Kenyan enterprises are losing millions of shillings to cyber attacks as hackers set their sights on small businesses with little or no defences on their digital systems.
Industry statistics and reports from analysts indicate that small and medium-sized enterprises (SMEs) in the country today are most vulnerable to emerging forms of cyber-crime.
Analysts note that cyber attacks have risen on SMEs who have increased their presence online in a bid to grow but now face a seemingly insurmountable challenge from hackers.
This is a departure from previous trends where cyber criminals made large multinationals, banks and Saccos the primary targets for their hacking exploits.
Dr Bright Mawudor, the head of managed security services at Dimension Data, noted that the drive by businesses across all sectors to have a digital presence has exposed many to costly cyber attacks.
“SMEs have tighter IT budget constraints, coupled with limited capacity to invest and maintain an in-house cybersecurity expert,” he explained.
“Constantly being taxed to do more with less and digital security being an afterthought, these firms end up compromising on security controls making them a prime target.”
According to the Communication Authority (CA), the number of cyber threats detected in the country stood at 38.8 million between April and June this year. This marked a 38 per cent increase compared to the previous quarter, with increased adoption of ICTs blamed for the spike.
Working remotely
The surge in the cybercrimes has also been on account of more people working remotely following the outbreak of Covid-19 last year and subsequent social distancing guidelines issued. Many of the locations that Kenyans have been working from including homes have weak defences from hackers.
“This increase in cyber threat events detected is attributed to the significant increase in targeted attacks at Internet of Things devices, increased activity by organised cybercrime groups and adoption of more sophisticated tools by ransom-ware gangs,” stated the CA in its report.
Firms that allowed employees to use own devices such as laptops for remote working also ended up increasing their exposure to hackers.
According to the regulator, other forms of attacks that recorded an increase included targeted attacks at critical systems and services, mobile applications and cloud-based services.
“During the same period, the National Kenya Computer Incident Response Team/Coordination Centre received 529 digital investigation requests as compared to 298 requests received during the previous period, a 77.51 percent increase,” explains the CA.
“This increase is attributed to the rise in impersonation, online fraud and online abuse cases arising from increased Internet access.”
Dimension Data’s Mawudor says instances of ransomware and internal threats have risen in the recent months with criminals increasingly deploying sophisticated tools to evade detection.
“From our research, we have seen there is usually collusion between external adversaries and internal staff,” he explains.
“With people working from home, lack of complete oversight has created blind spots for many SMEs. These blind spots are only discovered too late.”
Henry Bett, a senior cyber security solution architect at Dimension Data, said many firms have adopted digital products from third parties such as cloud-based solutions and payment systems in a bid to accelerate their digitisation.
However, this has also opened up another front for attacks especially in instances where third party vendors are still allowed access to the systems even after their contracts have ended.
“There are cases where third parties come and deploy solutions inside SMEs and they still have passwords and log in details even after they’ve completed the project,” explained Bett.
“A lot of Kenyans have also been falling for social engineering scams such as phone calls and WhatsApp messages where hackers try to extract login or PIN details by tricking the user to follow certain prompts,” he explained.
Social media platforms have also emerged as another avenue to trick users to reveal their digital credentials through phishing attacks.
In phishing attacks, hackers create a page that looks very similar with the actual social media platform and users are asked to re-enter their details. Phishing attacks target large organisations with some losing their social media pages to hackers.
“The attacks seem to come from outside but they are actually coming from within,” explains Mawudor. “Hackers are using servers they have bought outside the country to make it seem like it came from other countries.”
Dimension Data has one of the handful of cyber threat detection centres in the country where attacks happening in Kenya are detected and monitored in real time.
According to the firm, many SMEs are not equipped with the technical tools and systems necessary to fend off automated tools used by hackers.
In addition, many firms are yet to comply with the requirements of the Data protection Act 2020, one year after the regulations became law.
“We have seen a lot of people still struggling to understand what the Act is about,” explains Mawudor.
“The Act recommends moving from compliance-based security where you are just checking boxes, to risk-based, where your security solutions are informed by the threat profile.”
The Data Protection Act further requires ICT practitioners to alert the Data Commissioner in instances where their systems have been breached and users’ personal data compromised.
In its cyber security report, Serianu noted that following Covid-19 and in turn increase in the number of people working remotely and the attendant rise, there was “the increase in cybersecurity attacks as criminals stepped up their foray into weak and exposed networks”.
“We witnessed a sharp increase in malware distribution, business email compromises, the spread of fake news and mobile money network fraud,” said Serianu.
The firm adds that every time a company opens up its system to remote access, there is an inherent risk of compromise and should up their level of cyber security.