State agencies have weak security against cyber-crime: Survey

Numerous IT security holes have left government agencies highly exposed to cyber criminals who are constantly on the prowl for critical data.

A newly released IT security report indicates that most State agencies and institutions continue to rely on little more than antivirus software and password locks for data security despite recent sophistication and multiplicity of cyber threats.

Low levels of cyber-security also means greater exposure of private citizens’ data given the pace at which Kenya has been digitising most public services, including tax returns, driving licence, passport, bank accounts and social security information.

The report, which is the product of a joint ICT security survey by the Kenya National Bureau of Statistics and the Communications Authority of Kenya (CA), shows that 83.1 per cent of public sector institutions do not even have mechanisms to detect intruders into their networks.

This means that hackers could effectively break in and lie low for months, if not years, siphoning and shipping out sensitive data.

“Authentication software or hardware for internal users and intrusion detection system were the least employed security measures,” says the report.

No data back-up

Many State agencies do not have alternative plans of back-up in the event their data is compromised, according to the report.

Even more worrying is the fact that at least 45.9 per cent of the institutions surveyed do not regularly back up “data critical to [their] operations” while only 30.8 per cent have off-site copies of their information.

The survey also found that most of the State agencies do not have the software to authenticate the identities of people logging into their networks.  

The risk of interception for data on transit was also found to be high, with only 33.4 per cent of government institutions having secured their communications.

In government, the report says, antivirus software, used by 96.4 per cent of agencies, and computer passwords (with 91.9 per cent) are the most commonly used means of protection.

IT security experts, however, described the tools as incapable of warding off even a moderately proficient cyber-criminal. 

“This is definitely shocking. The level of sophistication and resources we’re putting in place to protect our systems are limited. The key question is why it is acceptable,” said Mr William Makatiani, the managing director of computer security firm Serianu.

READ: Identity theft dominates cyber crimes, says agency

ALSO READ: Government raises alarm on cyber crime threat

The study, however, found that the problem of weak IT security extends beyond the government.

Private sector also exposed

The KNBS and the CA, in a separate report, paints a picture of a private sector that is almost equally exposed.

While most businesses are also eager to download antivirus software, only 15 per cent have systems to detect intruders.

Most were, however, found to have effective data back-ups and redundancies that would enable them to operate in the event of an attack.

The survey found that rampant laxity on the subject of insecurity is the reason Kenya has some of the highest levels of exposure to cybercrime.

The report says up to 48.4 per cent of all government agencies report data loss due to a virus attack and that 5.1 per cent of businesses and 7.1 per cent of State institutions are hacked annually.

While it may seem a consolation that only 0.7 per cent of enterprises and 0.3 per cent of public institutions said they had been robbed of money online, previous studies have shown that organisations are notoriously cautious with these numbers, often fearing the damage such information may cause to their reputation.

Serianu estimates that last year alone Kenya lost about Sh18 billion ($175 million) to cybercrime.

In the private sector, businesses were more likely to lose money from unauthorised withdrawals from their accounts than during online transactions.

Kenyans have in the past few years witnessed some embarrassing, and sometimes very expensive, security breaches that have resulted from this laxed attitude towards IT security.

The Kenya Revenue Authority (KRA) is entangled in a court case with a 28-year-old man it accuses of having broken into its IT system and stolen nearly Sh4 billion. 

In January the Ministry of Foreign Affairs website was broken into, prompting ICT secretary Joe Mucheru to come out to try to assure the public that though passwords had been stolen and information leaked to the dark web, government data was secure.

Kenya’s largest telecoms operator, Safaricom #ticker:SCOM, reported a hack last month in an incident that saw one customer lose Sh266,000 (which he was later refunded).  

READ: Hacking Safaricom lands duo in court

ALSO READ: Co-op boss warns saccos on surge of cybercrime

The CA has also previously had its website defaced by hackers. 

Data suggests that most attacks will remain unknown. Over one third of public institutions and private sector companies don’t report cybercrime.

More than 70 per cent of the agencies surveyed didn’t even know that there exists a national body for the coordination of cybercrime response, KE-CIRT/CC.

The government spent Sh13 billion on ICT in the 2014/15 financial year, up from 9.7 billion in 2013/14.

A lack of proper Internet security in Kenya is especially worrying given the country’s increased reliance on technology in various sectors of the economy such as financial transactions and even farming.

Some 43.4 per cent of public sector institutions offer e-government services.

And while these numbers are not nearly as high as the State would wish, the most popular services, such as tax filing and business permit applications, involve the exchange of sensitive data.

The surveys were carried out last year among 4,000 businesses and 1,030 public institutions.