2025 in review: Kenya’s cybersecurity journey from threats to strategy
Government and private sector race to defend a rapidly digitising economy.
by Allan Kisia
Audio By Vocalize
Organisations across Kenya were hit by relentless cyber threats
Kenya entered 2025 with a digital economy expanding faster
than its ability to quickly defend it.
By the end of the year, the country had experienced one of
the most turbulent cybersecurity periods in its history—marked by overwhelming
volumes of cyber threats, a rapid evolution of attack techniques, significant
disruptions to essential services, and a race by the government and private
sector to build the resilience required for an increasingly interconnected
nation.
The lessons learned in 2025 now form the backbone of Kenya’s
cybersecurity posture heading into 2026 and beyond, shaping legislation,
national strategy, institutional reforms, and international cooperation.
The first and most notable development was the government’s
admission, through repeated public briefings, that the scale of cyber threats
facing Kenya had reached unprecedented levels.
Data from the Communications Authority of Kenya (CA)
revealed that between July and September alone, the National KE-CIRT/CC
detected more than 842 million cyber threat events, a sharp rise that
underscored the increasing sophistication of threat actors and the
vulnerabilities that continue to plague Kenya’s digital infrastructure.
While Kenya had previously faced waves of cyber
incidents—including politically motivated attacks, online fraud, and ransomware
campaigns—2025 set a new benchmark, forcing policymakers to rethink both the
technical and legal frameworks underpinning national cybersecurity.
A major lesson emerged early; cyber threats were no longer
abstract risks affecting only large institutions. They had become a national
security concern touching every sector—government, financial services,
telecommunications, academia, health, transport, and emerging digital
businesses.
According to CA Director-General David Mugonyi,
organisations across Kenya were hit by “relentless cyber threats from
ransomware, Distributed Denial-of-Service (DDoS) attacks and social
engineering,” with malicious actors increasingly relying on advanced phishing
campaigns and artificial intelligence to scale their operations.
Deepfake-enabled scams, once considered experimental,
quickly became common tools for financial fraud, disinformation, and corporate
espionage.
The Kenyan experience in 2025 demonstrated that cybercrime
was not merely diversifying; it was industrialising.
The rise of cybercrime-as-a-service (CaaS) made it possible
for low-skilled actors to purchase sophisticated attack kits on the dark web.
Meanwhile, state-sponsored advanced persistent threats
(APTs) expanded their focus on Africa as geopolitical tensions intensified
globally.
These realities underscored Kenya’s second major lesson: its
cybersecurity defences had to evolve faster than its attackers.
To address this gap, Kenya embarked on a far-reaching
legislative and institutional transformation.
In early 2025, Parliament passed the Computer Misuse and
Cybercrimes (Amendment) Act, strengthening the legal framework for prosecuting
cyber offences and tightening provisions around data protection, digital
forensics, and cross-border information sharing.
Public prosecutors and investigators were given clearer
tools to pursue cybercriminals, many of whom operate across jurisdictions.
Another turning point was Kenya’s decision to ratify the
Budapest Convention on Cybercrime, becoming one of the few African countries to
align with the world’s leading framework on cross-border cooperation in digital
investigations.
This was a clear admission that cyber threats had become
transnational and that Kenya could no longer fight them alone.
Ratification was accompanied by reforms in digital evidence
handling, expanded training for investigators, and a commitment to collaborate
more closely with Interpol, Europol, and international CERT networks.
However, perhaps the most transformative institutional
development in 2025 was the operationalisation of the National Cybersecurity
Operations Centre, a new national nerve centre tasked with providing 24-hour
surveillance, coordinated incident response, and real-time analysis of threats
targeting the country.
The Centre expanded the capacity of the National KE-CIRT/CC,
which has existed since 2014 but had increasingly been stretched by the surge
in threats.
The new operations centre introduced advanced
threat-intelligence tooling, wider stakeholder integration, and improved
information sharing mechanisms with the private sector.
Despite this improved infrastructure, the data revealed by
KE-CIRT/CC in 2025 painted a sobering picture.
Malware attacks against critical infrastructure rose
sharply, with over 31 million attempts detected between July and September
alone. Attackers targeted systems with outdated software, unpatched
vulnerabilities, and weak authentication protocols—exposing weaknesses in
Kenya’s digital hygiene.
Internet Service Providers (ISPs), cloud service providers,
and government institutions bore the brunt of these waves, as attackers sought
persistent access, data exfiltration, or operational disruption.
Web application attacks, often exploiting weaknesses in
SSL/TLS configurations, targeted government portals and service platforms,
aiming to compromise login credentials or intercept sensitive data.
While the number of such attacks—over 10 million in three
months—showed a slight decline from earlier in the year, the persistence of
these vectors highlighted the failure of many institutions to update legacy
systems or invest adequately in secure infrastructure.
Mobile application attacks, though fewer in number, revealed
another important lesson: the explosive growth of Internet of Things (IoT)
devices and connected household gadgets represented a new frontier for
cybercrime.
Many IoT products used in Kenyan homes and businesses lacked
basic security protocols, creating millions of entry points for cyber
intrusions. As Mugonyi noted, the rapid proliferation of such devices meant
that cybersecurity could no longer be limited to traditional IT
infrastructure—security now had to extend to smart TVs, surveillance cameras,
automated gates, and office appliances.
The 2025 threat landscape also exposed human
vulnerabilities. CA’s advisories highlighted widespread reliance on default
credentials, inadequate cyber-risk awareness, and insufficient deployment of
multi-factor authentication (MFA).
As a result, the Authority issued more than 19 million
advisories between July and September alone, emphasising patch management,
strong password policies, network firewall configuration, and endpoint
protection.
The fact that so many advisories were necessary illustrated
a core lesson: Kenya’s cybersecurity problem was as much behavioural as it was
technological.
Communications Authority of Kenya (CA) headquarters, Nairobi/FILE
Another major learning curve came through the expansion of
cybersecurity capacity-building programmes, especially the high-profile Cyber
Threat Intelligence (CTI) training hosted in August 2025 in partnership with
the UK’s Foreign, Commonwealth & Development Office (FCDO) and facilitated
by KPMG UK.
This programme trained 87 participants from 25
organisations, focusing on threat analysis, crisis communication, incident
simulations, and benchmarking Kenya’s threat posture against global best
practices.
The training highlighted the reality that modern cyber
defence requires not only technology but also skilled personnel capable of
understanding attacker techniques, anticipating threats, and coordinating
multi-agency responses.
The discussions held during this programme revealed another
key takeaway from 2025: the threat landscape was evolving too fast for
individual institutions to operate in silos.
Effective defence required a “whole-of-nation” approach that
connected government agencies, regulators, private companies, academia, and
international partners. The National KE-CIRT/CC Cybersecurity Committee (NKCC),
composed of more than 50 organisations, played a central role in strengthening
trust networks and improving information sharing.
Quarterly meetings facilitated the exchange of sector-specific
threat intelligence and helped harmonise response strategies across Kenya’s
critical information infrastructure ecosystem.
The year also saw increased public engagement and awareness
efforts. In September 2025, KE-CIRT/CC participated in the inaugural UoN Data
Privacy and Cybersecurity Awareness Webinar, alongside the Office of the Data
Protection Commissioner (ODPC) and county government representatives.
These sessions served as reminders that cybersecurity
maturity in Kenya could not advance without empowering citizens, students, and
small businesses with the knowledge to identify, report, and prevent cyber
incidents. Through these engagements, Kenya learned that cybersecurity was no
longer a specialist domain—it had become a civic responsibility.
The rise in attacks in 2025 also illuminated the economic
implications of weak cyber defences. Financial sector institutions reported
escalating losses from digital fraud, leading to increased scrutiny from
regulators and pressure to invest in stronger security systems.
E-government platforms experienced attempted outages that
threatened service delivery, illustrating how cyber disruptions could easily
escalate into governance challenges.
Supply chain attacks targeting vendors and third-party providers
raised alarms among large corporations, which learned that the weakest link in
the chain could compromise the entire ecosystem.
One of the most important lessons Kenya learned was that
cybersecurity must evolve at the same pace as digital transformation, not lag
behind it.
As the government pushed forward with digital public
services, mobile-money integration, artificial intelligence adoption, and cloud
migration, attackers followed the same trajectory, targeting new digital
touchpoints as they emerged.
The vulnerabilities created by the use of deprecated
systems, insufficient investment in modern infrastructure, and the slow update
cycles of public institutions were repeatedly exploited throughout the year.
2025 also made clear that technological advancements—as
powerful as they are—do not necessarily translate into security unless
accompanied by policy clarity.
The draft National Cybersecurity Strategy 2025–2030,
released during the year, sought to address this gap by outlining a coherent national
roadmap that emphasised risk management, resilience building, capacity
development, and the protection of critical infrastructure.
Among its central pillars were commitments to strengthen
regulatory oversight, promote secure digital innovation, enhance cybersecurity
education, and integrate AI into threat detection systems.
The draft strategy was one of the clearest reflections of
Kenya’s determination to convert the lessons of 2025 into a long-term policy
vision.
Another key lesson came from the rising use of artificial
intelligence by both defenders and attackers. While Kenyan organisations began
experimenting with AI-powered monitoring tools, attackers also leveraged
generative AI to automate phishing campaigns, generate polymorphic malware, and
create convincing deepfakes.
The dual-use nature of AI reinforced the need for governance
frameworks and ethical standards that could help mitigate unintended
consequences.
By the end of 2025, it had become clear that Kenya’s cyber
threats were not isolated anomalies—they were symptoms of a global trend.
Cyber geopolitical tensions, digital conflict between
competing states, the growing complexity of global supply chains, and the
expansion of cloud-based ecosystems all increased Kenya’s exposure.
Kenya’s experience mirrored global patterns but also
reflected uniquely local challenges, including uneven investment in
cybersecurity among small businesses, limited awareness among citizens, and
fragmented defences across county governments.
This is premium content
Subscribe to Continue Reading
Help us continue bringing you unbiased news, in-depth investigations, and diverse perspectives. Your subscription keeps our mission alive and empowers us to provide high-quality, trustworthy journalism. Join us today to make a difference!