Companies and State must act now to improve cyber security

What you need to know:

  • A recent study on the state of cyber security in Kenya shows that 70 per cent of Kenyan businesses are vulnerable to cyber crime.
  • The government is the most vulnerable to cyber criminals, according to the report.
  • Part of the reason for the growing prevalence of cyber crime in Kenya is the country’s increasing digitisation.
  • Data fraud can include leaking sensitive confidential information or sharing trade secrets with competitors, both of which can cost billions in terms of reputational risks, lost business opportunities, and litigation.

To fully appreciate why cyber crime merits a robust and well-coordinated security and policy response, one has to look no further than the billions that cyber criminals siphon each year from the Kenyan economy.

Kenyan companies conservatively lose Sh15 billion annually to cyber crime, but this figure could be significantly higher, considering that most victims are not even aware that they are vulnerable.

A recent study on the state of cyber security in Kenya shows that 70 per cent of Kenyan businesses are vulnerable to cyber crime, yet most of them are ignorant of this.

The government is the most vulnerable to cyber criminals, according to the report. Banking is a close second due to its increasing reliance on technology and third parties to manage and transfer money. Financial services and mobile banking are ranked third in vulnerability.

The prospect of more than Sh15 billion being stolen each year through shadowy digital networks is terrifying, especially in an economic environment where private and public entities are forever grappling with budget constraints.

Part of the reason for the growing prevalence of cyber crime in Kenya is the country’s increasing digitisation, which has inadvertently exposed Kenyans to these crooks.

Furthermore, key stakeholders do not appreciate the full range of the risks they are exposed to or how to mitigate them.

The cyber security policies instituted in most Kenyan companies do not reflect the magnitude, complexity, and full range of risks they face. This hit-and-miss approach can be costly.

For instance, many organisations embrace the bring-your-own-device trend without factoring in the risks. This policy permits employees to bring personal mobile devices (laptops, tablets, and smartphones) to the workplace and to use them to gain access to privileged company information and applications.

COMPROMISE CYBER SECURITY

Granted, this can help save costs and even act as an incentive to younger employees. However, it can compromise cyber security. Staff can access proprietary company information on their personal phones, including passwords, and share it with third parties either intentionally or unknowingly.

It is no surprise that employees (insider threats) account for 80 per cent of data-related fraud in Kenyan companies. Data fraud can include leaking sensitive confidential information or sharing trade secrets with competitors, both of which can cost billions in terms of reputational risks, lost business opportunities, and litigation.

Companies, therefore, need to be aware of the loopholes and understand how to seal them, while still giving their staff the privilege of using their own devices. Specialist risk managers can help seal these loopholes as well as other more complex ones.

The need for companies to contract specialist risk managers who can cut through the complexity of cyber security and deliver practical mitigation guidelines cannot be overstated.

No company is too big to be hacked. Leading US bank, J.P. Morgan, whose $235 billion market value is more than 10 times the $20 billion combined market value of all the listed firms on the Nairobi Securities Exchange, was not spared. The bank suffered a high-profile hack in August 2014, just two months after it had committed $250 million to cyber security.

Kenyan companies need to start making significant budgetary allocations to cyber security. More significantly, they need to understand that they cannot secure their businesses against cyber criminals through sporadic one-off spending. Mitigation efforts have to be consistent and long-term as cyber criminals are constantly evolving to beat the system.

Cyber security is no longer an IT challenge; it is a broader problem for individuals, businesses, and governments. This is a topic that needs detailed discussion if the loopholes through which more than Sh15 billion is stolen by cyber criminals each year are to be plugged.
 
Mr Shah is the chief executive officer, PKF Kenya.