A new report by Cyber Security consulting firm Serianu in partnership with PKF consulting and USIU Africa has revealed that more than 80 per cent of Kenyans connected to the Internet are vulnerable to cybercriminal attacks.
Dubbed The State of Cybersecurity in Kenya 2015, the report, which was presented by Serianu Managing Director William Makatiani, shows that a vast majority of private companies and public sector organizations also remain very exposed to cybercrime and internal IT fraud.
“Our study revealed that 70% of Kenyan businesses are vulnerable to cybercrime yet most of them remain ignorant of these vulnerabilities. Nearly all internet devices in the Kenyan cyber space are vulnerable to attacks, exposing more companies and individuals to the risk of malicious insiders and cyber criminals,” said Makatiani.
He added that during the study, Serianu discovered that on average most medium sized organisations with over 70 employees in Kenya have at least two vulnerable computer servers and up to fifteen infected computers that were already hacked into by cybercriminals. The most vulnerable businesses and home owners are those that have installed low cost home routers, Closed Circuit Television (CCTV) systems and public email servers on their networks.
To counter this situation, Makatiani said that Kenyans who are busy installing these internet access systems in their homes and office networks must work with cyber security experts to ensure that they are not exposed. Similarly, companies need to raise their degree of vigilance, with IT teams required to invest more time and resources in auditing their entire systems and establishing modalities to reduce breach incidents.
Paula Musuva Kigen, an Associate Director of Cybersecurity at USIU-A’s Centre for Informatics Research and Innovation (CIRI), also highlighted the need to have localized cyber intelligence research in order to have organizations appreciate and respond appropriately to the threat landscape in the region. She added that the report highlights the technology trends in areas such as cloud computing, internet of things and near field communications, and points out the cyber security considerations organizations need to make.
Serianu’s study also reports that the annual cost of cybercrime to Kenyan companies is estimated to be KES 15 billion (USD 146 million).
According to Makatiani, this amount is based on Serianu’s estimates from their 2015 cyber security study. The firm reviewed publicly and privately available data from individual industries, complemented by interviews with business leaders and IT security practitioners. But it was much harder to establish the extent of financial losses by the public sector.
“Unlike many governments, Kenya has not established any mechanisms to track and calculate the losses made by public sector organizations to cybercrime,” he said. “This makes them even more susceptible to crimes such as website defacements and ransom demands from criminals before restoration.”
The study further breaks down the losses per industry, citing the public sector as the most affected, having lost approximately KES 5 billion per year, followed by the financial services sector at KES 4 billion and manufacturing and industrials at KES 3 billion in third place. The telecommunications, media and technology and other sectors are estimated to lose about KES 2 billion and KES 1 billion respectively.
Serianu further conducted a technical assessment of the Kenyan cyber space by scanning Kenyan IP addresses for publicly accessible administrative interfaces of devices that are ordinarily procured with a default password. The firm then catalogued popular network appliances, at least 5,000 internet routers and CCTV cameras, accessible over the Internet. Of all discovered devices, Makatiani said that most of the hacked devices were those that remained configured with their factory default settings.
Remarkably, three quarters of the IP addresses scanned during the study were found to be vulnerable to remote attacks. “Most of these devices have their administrative interfaces viewable from anywhere on the internet since their owners have failed to change the manufacturers’ default settings.
“Leaving factory default settings and administrator passwords is something that is overlooked due to poor information security training and awareness among employees and the common mwananchi,” Paula pointed out. “Hackers have an easy time getting in because they have databases of default settings for these access points, networking devices and servers.”
The report warns that security breaches have become more sophisticated, with many involving attacks from staff. As a result of these emerging complications, the system downtimes caused by cybercrime attacks are getting longer, with the average number of days to detect an attack in many organisations totaling 120 days, more than double the days it took one year ago. The more complex ones easily take an additional 45 days to resolve.
Revealing the top four sources of these attacks, the report lists the US with the highest number at 20% followed by China, Russia and Venezuela at 19%, 11% and 10% respectively.