Eswatini Faces Cybersecurity Crisis as Government Fails to Act on Rising Threats

Report Highlights Growing Cybersecurity Crisis in Eswatini Due to Government Inaction

MEDIUM
December 14, 2025
3m read
Policy and ComplianceRegulatoryOther

Related Entities

Organizations

Government of Eswatini

Full Report

Executive Summary

A report from December 13, 2025, paints a grim picture of the state of cybersecurity in the Kingdom of Eswatini. The nation is grappling with a significant and growing number of cyberattacks, while the government's response is described as largely ineffective. Key issues identified include a lack of investment, outdated legal frameworks, a critical shortage of skilled cybersecurity professionals, and a failure to implement the national cybersecurity strategy for 2022-2027. This inaction has left Eswatini's citizens, businesses, and government institutions dangerously exposed to cybercrime.

Regulatory Details

The core of the problem lies in a governance and policy vacuum. The country's legal frameworks for combating cybercrime are outdated and lack the necessary enforcement mechanisms to deter threat actors. The Eswatini National Cybersecurity Strategy 2022-2027, which outlines goals for building capacity and strengthening governance, has seen little tangible progress or implementation. There is minimal budget allocated to cybersecurity projects, and law enforcement agencies are reportedly ill-equipped to investigate or prosecute cybercrime cases, leaving victims with little to no recourse.

Affected Organizations

The lack of a national cybersecurity posture affects all sectors of the country:

  • Citizens: Increasingly falling victim to online scams and data breaches.
  • Businesses: Facing financial losses and operational disruptions from cyberattacks without adequate support.
  • Government Agencies: State institutions themselves are targets, threatening the integrity of public services and national data.

Compliance Requirements

The issue is not a failure to meet compliance requirements, but rather the absence of a robust compliance and enforcement regime. The report suggests a fundamental need to establish and enforce cybersecurity standards and regulations across both public and private sectors. Without a governing body to mandate and audit security controls, adoption of best practices remains voluntary and sparse.

Impact Assessment

  • Economic Impact: The lack of security deters digital transformation and foreign investment. Businesses suffer direct financial losses from cybercrime.
  • Social Impact: Citizens lose trust in digital services and are increasingly vulnerable to fraud and scams.
  • National Security: The vulnerability of government institutions and critical infrastructure poses a risk to national security and the stability of public services.

Compliance Guidance

The report implicitly calls for a multi-pronged approach to building a national cybersecurity capability:

  1. Policy Reform: Update and pass modern legislation that effectively criminalizes cybercrime and establishes clear investigative and prosecutorial powers.
  2. Investment: Allocate significant government funding to cybersecurity infrastructure, technology, and the creation of a national Computer Security Incident Response Team (CSIRT).
  3. Capacity Building: Launch national initiatives to train and develop a skilled cybersecurity workforce. This includes partnerships with academic institutions.
  4. Public-Private Partnership: Foster collaboration between the government, private sector, and academia to share threat intelligence and best practices.
  5. Public Awareness: Initiate nationwide campaigns to educate citizens and small businesses about common cyber threats and basic security hygiene.

Timeline of Events

1
December 13, 2025
A report is published detailing the cybersecurity crisis in Eswatini.
2
December 14, 2025
This article was published

MITRE ATT&CK Mitigations

User Training

M1017enterprise

Implementing national public awareness campaigns is a foundational step to improve baseline security hygiene among citizens and small businesses.

Audit

M1047enterprise

Establishing a framework for auditing government agencies and critical sectors against a national cybersecurity standard is necessary for governance.

Operating System Configuration

M1028enterprise

Developing and promoting secure configuration baselines for government systems is a key technical measure.

Mapped D3FEND Techniques:

D3-PH

D3FEND Defensive Countermeasures

Strong Password Policy

D3-SPPMaps to MITREM1027
D3FEND

As a foundational step for Eswatini, the government should develop and mandate a national Strong Password Policy for all its agencies and promote it as a best practice for the private sector. This policy should include requirements for password complexity, length, and history, and explicitly forbid the use of common or easily guessable passwords. While simple, this is a high-impact, low-cost measure that hardens systems against brute-force and password spraying attacks, which are common tactics used in less mature cyber environments. A public awareness campaign accompanying the policy can educate citizens on the importance of using unique passwords for different services, directly addressing the vulnerability of individuals to online scams.

DNS Denylisting

D3-DNSDLMaps to MITREM1021
D3FEND

To provide a basic level of protection at a national scale, Eswatini's government could establish a national DNS denylist service. This involves creating and maintaining a list of known malicious domains associated with phishing, malware, and command-and-control servers. The government could then offer a free, public DNS resolver service that incorporates this denylist, which citizens and businesses can opt to use. This would prevent users from connecting to a large number of malicious sites, effectively providing a national-level protective DNS service. This is a scalable way to protect a large number of users with minimal endpoint configuration and is a common feature of a national cybersecurity strategy.

Software Update

D3-SUMaps to MITREM1051
D3FEND

The government of Eswatini must prioritize the creation and enforcement of a national patch management policy for all government systems. This policy should mandate that all software, from operating systems to applications, be updated to patch security vulnerabilities within a defined timeframe. A lack of patching is a primary reason for successful cyberattacks globally. By creating a centralized directive and providing guidance, the government can significantly raise the security posture of its own institutions. This policy should be a core component of the currently unenforced National Cybersecurity Strategy and would serve as a model for the private sector to follow, reducing the overall attack surface of the entire country.

Sources & References

Cybersecurity Challenges Persist Unaddressed in Eswatini Amid Growing Threat Landscape
Cyber Observer (cyber-observer.com) December 13, 2025
Eswatini national cybersecurity strategy 2022 - 2027
Digital Watch Observatory (digitalwatch.gov) December 13, 2025

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

Eswatinicybersecurity policygovernancenational securitycybercrime

📢 Share This Article

Help others stay informed about cybersecurity threats

Continue Reading

Previous All Next