Many Kenyan agencies that heavily rely on the internet to conduct their core business have invested on some form of cybersecurity — especially in the last five years.
But as long as the people using this cyberinfrastructure do not appreciate their personal stake in cybersecurity, these investments often turn out to be a huge waste of money.
Every year sees cyberattacks growing in sophistication and risk. Just a few days ago the instant messaging app WhatsApp reported that hackers had managed to spy on private messages, and urged users to update their apps.
A more notable example is the worldwide WannaCry ransomware attack in May 2017 that targeted computers running the Microsoft Windows operating system.
The attackers encrypted data on these computers and demanded ransom payments in the bitcoin cryptocurrency.
Such threats have seen a growing number of local companies invest in managed security services, whereby they outsource third parties to implement, manage and maintain their security infrastructure.
In fact, as indicated by the just released Cyber Security Report 2018 by Serianu, Kenyan companies are spending more money on securing their systems than they are actually losing through security breaches.
According to the report, of the Sh29.5 billion lost to cybercrime, a whopping Sh20.6 billion was spent in anticipation of cybercrime and reputational damage to firms.
With such massive investments in cybersecurity, one would expect more vigilance among users.
Yet, this is seldom the case for many agencies — both public and private.
We only comply with the employer’s cybersecurity policies because it is a requirement, and not because we have a personal stake in the risks involved.
That is why many of us find our office computers restrictive since we cannot freely instal our favourite software, update a programme or download some files without first passing through the IT department.
Cybersecurity remains a mild inconvenience that we tolerate rather than a necessary personal responsibility with serious personal risks if neglected.
During the US presidential debates leading up to the 2016 election, one question that plagued Hillary Clinton was her use of her personal smartphone to send and receive official emails.
To many Kenyans, this may seem like an insignificant issue, one that did not warrant all the outrage and scrutiny that Mrs Clinton faced.
In fact, for many of us, the work email is one of the many email accounts on our personal smartphones.
Some Kenyans who work for companies that provide “work” smartphones still bypass this alternative and instead opt to manage their email on their personal smartphones and laptops.
A quick review of how cyberattacks happen reveals that criminals hack people before they hack computers.
All it takes is for the hacker to convince an email recipient to click on that link, download that file and instal that plug-in.
The technical work of cybercrime always follows and is dependent on the psychological work.
Employers must therefore appreciate the fact that sophistication of technology is no match for the psychological tactics cyber attackers use to get computer users to give up their security details.
Socially engineered fraud remains integral to the perpetration of cybercrime activities at both the individual and company levels.
What this means, for instance, is that if institutions only focus on securing the office Wi-Fi without sensitising their staff about home internet security, they are fighting a losing battle against cybercrime.
Cybersecurity training must be approached as a personal security matter before it is treated as an organisational policy.
Employees must see that vulnerabilities in their own personal devices and internet connection are a risk not just to their employer but to themselves.
This will not only lead to more robust data security and system protection for employers, but it will make for a more security-conscious workforce, thus rendering impotent the most important tool cybercriminals have — psychological manipulation.
The writer is the managing director of Adrian Group Limited; [email protected]