Despite the formation of the Communications Authority of Kenya's National Computer Incident Response Team/Coordination Centre (KE_CIRT/CC) in 2012, and the development of a national cyber security strategy in 2014, Kenya continues to lose an estimated Shs 2 billion (US$ 19 million) yearly to cybercrime, a report by Control Risks shows.
East African governments have been identified as the top targets for cyber-attacks in the region at 33 percent, while 22 percent of attacks target telecoms companies, and 17 percent of attacks are directed towards financial service providers.
“Contrary to the perception that cyber breaches are a problem unique to large multinational companies based in developed markets, East African organizations are fast becoming a target for attacks, with local subsidiaries particularly attractive because they could be used to break into these multinationals,” Patrick Matu, a Compliance, Forensics and Cyber expert with Control Risks East Africa, said.
According to Matu, the lack of obligation in many emerging markets to report on incidents is creating a false impression that businesses operating in these markets are not subject to cyber-attacks. In fact, many organisations with bases in these emerging markets are prime targets and seen as the 'weak underbelly' when it comes to an organisation’s cyber security.
Control Risks' cyber threat intelligence team also highlights that the attacks are growing in speed and severity. Globally, there has been a 42 percent increase in the number of targeted attacks reported between 2015 and the first half of 2016, and the most commonly used tactics are Advanced Persistent Threat attacks and Criminal Targeting.
The implementation of the National Cyber Security Strategy formulated in 2014 needs to be treated as a matter of urgency, especially considering the potential for data breaches that these attacks present. To deal with this threat, the public and private sectors should aggressively adopt policies and translate them from paper to practice in all their modes of business.
Cyber security is often seen as an IT problem and not a business problem, meaning that businesses are not treating information security as a matter of priority. It is important for cyber security to be demystified at every senior level rather than being perceived as an elusive dark art.
As the cyber world continues to evolve, businesses should continuously review their business practices and fully incorporate IT into their systems.