance
At OpCo level, governance is managed by a dedicated information security and business continuity working group comprising the country managing director, information security manager, functional head, technical team leaders and representatives from multiple departments who are responsible for implementation of information security controls in each OpCo. This working group is chaired by the CISO.
These governance bodies work closely with the Group information security team, ensuring alignment and compliance with Group-wide security strategy.
Policies and frameworks
Our data security framework is guided by key internal policies, including:
- Group information security policy
- Data protection and privacy policy
- Third-party risk management framework
- Ransomware protection policy
These policies ensure a structured, proactive approach to safeguarding data across Airtel Africa.
Key performance indicators (KPIs)
- 1,478 external penetration tests (2,993 in 2023/24)
- 30 ISO certifications across 14 OpCos (30 in 2023/24)
- 44% increase in number of security applications and platforms (25% in 2023/24)
- 0 successful breaches of our security platforms (0 in 2023/24)
Progress update against our targets in 2024/25
Over the past year, we've made significant progress in enhancing our cybersecurity capabilities, focusing on advancements in technology, talent development, software security and Group-wide awareness initiatives.
Enhancing network and endpoint security
In August 2024, we implemented a distributed denial of service (DDoS) prevention solution which has significantly reduced our exposure to DDoS attacks, protecting our IT systems and ensuring continuity of service. We reinforced endpoint security by replacing legacy laptops and desktop computers with more secure devices. We also introduced automated patching solutions and enhanced vulnerability scanning processes to detect and mitigate potential risks.
Investing in talent and expertise
Retaining highly qualified experts remains a priority as the cybersecurity landscape evolves. In April 2024, we strengthened our endpoint security governance by appointing an experienced senior manager to oversee this critical area. In November 2024, we expanded our security assurance team with the addition of a specialist responsible for vulnerability management and application security. These hires bring additional expertise to our security operations, ensuring we remain resilient against emerging threats.
Advancing software security
We continue to improve our software security, with a focus on detecting vulnerabilities early in the development cycle. Over the past 12 months, we introduced and embedded a vulnerability detection and remediation platform, increasing the accountability of infrastructure asset owners for security patching compliance. In addition, we fully integrated a secure code review platform, which identifies security flaws in application source code as developers write it. Introduced in 2023, this platform has matured during the past year, improving software security and reducing the risk of exploitable vulnerabilities in applications which are developed internally.
Enhancing a culture of security awareness
Building a strong security culture across Airtel Africa continues to be a key focus. We conducted a series of targeted awareness campaigns, including security briefings for OpCo Boards, as well as training sessions for the Group. We also shared our security awareness campaign’s materials with partners and suppliers. In October 2024, we held our second annual Group-wide information security awareness month. In addition, we launched an information privacy month in January 2025, strengthening the knowledge of our employees on privacy rights, security responsibilities and protective measures.
Data security in action
Strengthening cybersecurity resilience and vigilance across our workforce
Cybersecurity training remains fundamental to our approach. We’ve embedded a structured training programme across the Group, ensuring all employees understand their role in safeguarding digital assets. Mandatory annual training covers areas such as information security, data privacy and business continuity, and in 2024/25, 100% of our workforce completed these training modules. To complement these efforts, in October 2024, we launched a cybersecurity awareness month engaging all OpCos in a programme designed to strengthen employees’ understanding of cybersecurity threats and best practices. It featured expert-led training sessions and educational materials.
To test employees’ ability to recognise cyber threats, we conducted six phishing simulations between April and December 2024, targeting users across multiple OpCos. Learning from this Group-wide exercise, we undertook further measures to reinforce understanding of social engineering threats across our workforce.