Cyberattacks in Kenya are on the rise. There's barely a day that goes by where you don't hear about a major data breach or an organisation that has unsuspectingly fallen victim to ransomware, spear-phishing or impersonation fraud. The government has seen the urgency and on 16 May signed the Computer Misuse and Cybercrimes Act into law.
And while most of the news coverage has focused on the perceived negatives of the legislation – including restrictions around freedom of expression and access to information - individuals should be pleased that cyber criminals will now face consequences.
According to a 2017 Serianu study, cybercrime cost Kenya Sh21.1 billion in 2017, so it seems that criminals have had free rein up until now.
Public and private organisations in Kenya are moving in their droves to the cloud. The benefits of cloud email providers like Office 365 are clear as businesses of all sizes can now benefit from its collaboration capabilities, improving productivity. However, what a lot of organisations don't realise is that while email is the number one business application used by companies, it's also the number one vector used to execute cyberattacks like malware delivery, phishing and Business Email Compromise. As businesses move to a cloud-based email environment, new challenges enter the landscape. The concentration of corporate mailboxes, and operational dependency on the Microsoft environment exposes many vulnerabilities.
It's therefore clear that the new cybercrime bill comes at a critical time and will go a long way in fighting the epidemic currently gripping the country. The new legislation will assist in capturing and prosecuting these cyber criminals but what happens if you're the victim of an attack before they manage to track these malicious actors down?
The cyber threat landscape has evolved dramatically, hackers are smarter and more sophisticated, they have formed communities and share ideas and pursuits. Many organisations think that defending against spam, viruses and malware is enough, but attacks have changed. Hackers moved on years ago to using malicious URL links found within emails and documents, and in recent years we've seen a significant increase in impersonation attacks using social engineering.
A recent global study by Mimecast and Vanson Bourne saw that 92% of surveyed organisations had seen targeted spear-phishing attacks with malicious links in the past 12 months. 87% had witnessed email-based impersonation attacks asking to initiate wire transfers. We're also seeing insider threats gaining traction and a recent trend of supply chain attacks from so-called 'trusted' third parties. The criminals are always one step ahead in this war and organisations are battling to keep up.
Unfortunately, organisations are relying on mediocre email security that only touches the surface when it comes to protecting their business from threats. C-level executives are failing to see the importance of having advanced security, leaving IT decision makers to fight an uphill battle.
Astonishingly, according to Serianu, as many as 10% of Kenyan organisations have zero budget allocated to cyber security products. Even more unbelievable is that this is an increase from 6% last year. Plus, the lack of skills in the country makes this war even harder – the study reports that there are only an estimated 1600 certified security professionals in Kenya.
With these factors in mind, it's not surprising that the government has had to take steps to help curb the growing instances of cybercrime, but it's apparent that for many organisations it's only a matter of time until they become the next victim. Relying on the basic security provided by cloud email providers is a huge risk that could dramatically impact productivity, business operations or even bottom line.
Furthermore, relying on defence only is no longer enough. Organisations need to be prepared for the possibility of a successful attack and have risk mitigation techniques in place. This involves ensuring the stability of your entire email environment before, during and after an attack, by implementing a cyber resilience strategy for email. So, if a breach occurs, you can keep email flowing with a continuity service and recover from ransomware quickly, with an archive service that allows you to recover data to the last known 'good' state.
The new cybercrime bill is a crucial move in Kenya's cybercrime war, but it's up to all organisations to play their part. Laws can only do so much to protect businesses; leadership teams need to take responsibility and create a culture with targeted programs geared towards safeguarding their employees, customers and business partners.
* By Brian Pinnock, Mimecast Africa and the Middle East.