Rising threat of cyber-attacks puts companies on the edge


As you are read this, a local organisation’s internal system is being hacked. Alarming statistics show that 30 companies suffer cyber-attack daily in Kenya. And what is even more worrying is that the devastation caused is unlikely to be detected until after 120 days.

The Kenya Cyber Security Report 2015 indicates that cybercrime is increasingly becoming a thorn in the flesh of economies as more companies embrace technology and online presence.

Companies, organisations and governments adopt technology to improve efficiency, cut costs and serve customers better.

However, it is also turning out that this move is exposing them to hackers who can mess up records and finances causing massive damage in a twinkle of an eye.

Various sectors are now coming to terms with the alarming fact that hacking is now taking a menacing proportion and causing untold havoc.

Last year, companies lost a mindboggling Sh15 billion, three times higher than the Sh5 billion that went the hackers’ way the previous year.


What compounds the threat is that the criminals are adept at covering their footprints making it extremely difficult to trace them.

The hackers ensure they have uncontested control of internal IT systems of a company.

They then stealthily log in and process transactions before wiping the evidence off the face of the earth.

As the threat of cyber-attack assumes ominous proportion, bankers and the public sector, which are apparently the prime targets in Kenya, are having sleepless nights as they craft measures to counter the menace.

Needless to say, without watertight measures, banks could pay a heavy price given the massive amount of cash and critical data they handle.

Hackers are keen on laying their hands on money and critical doucments. Others are said to strike just for morbid pleasure.

Banks are said to lose about Sh4 billion annually to cyber-attacks.

Kaspersky Lab Channel Sales Manager Bethwel Opil however noted that the amount could be much more than what is reported.

This is because companies do not want to admit their vulnerability as that could jeopardise the confidence consumers have in them.

With the dark clouds of cyber-attacks looming large over the public sector, the government has been compelled to take elaborate measures.

“Government now has a multi-stakeholder team that monitors attacks on its servers and executes immediate action against possible cyber-crime,” said ICT Authority CEO Victor Kyalo in an interview last week.


The same week, the Office of the President issued a directive to all government departments to have ICT systems centralised under the watch of ICT Authority.

“Widespread use of illegal and unauthorised software that contains malware and viruses within government network has led to blacklisting of government data traffic by local and international organisations,” said the directive signed by Chief of Staff and Head of Public Service Joseph Kinyua.

Most attacks on Kenyan sites are traced back to United States of America, China and Russia.

The Kenya Cyber Security Survey 2015 states that in almost all local organisations, at least one internal server is communicating with a computer in China. This is a disconcerting position as it points to the fact that nobody is safe.

Banks are particularly in a tight spot as it emerges that the Imperial Bank fraud was perpetrated through hacking. This has also brought to the fore the vulnerability of money transfer systems.


The rising threat of cybercrime has compelled about 10 banks to pull resources through a council of Chief Information Officers (CIO) in a bid to come up with a tight banking security system.

The council is chaired by Mr Nizar Tunda the CIO of Diamond Trust Bank (DTB) and comprises members from the financial services sector.

Companies that are in the team include Britam, Equity Bank, Commercial Bank of Africa, NIC Bank, Barclays, Kenya Commercial Bank.

“It could cost banks over Sh30 billion to construct an elaborate shared infrastructure that will deter cyber-attacks,” said Mr William Makatiani, managing director, Serianu Ltd, the firm behind the cyber security report of 2015.

Mr Tunda told Smart Company that the group would request for proposals this week at the CIO East Africa event in Naivasha on how to go about the issue.

Analysts term the move to set up the CIO council as critical and long overdue. The experts say there is a dire need to invest in systems that can detect fraud as it happens.

Research by consulting firm Deloitte states that 67 per cent of Kenyan banks lack an IT system that can detect fraud as it occurs, meaning that there is always a delay between the time the fraud is perpetrated and when it is detected.


In essence what banks have are a reactive rather than proactive measures.

For a long time, the global banking industry has suffered the most from cyber-attacks.

Even the mightiest of them such as J.P Morgan Chase & Co, the largest US bank by assets, was attacked last year.

The bank admitted that unknown attackers stole about 76 million customers’ contact information including names, email addresses, phone numbers and addresses.

J.P Morgan Chase & Co spends billions of dollars in IT and has a large team of security analysts.

Despite all these mindboggling measures, it still took the bank more than a month to detect that its system had been hacked.

Locally, Safaricom which is Kenya’s largest company by market value fired 58 of its employees this year owing to internal fraud related to hacking.

Fraud perpetrated using sophisticated technology remains a major challenge at the leading mobile phone company.

The telco had sent home more than 58 employees by March this year in relation to fraud.

NIC Bank system suffered cyberattack in August 2014, with hackers demanding to be paid Sh6.2 million in bitcoins — a virtual currency used to transact online and has at times been used by criminals to launder illicit cash.


Despite unrelenting attacks, banks like other targeted industries, are shy to reveal to the public how much they lose from cyber-attacks.

In 2014, Banking Fraud Investigations Department brought critical information of bank losses through fraud to the limelight.

The investigation reported hacking of customers’ bank accounts between April 2012 and 2013 which led to losses of Sh1.49 billion.

Deloitte states that the major causes of fraud in the banking industry are increased liquidity and weak controls.

A research by BFID pointed to the fact that banks recover less than one-third of the money stolen, exposing them to huge losses.

It is only recently that Kenya’s public sector has trumped banks in the amounts of the losses caused by cyber-attacks.

This state of affairs has come about because public services have gone digital and online.

To stem this, Mr Joseph Kinyua has ordered Cabinet and principal secretaries together with accounting officers to ensure that a new ICT framework aimed at fighting hacking is implemented forthwith.

The notice was to be effected by mid-October by state organisations and all government ministries.


Kenya has been given the onus of leading the fight against cybercrime in the region.

The country hosts the Common Market for Eastern and Southern Africa (Comesa) cyber-crime centre.

Communications Authority Director-General Francis Wangusi is the chairperson of the Association of Regulators of Information and Communications for Eastern and Southern Africa, a body that fights cyber-crime within Comesa.

The communications regulator has been holding talks with its regional counterparts on developing digital identity systems to trace attackers, especially those who are not within the regional group.

“We are working with Facebook, YouTube and Google to help us trace attackers,” Mr Wangusi (left) said.

Government’s digital crimes unit, which is already in place, is being equipped further to effectively fight cyber-crime.

Meanwhile, as regulators plan a way of tackling the cyber crime menace, the ICT industry is growing at a very fast pace.

The sector’s contribution to GDP was 8.4 per cent in 2014 up from 6.8 per cent in 2013.

Mr Makatiani nonetheless told Smart Company that Kenya, despite having a cyber-security master plan, has failed to implement specific safeguards.

“There needs to be serious action, we need to be far much ahead of the Internet revolution, as more people embrace the Internet, we become more vulnerable,” said Mr Makatiani.

Mr Wangusi also said that government plans to start registering phone numbers and ID numbers of public Wi-Fi users so that any hacker can be traced in case of a crime.

Uganda, Kenya, Rwanda and South Sudan have to register all mobile phone users and harmonise cross-border legal frameworks in a bid to stop hacking.