Cybercrime in Kenya
Cybercrime incidents in Kenya are among the highest in Africa, and thanks to widespread use of the internet, cyberattacks are increasing in frequency and scale and threaten all areas of economic activity. Data in my possession shows industries and businesses are at higher risk than individuals. Just as in developed countries, Kenyan businesses of all sizes, from multinationals to mid-sized industrial sectors and small-scale sole proprietor entities, rely extensively on information technology in their production and operations. As a result, they are very vulnerable to cyberattacks. Given such a situation, the damage and losses to these companies and multinationals operating in Kenya are potentially immense. According to a recent study by a cybersecurity think tank, Kenyan enterprises and institutions have a 52% chance of encountering Advanced Persistent Threats. This level of risk is just above South Africa’s average of 58%, which is the highest in Africa, and more than twice the global average of 21%.
When it comes to cyberattack risks, attention must be paid to small and medium-sized enterprises (SMEs) in Kenya. This is because SMEs are a large and important component of Kenya’s economy. In a 2015 survey, more than half of SMEs in Kenya had incorporated IT into their production processes. But unlike the larger corporations, which have installed programs and systems to protect themselves, the majority of SMEs are still unaware of the high risks of cyberattacks. Available statistics on SMEs underline their significance to the country’s manufacturing sector and to the future of Kenya’s digital economy. All efforts must therefore be made to protect the sector from cyberattacks.
Another survey shows that SMEs’ anxiety and concern about cybercrime has doubled from 5% in 2014 to 14% in 2015. The survey, carried out by a British firm, revealed that SMEs’ greatest fear is loss of customer data and damage to their reputation. In terms of potential threats arising from cybercrime, Kenyan SMEs rate theft of customer data as the most critical risk, accounting for 32% of respondents, while damage to reputation as a result of a cyberattack ranked second with 19%. Shockingly, many of those surveyed still believe they are too small to be at risk. In the SME category, Kenya ranked third among the nations most worried about cyberattacks in Africa. Sadly, most still lack awareness of information security, and this often leads to haphazard management of their information and digital assets. Many Kenyan SMEs also outsource their data and information to third parties to aggregate, store and process. Such sensitive data is not only about customers and their profiles but also includes information about business structure, financial health, strategy, and exposure to risk. These SMEs eventually become dependent on third-party companies to handle IT security risks. For businesses, managing information is often seen as costly. Most do not appreciate the benefits of proper and secure information management and how it can help generate further revenue for their companies.
Consequently, a sizeable number of Kenyan SMEs delay setting aside investment to build and maintain proper and effective information security systems. This problem is compounded by a lack of in-house cyber security expertise. This attitude needs to be corrected. Small and midsize organisations simply cannot afford to disregard security. In the digital economy, information such as intellectual property and other digital information owned by SMEs must be protected in order to preserve the confidentiality, integrity and availability of information. Kenya’s cyber security agencies need to establish systematic risk management, improve operational effectiveness and, more so, competitive advantage. Their main principle should be to design, implement, and pursue a coherent set of policies, processes and systems to manage risks that could threaten Kenya’s information assets. At the same time, the level of risk to the information security of small businesses must be kept at a minimal and acceptable level. International standards that I am familiar with require businesses to put in place a system that ensures all information under its control remains confidential, its integrity is preserved, and the information is readily available when needed. Information as an asset must be protected from potential damage through malware. Apart from that, protection must be in place to prevent internal and external attackers from stealing business information. In the face of increasing cyber attack threats that are now on an unprecedented scale, the Kenyan business community must urgently address the challenge. To me, the key thing is that they need to change their mind-set in order to function securely in an IT landscape of escalating risks and dangers.