Underspending in cyber security costly mistake


Incidents of cybercrime have become increasingly prevalent in Kenya. According to the Kenya Cyber Security Report 2016, Kenya lost Ksh17.8 billion to cyber criminals in 2016, a 14 percent increase from Ksh15 billion the previous year. The threat level is clearly escalating. Despite the elevated level of threat, institutions are still grossly underinvesting in cyber security. The report indicates that 96 percent of firms in Kenya spend Ksh50,000 annually or nothing at all on cyber security.

Part of the reason why institutions are not beefing up their cyber security budgets, despite clear evidence that they need to, is that they don’t fully understand their risk of exposure. We generally lack awareness of mitigating controls or believe that we cannot fall victim to cybercrime.

There is a general misperception that cyber criminals only target financial institutions and that if you are not a bank, insurance company or financial services provider, you are safe. This is not true. Any organisation that is connected to the Internet and has transactions taking place over telecommunication networks is a potential target.

Furthermore, there is an emergent underground digital economy in which data is a highly priced commodity. This incentivizes, and has fueled, data theft.

Data theft has serious consequences, both for governments and individuals. In November last year, for instance, WikiLeaks founder, Julian Assange, published troves of data that portrayed U.S. presidential hopeful, Hillary Clinton, as a key backer of an insidious plan that successfully toppled Gaddafi’s Libya. Though the veracity of the accusations remains debatable, it nevertheless reinforced negative attitudes towards Clinton.

On a personal level, many people, including prominent Kenyans, have been victims of character assassination campaigns in which hackers gained access to their phones and posted personal and compromising photos on blogs and online forums.

These illustrations indicate that spending on cyber security needs to increase. Moreover, institutions need to understand that the cyber security threat landscape has evolved from the initial password guessing in the 90s to highly sophisticated malware, bots and ransomware.

Ransomware is an attack in which hackers hijack control of your system and threaten to delete all files within a stipulated period if you don’t send a ‘ransom’. This specific kind of attack has become increasingly prevalent, with the authorities recently announcing that there were confirmed reports in Kenya.

Consequently, it is imperative that risk managers and top-level management take the time to understand the dynamics of cybercrime by reviewing analysts’ reports. These reports contain critical insights that can help an organisation set up its defence-in-depth strategy against cybercrime.

It has also emerged in multiple reports that the key enablers of cybercrime in Kenyan organisations are insiders who have authorised access to the IT infrastructure as well as sensitive information. Rogue elements may sometimes use this access for illegal purposes, while innocent insiders may unwittingly share sensitive information on platforms such as WhatsApp and Facebook, exposing the organisation to external threats. This underscores the need for organisations to inculcate a culture of information security awareness and conduct proper background checks during employee recruitment.

Every organisation also has distinct vulnerabilities and strengths when it comes to preparedness for cyber-attacks. It is, therefore, imperative that organisations proactively engage cyber security professionals who can conduct penetration tests to identify vulnerabilities and propose mitigating controls. A survey by the Kenya National Bureau of Statistics and the Communications Authority of Kenya (CA) shows that 83.1 percent of public sector institutions do not even have mechanisms to detect intruders within their networks.

The government also needs to provide the legislative support to apprehend cybercriminals operating in and outside the country. This calls for cooperation and international legal frameworks between countries, because cybercrime occurs in a virtual environment beyond borders and beyond territorial law, and some hackers purposely operate out of the country to avoid apprehension and subsequent prosecution.

Institutions need to act sooner rather than later as the threat of cybercrime isn’t subsiding anytime soon. The latest Internet usage report from the Communications Authority of Kenya indicates that 74.2 per cent of Kenyans are online, underlining the level of exposure to the threat. Furthermore, we have a young, well-educated population which is very tech-savvy and unemployed. Cybercrime has, therefore, become highly attractive, heightening the likelihood that the threat of cybercrime will escalate in coming years. The need for organisations to ramp up investments in cyber security can therefore not be overstated.


Olang is the Head of Laser Infrastructure & Technology Solutions (LITES), an ICT and infrastructure subsidiary of CPF Financial Services.


