Kenyan businesses and agencies hit by cybercrime were last year forced to part with an average of $4.35 million (Sh561 million) to restore their services, Communications Authority has revealed.
This saw the country suffer losses amounting to $83 million (Sh10.71 billion), the second highest in Africa.
Data by the National Kenya Computer Incident Response Team Coordination Centre (KE-CIRT/CC), the body mandated to detect, protect, and respond to cyber threats, show that attackers are increasingly targeting national assets and financial institutions.
The Authority’s Director General, David Mugonyi, said that the most affected industries by volume of incidents and losses are financial services, government, fintech, hospitality, education, telecommunication, and manufacturing.
However, despite the initiatives to stop threats from external sources, insider threats and online frauds are the leading threats.
For instance, CA says that between April and June 2024, the National KE-CIRT detected 1.1 billion cyber threats targeted at Kenyan assets.
“The cost of cybercrime in Africa is staggering; last year Nigeria suffered losses amounting to $1.8 billion (Sh232.2 billion), Kenya $83 million (Sh10.71 billion), Uganda $67 million (Sh8.6 billion), Botswana $39 billion (Sh5 billion), and Lesotho $2.3 million (Sh296.7 million). The average data breach in Kenya in 2023 was $4.35 million (Sh561 million),” said Mugonyi.
The DG added that localised solutions are essential for handling cyber threats unique to Kenya and the region, such as cyberespionage, cyberterrorism, and other specialized threats that global frameworks may not adequately address.
The rising cost and complexity of cyber threats have prompted the government to initiate reforms that will lead to the consolidation of all cyber threat control units in ministries and semi-autonomous agencies into a single national unit.
According to the director of cybersecurity in the Ministry of ICT and Digital Economy, Yunis Omar, each one of the SAGAs is running a small cybersecurity arm, making it difficult to tackle emerging threats.
The plan will include an amendment to the National ICT Policy and an update to the National Cybersecurity Strategy to better address emerging digital security.
Omar emphasized the need for a "whole-government” approach, aiming to improve national visibility and strengthen Kenya’s cybersecurity posture through a cohesive framework.
“Cybersecurity, until recently, was being looked at in silos. For example, as a ministry, we have got several SAGAs like the communication authority, like the ICT authority, like the ministry itself that have been hosting independent cybercrime arms,” said Omar.
This step, the ministry said, aligns with ongoing policy initiatives, including an amendment to the National ICT Policy and an update to the National Cybersecurity Strategy, to better address emerging digital security challenges.
“There is an amendment going on at the moment. We have actually the national ICT policy, and in it we have the national cybersecurity policy that's being amended,” said Omar.
Mugonyi said that the authority continues to enhance its collaboration framework with various local and international partners to strengthen the cybersecurity legislative framework and facilitate the decisive and judicious resolution of cybercrime incidents.
These solutions, CA says, will deal with unique cybercrime situations across different jurisdictions.
It says that a one-size-fits-all technical approach does not cover threats such as cyberwarfare, cyberespionage, state-sponsored cyberattacks, cyberwarfare, and cyberterrorism.
“Likewise, digital progress demands consistent global efforts to secure the digital realm. This calls for strategic, technical, legal, policy, and security capabilities that transcend the sectors and borders,” said Mugonyi.