As Kenya invests in technology, we need to find ways to deal with risks

Thursday July 24 2014

Equity Bank along Kimathi Street, Nairobi on

Equity Bank along Kimathi Street, Nairobi on October 25 2011. An investor has been allowed to amend his claim against Equity Bank following allegations that the lender is withholding proceeds of sale of his shares transferred to its chairman Peter Munga. FILE PHOTO |  NATION MEDIA GROUP

A few days ago, the Kenya Defence Forces Twitter handle was taken over by hackers. The same happened to the Twitter handle of the defence forces spokesman Emmanuel Chirchir.

Those familiar with the two accounts obviously noticed the change in tone in the updates, inconsistent as they were with traditional expectations from the forces and its spokesman.

It is not the first time that hackers have embarrassed the government. A few years ago, several government websites were hacked.

That said, these are the cases that we know of; what goes unreported?

In the private sector, recent news suggested Kenyan banks had lost in excess of Sh600 million in two months. In July, it was reported that the estimated annual bank losses, due to poor information protection, was in excess of Sh5 billion. Some say these are conservative figures. Nonetheless, they are staggering losses and someone has to pay.

Kenya has embraced the use of technology. We have seen the phenomenal use of cell-phones and with it, services that ride on the technology infrastructure.

M-Pesa has revolutionised the mobile money space and is perhaps the most successful service using this infrastructure.

But as we embrace technology, it is important to realise that nothing comes without risk. To get the full potential of any invention, one must weigh the gains and risks.

Unmitigated risks obviously lead to losses, which can be material as in the cases of banks. It could also be harmful to the reputation, leading to loss of confidence and trust.

For example, messages from the Kenya Defence Forces and its spokesman may lose their full weight if the source cannot be trusted. In financial services, customers may opt for alternative means of transacting if they lose confidence in the banking system.

As we invest in technology, we need to invest commensurately in associated risk management. We need to invest in information security.


As an information security practitioner of many years, I have observed the following in my day-to-day interaction with those in the same business in Kenya:

First, Kenyans don’t appear to take seriously breaches of the kind illustrated above. They seem to treat such happenings like “small irritants” that do not impact on their businesses.

For the private sector (and banks especially) they could simply underwrite these losses by passing them on to the consumer. A small marginal variation in interest rates can recoup losses of the magnitude mentioned.

Second, we need to make the conscious decision to invest in technology management and the risks associated with that technology. The country needs to put concerted efforts to develop skills in this area to tackle or forestall looming problems.

Third, the country seriously needs leadership in technology risk in the public and private sector. If there exists any, it is not felt.

Such leadership would be evangelistic in nature, pushing for an appreciation of technology risks and how to deal with them.

My experience in North America tells me that in Kenya and Africa, this area is very much under-funded and whatever little funding comes through will be spent on easy-to-acquire devices like Closed Circuit Television.


Fourth, many technology managers keep things obscure and profess security. I was once in a discussion with a senior official in government and heard things such as: “we cannot disclose what measures we have taken to protect government information because the same can be used by you people to target us.”

He failed to appreciate that you can still be hacked with the use of known reconnaissance approaches.

If we are serious about addressing this matter, let’s get some of our top talent, give them security clearance and challenge them to build systems that assure security.

A friend recently told the story of a manager who was protected by his benefactors, but who was not performing.

He would avoid bringing in talent that might help him build robust systems fearing such talent may also expose his failings! Only when the organisation was hit did they hire an external consultant whose report exposed the fraud the manager had perpetuated for years.

Dr Nyanchama is a director and managing consultant at Agano Consulting Inc, an ICT services firm with offices in Canada and Kenya .