Cybercrime losses surge above Sh20 billion

Overconfidence by users and lack of smart cybersecurity strategies are exposing many Kenyans to cybercrimes, reveals a NationNewsplex review of cybersecurity data.

Kenya lost Sh21.1 billion to cybercrime in 2017, a 40 per cent increase from Sh15.1 billion in 2015, according to the 2017 Kenya Cybersecurity Report by Serianu, an information technology services consultancy firm.

Three-quarters of employees in the formal sector in Kenya have experienced cybercrime in their organisations, according to the report. The proportion could be even higher as many people do not know what event or action qualifies as cybercrime. The study also reveals that most organisations fail to provide enough resources for cybersecurity, making them prone to attacks.

Kenya ranks third in Africa and 45th globally in the 2017 World Cybersecurity Index. The index, compiled by the International Telecommunications Union, covers 134 countries globally.

“Technology alone cannot solve cybersecurity issues. We need to have cyber aware employees, industry aligned processes and procedures as well as the right technology,” says Serianu CEO William Makatiani.

He says people, the human factor, are the weakest link in cyber security. “Users don’t necessarily have bad intentions. The vast majority operate in good faith without realising that they are exposing themselves and their organisation to cyber threats,” he adds.

Personal data

Findings from past studies support his view. Two in five victims of cybercrime globally trust in their ability to safeguard their personal data, according to the 2017 Norton Cybersecurity Insights Report. Another third of victims believe they are at low risk of being targets of cybercrime.

“Consumers who have fallen victim to cybercrime emphasize the importance of online security more than non-victims, yet they are more likely to contradict their efforts through simple missteps,” states the report by Norton, an international information technology security firm.

Figures from the Norton study show that a fifth of cybercrime victims globally use the same password across all online accounts despite the fact that they practice new security techniques such as fingerprint ID (44 per cent), pattern matching (22 per cent), personal virtual private networks (16 per cent), facial recognition and two-factor authentication at 13 per cent each, and voice ID (one per cent). More than half (58 per cent) of cybercrime victims share at least one device or account password with others. By comparison, only 17 per cent of non-cybercrime victims use the same password across all online accounts and 37 per cent share their passwords with others.

Mr Makatiani says attackers leverage employees' ignorance and use social engineering to compromise an organisation. This involves sending emails convincing people to reveal personal information or click on links. Sometimes, he says, the threats come from insiders. These are typically disgruntled employees who want to steal from or compromise their organisations. Insider threat contributes up to 50 per cent of all direct losses.

Common types of cybercrime in Kenya include insider threats, attacks on computer systems, identity theft, phishing, data exfiltration, online fraud scams and ransomware. According to the Norton study, more than half of cyberattack victims globally had a device infected by a virus, while more than a third fell for debit or credit card fraud or had their account passwords compromised.

The increasing internet penetration rate in Kenya is a huge contributing factor to the rising cases of cybercrime, as more devices are getting connected to the internet. The Economic Survey 2018 indicates a 22 per cent increase in the internet penetration rate from 59 per cent in 2016 to 72 per cent in 2017.

Most cyberattacks in Kenya target the banking sector. The sector accounts for a third (Sh7 billion) of the overall estimated loss to cybercrime followed by governmental agencies (24 per cent or Sh5 billion), according to the Serianu report. However, very few of these cases are reported because financial institutions fear losing credibility.

In Kenya, on average, 96 per cent of cybercrime incidents either go unreported or unsolved.

Last year, a man was charged in court for allegedly hacking into the Kenya Revenue Authority’s system, a breach that resulted in the loss of Sh4 billion. In Nyeri County this year, police arrested three suspects who had allegedly defrauded a ward representative of Sh1.9 million from his bank and MPesa accounts. With Kenyan businesses stepping up their efforts to digitise and embrace new technologies, the vulnerabilities are likely to increase.

“Most businesses are quick to open channels such as mobile banking to keep up with their competitors and demanding customer needs. However, in most cases, these technologies are launched and deployed without proper security controls in place (such as encryption, certificate validation and user account management) making them a lucrative target for cybercriminals,” says Mr Makatiani.

Computer virus

A fifth of businesses, mostly large organisations, reported being attacked by a computer virus, according to the Kenya National Bureau of Statistics Enterprise ICT Survey Report 2016. This is half the proportion of public institutions which reported the same, at 45 per cent.

This is unusual given that 96 per cent of public institutions reported deploying antivirus software as a security measure. It suggests that the software might not be updated regularly to capture any new threats. Failure to prevent computer virus attacks resulted in about half (48 per cent) of the public institutions losing data, especially those operating under county governments.

Most organisations’ cybersecurity programs are tool-oriented, a fact which experts believe acts as an obstacle to ensuring full security. Deploying only complex security systems is not enough. They recommend focusing on setting policies that involve all users, coupled with not only technical power, but also awareness creation.

In the public sector, despite having the largest share of members with IT security policies, state corporations and learning institutions are the most affected by attacks, according to the Public Sector ICT Survey Report 2016.

Only one in three county governments has IT security policies, and county governments were the second most attacked entity in the public sector. Constitutional commissions were the least affected, and also have the most offices with a security policy.

“The biggest hurdle for organisations is implementation and enforcement of policies. A majority of organisations download templates from the internet which may not necessarily address their specific issues,” adds Mr Makatiani.

He argues that failure to communicate policies to users and lack of IT security expertise also play a role in the ineffectiveness of the policies.

In the private sector, 70 per cent of large businesses have IT security policies in place, the largest share. However, they are the most attacked (seven per cent), followed by medium businesses (five per cent), small (four per cent) and micro businesses (three per cent).

When it comes to hacking, small businesses are the most prone (seven per cent), followed by medium (six per cent), micro (five per cent) and large businesses (four per cent). One in six incidents of cybercrime in the private sector targets the transportation, storage and health sectors.

Health systems are not new to cyberattacks. The 2017 WannaCry ransomware attack hit more than 300,000 computers in over 150 countries around the world, crippled hospital systems in the United Kingdom, and demanded that hospitals pay about Sh30,000 in Bitcoin to restore access. In 2016, a Los Angeles hospital was forced to pay Sh1.7 million in Bitcoin to hackers after all its files were encrypted.

Cybersecurity attacks aimed at government institutions are increasing all over the world, from accusations of Russia hacking the US Democratic National Convention servers in the run-up to the 2016 elections to North Korea allegedly spreading the WannaCry ransomware to other nations. The most famous case in Kenya was in 2012, when government cybersecurity experts were caught flat-footed after an Indonesian hacker, identified as direxer, brought down 103 state websites by merely following tutorials from an online forum.

According to the Computer and Cybercrimes Act 2017, which addresses cybersecurity threats, computer hackers face a Sh5 million fine or a three-year jail term or both if found guilty.