By Tony Olang, Head, Laser Infrastructure & Technology Solutions, LITES.
Incidences of cybercrime have become increasingly prevalent in Kenya. According to the Kenya Cyber Security Report 2016, Kenya lost Ksh17.8 billion to cybercriminals in 2016, a 14 per cent increase from Ksh15 billion the previous year. The threat level is clearly escalating. Despite the elevated level of threat, institutions are still grossly underinvesting in cyber security. The report indicates that 96 per cent of firms in Kenya spend Ksh50,000 annually or nothing at all on cyber security.
Underspending in cyber security is creating an opportunity for cybercriminals to wreak havoc, and the abundance of cases involving top government agencies, as well as key private sector players, demonstrates this.
Part of the reason why institutions are not beefing up their cyber security budgets, despite clear evidence that they need to, is that they don’t fully understand the risk of exposure to what a cybercriminal can inflict. We generally lack awareness of mitigating controls or believe that we cannot fall victim to cyber crime.
There is a general misperception that cybercriminals only target financial institutions, and that if we are not a bank, insurance company or financial services provider, we are safe. This is not true, though financial institutions are a natural target for cybercriminals because of the prospect of monetary gain. Organisations are all connected through the Internet, and with transactions taking place over telecommunication networks, any corporate organization can be a target.
Increasingly, hackers are burrowing through private and public networks to steal or gain access to sensitive information. There is an emergent underground digital economy in which data is a highly priced commodity, incentivizing theft of data.
Data theft has serious consequences, both for governments and individuals. In November last year, for instance, WikiLeaks founder, Julian Assange, published troves of data that portrayed U.S. presidential hopeful, Hillary Clinton, as a key backer of an insidious plan that successfully toppled Gaddafi’s Libya. Though the veracity of the accusations remains debatable, it nevertheless reinforced negative attitudes towards Clinton.
On a personal level, many people, including prominent Kenyans, have been victims of character assassination campaigns in which hackers gained access to their phones and posted personal and compromising photos on blogs and online forums.
These illustrations indicate that spending on cyber security needs to increase. Moreover, institutions need to understand that the cybersecurity threat landscape has evolved from the initial password guessing in the 90s to highly sophisticated malware, bots and ransomware. Ransomware is a variant of malware and is more commonly used by hackers today. Some cyber criminals have even resorted to social engineering, where they use deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Consequently, it is imperative that risk managers and top-level management take the time to understand the dynamics of cybercrime by reviewing analysts’ reports. These reports contain critical insights that can help an organization set up its defense-in-depth strategy against cyber crimes.
It has also emerged in multiple reports that the key enablers of cybercrime in Kenyan organisations are insiders who have authorized access to the IT infrastructure as well as sensitive information. Rogue elements may sometimes use this access for illegal purposes, while innocent insiders may unwittingly share sensitive information on platforms such as WhatsApp and Facebook, exposing the organization to external threats. This underscores the need for organizations to inculcate a culture of information security awareness and conduct proper background checks during employee recruitment.
Every organization also has distinct vulnerabilities and strengths when it comes to preparedness for cyber-attacks. It is therefore imperative that organizations proactively engage cyber security professionals who can conduct penetration tests to identify vulnerabilities and propose mitigating controls. A survey by the Kenya National Bureau of Statistics and the Communications Authority of Kenya (CA) shows that 83.1 per cent of public sector institutions do not even have mechanisms to detect intruders within their networks.
The government also needs to provide the legislative support to apprehend cybercriminals operating in and outside the country. This calls for cooperation and international legal frameworks between countries, as cybercrime occurs in a virtual environment beyond borders and beyond territorial law, and some hackers purposely operate out of the country to avoid apprehension and subsequent prosecution.
Institutions need to act sooner rather than later as the threat of cybercrime isn’t subsiding anytime soon. The latest Internet usage report from the Communications Authority of Kenya indicates that 74.2 per cent of Kenyans are online, underlining the level of exposure to threat. Furthermore, we have a young, well-educated population which is very tech-savvy and unemployed. Cybercrime has therefore become highly attractive, heightening the likelihood that the threat of cybercrime will escalate in coming years. The need for organizations to ramp up investments in cyber security can therefore not be overstated.
Mr. Tony Olang is the Head of Laser Infrastructure & Technology Solutions, LITES, an ICT and infrastructure subsidiary of CPF Financial Services.