Kenyan firms pay heavy price for data safety lapses

The Kenya Commercial Bank call centre. Lax data security saw the first printing of the then draft constitution derailed by unauthorised changes to the text. Photo/FILE
The Kenya Commercial Bank call centre. Lax data security saw the first printing of the then draft constitution derailed by unauthorised changes to the text. Photo/FILE 

Data has become an invaluable asset in every sector.

Yet even as the world’s businesses become interconnected by the same business language, developing nations face an extra cost burden through their almost complete negligence of information security, according to a 2005 Information Economy Report from UNCTAD.

In a clarion call, a full five years ago, to take the value of information more seriously, the report urged criminalising of cyber attacks and the introduction of risk-management policies, as well as constant monitoring of ICT security regulations and the training of skilled staff to run effective security programmes.

The calls have had virtually no impact in Kenya, despite the country’s galloping growth in intellectual property and information held within businesses — from client information, including card numbers and contacts, to sensitive company information such as log in details, mailing lists and security codes.

Not one company or public sector organisation in the country has yet implemented the globe’s international standards — ISO/IEC 17799:2005 and ISO/IEC 27001 — dealing specifically with information security.


Yet in some countries it is a compulsory requirement for any organisation holding data.

The absence of any data standards is a gap so costly to the nation that ACAL, the leading supplier of performance contract and ISO consulting to Kenya’s public sector, last month began a campaign to get companies to appreciate the huge costs of leaving their information unsecured.

The consultancy is this week flying in a British Standards Institute and Iade Training group trainer to provide a one-day briefing for all-comers on the ISO, and will in September by bringing in further international trainers to supply the first implementers course in ISO in Kenya.

The first trainer, Robert Cooke, has been a consultant in management system and information security for 27 years and is a lead auditor in the UK in the Information Security Management Systems ISO.

As well as targeting senior IT and systems managers, information security experts and the auditors who will introduce ISO 27001:2005 with the awareness training, ACAL last week launched a self-evaluation tool on its website for companies to assess their individual needs to implement information security.

The scale of the agency’s drive to raise awareness reflects the scale of the need, says John Njiri, an ICT consultant with ACAL.

“Many Kenyan businesses are yet to fully appreciate information as a critical business asset,” he said.

Yet “the biggest threat to information security lies with staff.”

The way that employees handle and store data is crucial in guaranteeing information security, with information that is lost through a stolen lap top, a misplaced flash disc, or carelessly placed paper files or folders capable of having a ripple effect.

This happened in 2005 to a Japanese bank, Aomori-based Michinoku Bank, which received a warning from the Financial Services Agency after the bank lost CD-ROMs containing personal information about the bank’s customers.

The warning was the first action under the new Personal Information Protection Act, Japan’s privacy law, and it is now compulsory in Japan for all businesses to be ISO-certified in Information Security Management.

In Kenya, lax data security saw the first printing of the then draft constitution derailed by unauthorised changes to the text.

Likewise, the country has seen exam results compromised, and the Central Bank of Kenya has reported an exponential growth in data-related banking frauds.

These lapses, and many more like them, have now sparked moves within government to draft Kenya’s own data protection legislation, which is now being penned.

Importance assigned

But “it isn’t just e-data that’s valuable,’ says ACAL director Harry Mathenge.

“How often have you walked into a meeting room and the whiteboard is covered with details of the company’s client list, or revenue projections, fee structures, strategy or latest new product — as if visitors can’t read and understand what they’ve just been given?”

The ISMS ISO requires companies to look at every place it holds information, from the papers loose on the managing director’s desk, to the files in the lock-up, and on its own servers: each type of information is grouped and its importance assigned — and then different controls are applied from the standard.

In some cases, individual members of staff are coded on what data they can access, or some information can only be accessed by two people authorising the access together.

Likewise, the ISO lays out procedures for segregating duties, rather than having many people able to do everything.

However, each procedure is applied according to circumstance, with different needs across industries, and different economies.

In one country, holding information on a rented server may be deemed safe.

In another, with no controls to stop the buying and selling of a customer’s information, a rented server may be an open gateway.

Similarly, the ISO section dealing with terrorism threats may not apply to a provincial company manufacturing toothbrushes.

But the ISO dies require schedules and programmes for all ICT systems to protect them from viral attacks, and unauthorised access.

Moreover, as information moves along communication chains of multiple senders, channels and recipients, data integrity can be compromised at different stages, especially at unappreciated points of vulnerability.

These points of vulnerability can also exist within a company’s own ICT infrastructure.

“Even an unsecured wireless network is a major security risk,” says one security expert. “Companies have visitors, who they just allow to plug into their local area networks. But those visitors walk away with that connection on their laptops, which can get them back in from even hundreds of metres away, at any time.”

The new information-secured system is then maintained by staff trained to ISO standards.

It’s a process, says Mr Njiri, that has its biggest impact on internal processes, and also helps cut down on operational costs, as well as inspiring more confidence from customers.

Compromised information, he concludes, stifles creativity, stalls innovation and regularly results in heavy loses to both individual and corporation.

Yet, it is entirely unnecessary.

African Laughter