Incidents of cybercrime have become increasingly prevalent in Kenya. According to the Kenya Cyber Security Report 2016, Kenya lost Sh17.8 billion to cybercriminals in 2016, a 14 per cent increase from Sh15 billion the previous year. The threat level is clearly escalating.
Despite the elevated level of threat, institutions are still grossly underinvesting in cyber security. The report indicates that 96 per cent of firms in Kenya spend Sh50,000 annually or nothing at all on cyber security.
Part of the reason institutions are not beefing up their cyber security budgets, despite clear evidence that they need to, is that they don’t fully understand their risk of exposure.
We generally lack awareness of mitigating controls or believe that we cannot fall victim to cybercrime.
There is the general misperception that cybercriminals only target financial institutions, and that if you are not a bank, insurance company or financial services provider, you are safe. This is not true.
Any organisation that is connected to the Internet and has transactions taking place over telecommunication networks is a potential target.
Furthermore, there is an emergent underground digital economy in which data is a highly priced commodity, and this has fuelled data theft. Data theft has serious consequences, both for governments and individuals.
In November last year, for instance, WikiLeaks founder Julian Assange published troves of data that portrayed US presidential hopeful Hillary Clinton as a key backer of an insidious plan that successfully toppled Muammar Gaddafi in Libya. Though the veracity of the accusations remains debatable, the publication nevertheless reinforced negative attitudes towards Clinton.
On a personal level, many people, including prominent Kenyans, have been victims of character assassination campaigns in which hackers gained access to their phones and posted personal and compromising photos on blogs and online forums.
These examples indicate that spending on cyber security needs to increase. Moreover, institutions need to understand that the cyber security threat landscape has evolved from the initial password guessing of the 1990s to highly sophisticated malware, bots and ransomware.
Ransomware is an attack in which hackers hijack control of your system and threaten to delete all files within a stipulated period if you don’t send a ‘ransom’.
This specific kind of attack has become increasingly prevalent, with the authorities recently announcing that there were confirmed reports of it in Kenya.
Consequently, it is imperative that risk managers and top-level management take the time to understand the dynamics of cybercrime by reviewing analysts’ reports.
These reports contain critical insights that can help an organisation set up its defence-in-depth strategy against cybercrime.
It has also emerged in multiple reports that the key enablers of cybercrime in Kenyan organisations are insiders who have authorised access to the IT infrastructure as well as sensitive information.
Rogue elements may sometimes use this access for illegal purposes, while innocent insiders may unwittingly share sensitive information on platforms such as WhatsApp and Facebook, exposing the organisation to external threats.
This underscores the need for organisations to inculcate a culture of information security awareness and conduct proper background checks during employee recruitment.
Every organisation also has distinct vulnerabilities and strengths when it comes to preparedness for cyber-attacks.
It is therefore imperative that organisations proactively engage cyber security professionals who can conduct penetration tests to identify vulnerabilities and propose mitigating controls.
A survey by the Kenya National Bureau of Statistics and the Communications Authority of Kenya (CA) shows that 83.1 per cent of public sector institutions do not even have mechanisms to detect intruders within their networks.
Cybercrime has become highly attractive, heightening the likelihood that the threat will escalate in the coming years. The need for organisations to ramp up investments in cyber security can therefore not be overstated.