Spectre of hacking looms large over firms

Alex Mutungi Mutuku when he appeared in a Nairobi court  recently over a conspiracy to steal Sh3.9 billion from  the Kenya Revenue Authority through hacking. FILE PHOTO | NMG
Alex Mutungi Mutuku when he appeared in a Nairobi court recently over a conspiracy to steal Sh3.9 billion from the Kenya Revenue Authority through hacking. FILE PHOTO | NMG 

Alex Mutungi Mutuku rose to notoriety overnight after allegedly hacking into the Kenya Revenue Authority’s system, leading to the loss of an estimated Sh4 billion.

Barely a fortnight later, Robert Nsale, a Ugandan, and Morgan Kamande were arrested when Safaricom reported unauthorised access to its network.

The duo was accused of hacking into the network and stealing Sh266,000 belonging to a mobile phone subscriber through an illegal SIM swap.

The company investigated 27 cases of fraud in the 2016 financial year, two of which ended up in court.

There has however been a noticeable shift in the line of hacking with more financial related crimes being intercepted and reported.


The internet and data segment in Kenya has been growing with an estimated 39.6 million internet users recorded. This increased technological access has been a double-edged sword in Kenya as incidents of cybercrime have been on the rise.

Internet security firm Serianu estimates that Kenyan businesses had lost about Sh18.1 bilion ($175 million) to cybercrime last year. Audit firm Deloitte recently predicted that losses to cybercrime would peak this year.

According to internet security firm Kaspersky, the costs associated with cyberattacks on the financial sector are rising as organisations face increasingly sophisticated threats. New research by Kaspersky Lab and B2B International reveals the scale and impact of attacks, with financial firms facing $926,000 (Sh95.4 million) losses on average for each cybersecurity incident they face.

“Insufficient internal expertise, top management directives and business expansion are also among the top reasons for a budget increase. In general, investing more in security appears to be inevitable to a clear majority of financial firms as 83 per cent of them expect an increase in their IT security budgets,” said the statement by Kaspersky.

The Safaricom hack was discovered during a routine check on its platforms, a requirement of ISO 27001 Information Security Management System certification that confirms adherence and implementation of appropriate processes and controls relating to mobile data, mobile money services, cloud services, billing and customer support services.

The investment on cybersecurity for most firms, especially those handling sensitive data as well as financial institutions, is high and can run to millions of shillings to implement.

“Given the substantial monetary losses from cyberattacks, it is not surprising that financial organisations are looking to increase spending on security. We believe successful security strategies for financial organisations lie in a more balanced approach to allocating resources — not just spending on compliance — but also investing more in protection from advanced targeted attacks.” Said Veniamin Levtsov, Vice President, Enterprise Business at Kaspersky Lab.

Even with these measures by the organisations, Kenya still lags behind due to the lack of an actual law governing how cybercrime cases should be handled. The Cyber Security and Protection Bill is still in parliament waiting to be passed. The delay means that there is a lapse in the security structure in Kenya when it comes to the internet.

“Some of the problems in security are global. The (cybersecurity) bill needs to be put through to create some structure,” said Terry Greer-King Cisco, director for security in UK, Ireland and Africa, in an interview with Digital Business.

According to Greer-King organisations are taking security seriously but security has moved beyond just solutions to risk management.

The Kaspersky survey shows that financial firms seek to address security challenges by getting more threat intelligence and conducting security audits, with 73 per cent considering this measure effective. However, organisations from the financial sector are less inclined to use third-party security services with only 53 per cent of those surveyed perceiving it as an effective approach. Further, compliance is the main driver for increasing investment in IT security in banks and financial institutions. However, the study found that 63 per cent of organisations globally believe that being compliant is not enough security.

Another significant reason for spending more on security is growing infrastructure complexity. For example, an average financial firm adopts virtual desktop infrastructure (VDI) and manages approximately 10,000 end-user devices, a half of them being mobile smartphones and tablets.