Cyber threats in Kenya decline after months of record attacks

The number of cybersecurity threats reported in Kenya has decreased to its lowest level this year after a sustained spike in malware, web, and mobile application attacks since January.

Communication Authority (CA) data shows that 842,320,667 malicious activity cases were reported between July and September, an 81.6 percent decrease from the staggering 4,586,682,277 cases reported between April and June.

The three months to March saw 2,537,428,868 cyber threats, a 201.7 percent spike from 840,921,998 threats recorded in the three months to December 2024.

CA has attributed the sudden decrease to regular updates of ICT systems and critical information infrastructure across private and public institutions in the education, banking, and telecommunications sectors.

The regulator said multifactor authentication (requiring two or more verification types to confirm a user's identity for account access) also helped tame attacks by cybercriminals.

“This was attributed to regular updates of systems, implementation of organisational access controls, hardening the anti-virus and firewalls, patching vulnerable systems regularly, and utilising multifactor authentication and strong passwords,” CA said in its Sector Statistics Report for the first quarter of the 2025-2026 financial year.

An official at the authority told the Business Daily they have been sending advisories to organisations to strengthen their information system security features and firewalls in the wake of the previous quarter’s alarming spike.
 
But despite the overall decrease in cyber threats, system vulnerabilities remain the major weaknesses that cyber attackers are exploiting countrywide. These include weaknesses in hardware, software, or processes such as unpatched software, weak passwords, poorly protected wireless access, and missing authentication.

At 776,542,757 cases, they accounted for 92 percent of all recorded incidents in the three months to September. In the previous quarter, such weaknesses made up over 97 percent of all threats, similar to the period between January and March.

Prominent threats

Other prominent cyber threats in the three months to September involved malware (31,676,444), where attackers use malicious software to infiltrate devices or gain unauthorised access, and brute-force attacks (18,811,738), which use trial and error to crack passwords and login credentials.

A major driver of the improvement is the widespread integration of multi-factor authentication, which has become a standard requirement in the deployment of IT systems, says Stanley Githinji, a professor of information security at USIU-Africa.

Previously, many systems were deployed with weak or incomplete security controls, treating safeguards “as an afterthought.” 

“It left systems exposed both at the design and implementation stages. The integration of multiple-factor authentication has increasingly become a major requirement… and it is coming in handy,” Dr Githinji said in an interview.

CA has previously flagged inadequate software updates (system patching) and limited user awareness of phishing and other social engineering techniques as among the main drivers of the sharp increase in cybersecurity incidents.

“The persistence of such vulnerabilities is largely attributed to the rapid proliferation of Internet of Things (IoT) devices, many of which lack comprehensive security protocols,” the regulator said in June.

The authority also noted a growing adoption of AI-driven attacks and machine learning technologies by malicious actors.

One of Kenya’s biggest cyber incidents this year was the January data leak at the Business Registration Services (BRS), which exposed sensitive information of over two million companies registered between 1967 and 2024.
 
The agency did not publicly disclose the cause, but the Business Daily learned that the breach stemmed from a bug in its IT systems. Moldovan firm B2bhint accessed and published the data.

Dr Githinji warns that advances in quantum computing -- the use of quantum mechanics to process information faster than regular computers -- and AI are making cyberattacks easier to execute.

Firms should treat vulnerability assessments and penetration testing as continuous exercises rather than one-off projects, he says. “To prepare for emerging risks, organisations must pay attention to stronger data encryption.”
