Kenyan firms pay heavy price for data safety lapses
Posted Monday, August 16 2010 at 00:00
Data has become an invaluable asset in every sector.
Yet even as the world’s businesses become interconnected by the same business language, developing nations face an extra cost burden through their almost complete negligence of information security, according to a 2005 Information Economy Report from UNCTAD.
In a clarion call, a full five years ago, to take the value of information more seriously, the report urged the criminalising of cyber attacks and the introduction of risk-management policies, as well as constant monitoring of ICT security regulations and the training of skilled staff to run effective security programmes.
The calls have had virtually no impact in Kenya, despite the country’s galloping growth in intellectual property and information held within businesses — from client information, including card numbers and contacts, to sensitive company information such as login details, mailing lists and security codes.
Not one company or public sector organisation in the country has yet implemented the globe’s international standards — ISO/IEC 17799:2005 and ISO/IEC 27001 — dealing specifically with information security.
Yet in some countries it is a compulsory requirement for any organisation holding data.
The absence of any data standards is a gap so costly to the nation that ACAL, the leading supplier of performance contract and ISO consulting to Kenya’s public sector, last month began a campaign to get companies to appreciate the huge costs of leaving their information unsecured.
The consultancy is this week flying in a British Standards Institute and Iade Training group trainer to provide a one-day briefing for all-comers on the ISO, and will in September be bringing in further international trainers to supply the first implementers’ course in ISO in Kenya.
The first trainer, Robert Cooke, has been a consultant in management system and information security for 27 years and is a lead auditor in the UK in the Information Security Management Systems ISO.
As well as targeting senior IT and systems managers, information security experts and the auditors who will introduce ISO 27001:2005 with the awareness training, ACAL last week launched a self-evaluation tool on its website for companies to assess their individual needs to implement information security.
The scale of the agency’s drive to raise awareness reflects the scale of the need, says John Njiri, an ICT consultant with ACAL.
“Many Kenyan businesses are yet to fully appreciate information as a critical business asset,” he said.
Yet “the biggest threat to information security lies with staff.”
The way that employees handle and store data is crucial in guaranteeing information security: information lost through a stolen laptop, a misplaced flash disc, or carelessly placed paper files or folders is capable of having a ripple effect.
This happened in 2005 to a Japanese bank, Aomori-based Michinoku Bank, which received a warning from the Financial Services Agency after the bank lost CD-ROMs containing personal information about the bank’s customers.