Businesses can no longer ignore cyber security

Radio Africa's The Star online website when it was defaced by unknown cybercriminals suspected to be terrorists. /FILE

To fully appreciate why cybercrime merits a robust and well-coordinated security and policy response from key stakeholders, one has to look no further than the billions cyber criminals siphon each year from the Kenyan economy.

By conservative estimates, Kenyan companies lose Sh15 billion annually to cybercrime, but this figure could be significantly higher, considering most victims are not even aware that they are vulnerable. A recent report – State of Cybersecurity in Kenya – indicates that 70 per cent of Kenyan businesses are vulnerable to cybercrime, yet most of them are unaware of it.

The government has been ranked as the most vulnerable to cyber criminals, according to the report. The banking sector comes in at a close second, while financial services and mobile are ranked third in vulnerability, as these innovations are now seen as new payment channels and online services that facilitate easier access to money.

The prospect of more than Sh15 billion being skimmed off each year through shadowy digital networks is profoundly terrifying, especially in an economic environment where private companies and the public sector are forever grappling with acute budget constraints.

Part of the reason for the growing prevalence of cybercrime in Kenya is the country’s increasing digitisation.

The cyber security policies instituted in most Kenyan companies don’t reflect the magnitude, complexity and full range of risks they face. This hit-and-miss approach can be very costly.

For instance, many organisations have overwhelmingly embraced the Bring-Your-Own-Device (BYOD) trend without factoring in the risks. BYOD is simply the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and to use those devices to access privileged company information and applications.

BYOD can help save costs and even act as an incentive to younger employees. On the flip side, however, BYOD can severely compromise cyber security. Staff can access proprietary company information on their personal phones, including passwords, and share it with third parties either intentionally or unknowingly.

It is actually no surprise that employees (insider threats) account for 80 per cent of data-related fraud in Kenyan companies.

Companies, therefore, need to be aware of the loopholes of BYOD. Specialist risk managers can help seal these loopholes as well as other more complex ones.

No company is too big to be hacked. Leading US bank J.P. Morgan, whose $235 billion market value is more than 10 times the $20 billion combined market value of all listed firms on the Nairobi Securities Exchange, was not spared.

J.P. Morgan suffered a high-profile hack in August 2014, just two months after it had committed a mind-boggling $250 million to cyber security. Kenyan companies need to start making significant budgetary allocations to cyber security. More significantly, they need to understand that you cannot secure your business against cyber criminals through sporadic one-off spending.

Atul Shah is PKF Kenya CEO
