Kenya has been hit hard by cyber crime attacks in recent times; regionally, the country is ranked top, putting financial institutions at high risk. With cyber crime being a new phenomenon and companies still adapting to new technological changes, massive security loopholes have given sophisticated internet criminals the opening to phish, leading to severe losses. The worst part is that the judicial system in the country is yet to adapt to the new changes entirely, and a lack of comprehensive investigations has seen less than 3% of cyber crimes prosecuted. In short, they're easily getting away with it.
Recently, a major crackdown, whether real or staged, was mounted, and a ring of these criminals involved in the desktop robbery was arrested over hacking KRA and making away with Sh4B; the case is still ongoing. This isn't an isolated incident. According to Serianu's Cybersecurity Report 2016, African countries lost at least $2 billion to cyber attacks in 2016, with Kenya leading in East Africa, losing $175M.
Because this is a global problem like terrorism, the international community is jumping in to help contain the situation. Sources intimate with Cyber Crimes told Kenya Insights of a recent visit to the country by FBI Deputy Director Andrew G. McCabe, who was following up and affirming US government support on the crisis by offering technical training and facilitation to Kenya's cyber crime unit on dealing with the mess.
In recent years, the technology landscape in Kenya has seen tremendous growth. From strategic options to the creation of new opportunities for innovation in products and services, technology is now incorporated in many if not all aspects of business. Mobile and Internet usage has also seen a continued increase, especially within the local SMEs.
However, as more businesses digitize their business processes and move to the internet, the potential attack vectors for these organizations expand. The past year was a particularly tough period for local agencies on cyber security. The number of threats and data breaches increased with clear evidence that homegrown cyber criminals are becoming more skilled and targeted.
The estimated cost of cyber-crime in Kenya has soared to $175 million. This cost continues to rise as many organizations automate their processes. This is particularly the case for banking and other financial services sectors where the introduction of mobile and e-services has introduced new weaknesses that have allowed the loss of money through these channels.
Mobile money in Kenya has experienced numerous attacks through social engineering, use of malware and account impersonation. Because mobile money is one of the alternative channels for most banks, hackers are now exploiting the weak security controls around the mobile money platform to steal millions.
Malware targeting critical mobile and internet banking infrastructure is on the rise. The results of Serianu's internal traffic analysis revealed numerous forms of malware on internal systems, including Trojans such as Dridex and Zeus. Attackers are using this malware to compromise the network and access sensitive information on it. Unfortunately, statistics remain vague as organizations are reluctant to reveal the extent to which they have been targeted by attackers.
The insider threat is still the largest contributor to direct losses in cybercrime in Kenya. Insider threats refer to fraud involving information or employee abuse of IT systems and information. In the case of KRA, it is suspected that an employee on the inside granted the gang access to the system for manipulation.
E-commerce platforms are being hit with more online scams, ATM card skimming and identity theft as integrations with electronic payments and financial institutions increase. At the same time, electronic banking and cashless initiatives have been introduced into the country. This has resulted in unintended consequences ranging from online scams to ATM card skimming and identity theft.
Increase in IoT threats: due to their insecure implementation and configuration, Internet-connected embedded devices, including CCTVs and nanny cams, smart TVs, DVRs, smart routers and printers, are routinely hacked and used as weapons in cyber-attacks.
Technical training of employees is insufficient. The increase in the number of homegrown cyber criminals in Kenya is not because attackers are more talented; it's because they are more creative, patient and single-minded, and they explore limitless pathways. Kenyan organizations are not leveraging their own creative, curious analysts. Technical teams are not empowered with tools.
Low levels of security awareness. Most organizations don't budget for advocacy and training programs for their staff. This has been proven by the numerous breaches attributed to compromised employees in the period under review alone. Most training is conducted after a security incident has occurred as opposed to prior.
Security professionals are struggling to demonstrate business value to senior management because they are providing very technical operational metrics, whereas business managers are looking for more business-oriented metrics.
Lack of practical regulatory guidance from industry regulators and government leads to poorly implemented and unenforceable security controls, since the regulations are not locally focused and are instead copied and pasted.
Only 3% of reported cyber-crimes are successfully prosecuted. Inadequate training and awareness amongst the law enforcement and judiciary fraternity make prosecution of these cases impossible.
According to the Kenya Cyber Security Report, the challenges faced by the country, and in essence by African countries, present significant business opportunities for entrepreneurs, researchers and vendors. To stay ahead of the threat curve, there's a need to continually invest in research, build local cyber threat management infrastructure and enhance our ability to anticipate, detect, respond to and contain information security threats. In the current state, we are unable to build these capabilities.
Kenyan entrepreneurs need to step up and work together to develop and provide information security services that address these challenges. Kenyan entrepreneurs and researchers should leverage their local presence and understanding of the environment to provide a clear indication of the security problems on the ground. This local presence, combined with partnerships with global players, will provide globally tested solutions and approaches to address identity security loopholes.