A new study reveals that more than 80 per cent of Kenyans connected to the Internet are vulnerable to cyber attacks. The study, titled –The State of Cybersecurity in Kenya was carried out by cyber security consulting firm Serianu in partnership with PKF consulting and USIU Africa. The study found the vast majority of private companies and public sector organizations are also exposed to cybercrime and internal IT fraud.
Serianu Managing Director William Makatiani stipulates that the study was published in the report dubbed – Kenya Cyber Security Report 2015.
“Our study revealed that 70% of Kenyan businesses are vulnerable to cybercrime yet most of them remain ignorant of these vulnerabilities. Nearly all internet devices in the Kenyan cyber space are vulnerable to attacks, exposing more companies and individuals to the risk of malicious insiders and cyber criminals,” said Makatiani. He added that during the study, Serianu discovered that on average most medium sized organisations with over 70 employees in Kenya have at least two vulnerable computer servers and up to fifteen infected computers that were already hacked into by cybercriminals. The most vulnerable businesses and home owners are those that have installed low cost home routers, Closed Circuit Television (CCTV) systems and public email servers on their networks.
To counter this situation, Makatiani explained that Kenyans who are busy installing these internet access systems in their homes and office networks must work with cyber security experts to ensure that they are not exposed. Similarly, companies need to raise their degree of vigilance with the IT teams required to invest more time and resources in auditing their entire systems and establishing modalities to reduce breaching incidences.
Paula Musuva Kigen, an Associate Director of Cybersecurity at USIU-A’s Centre for Informatics Research and Innovation (CIRI), highlighted the need to have localized cyber intelligence research in order to have organizations appreciate and respond appropriately to the threat landscape in the region. She added that the report highlights the technology trends in areas such as cloud computing, internet of things, near field communications and points out the cyber security considerations organizations need to make.
Serianu’s study also reports that the annual cost of cybercrime to Kenyan companies is estimated to be KES 15 billion (USD146 Million).
According to Makatiani, this amount is based on Serianu’s estimates from their 2015 cyber security study. The firm reviewed publicly and privately available data from individual industries, complemented by interviews with business leaders and IT security practitioners. But it was much harder to establish the extent of financial losses by the public sector.
“Unlike many governments, Kenya has not established any mechanisms to track and calculate the losses made by public sector organizations to cybercrime,” he said. “This makes them even more susceptible to such crimes such as website defacements and ransom demands from criminals before restoration.”
The study further breaks down the losses per industry, citing the public sector as the most affected losing approximately KES 5 billion per year followed by the financial services sector at KES 4 billion and manufacturing and industrial at KES 3 billion in third place. The telecommunications, media and technology and other sectors are estimated to lose about KES 2 billion and KES 1 billion respectively.
Further, Serianu conducted a technical assessment of the Kenyan cyber space by performing a scanning exercise of Kenyan IP addresses of publicly accessible administrative interfaces and which ordinarily are procured with a default password. The firm then made a catalog of popular network appliances, at least 5,000 internet routers and CCTV cameras, accessible over the Internet. Makatiani said that most of the hacked devices were those that remained configured with their factory default settings.
Remarkably, three quarters of the IP addresses scanned during the study were found to be vulnerable to remote attacks. “Most of these devices have their administrative interfaces viewable from anywhere on the internet since their owners have failed to change the manufacturers’ default settings.
“Leaving factory default settings and administrator passwords is something that is overlooked due to poor information security training and awareness among employees and the common mwananchi” Paula pointed out. “Hackers have an easy time getting in because they have databases of default settings for these access points, networking devices and servers.”
The report warns that security breaches have become more sophisticated, with many involving attacks from staff. As a result of these emerging complications, the system down times caused by cybercrime attacks are getting longer with the average number of days to detect an attack in many organisations totaling to 120 days, more than double the days it took one year ago. The more complex ones easily take an additional 45 days to resolve.