In a new report on Cyber Crime in Kenya, it has been revealed that in excess of 80% of Kenyans connected to the Internet are vulnerable to cyber crime and online criminal attacks.
The study, titled The State of Cyber Security in Kenya was carried out by Serianu, a cyber security consulting firm in partnership with PKF consulting and USIU Africa and it seeks to show that the vast majority of private companies and public sector organizations also remain very exposed to cyber crime and internal IT fraud within the organization.
Presenting the results of the study yesterday, Serianu Managing Director William Makatiani said that these had been published into a report – Kenya Cyber Security Report 2015 that is available for public access.
“Our study revealed that 70% of Kenyan businesses are vulnerable to cyber-crime yet most of them remain ignorant of these vulnerabilities. Nearly all internet devices in the Kenyan cyber space are vulnerable to attacks, exposing more companies and individuals to the risk of malicious insiders and cyber criminals,” said Willian Makatiani, MD at Serianu.
He also added that during the study, his company – Serianu – discovered that on average most medium sized organizations with over 70 employees in Kenya have at least two vulnerable computer servers and up to 15 infected computers that were already hacked into by cyber criminals.
The most vulnerable businesses and/or home owners are those that have installed low cost home routers, Closed Circuit Television (CCTV) systems and public email servers on their networks.
According to Makatiani, the best way to counter this is for installers of these home & office internet access systems to work with cyber security experts to ensure that their clients remain un-exposed.
Companies also need to keep vigil online by raising their degree of vigilance and awareness and IT teams are required to invest more time and resources in auditing their entire systems and establishing modalities to reduce breaching incidences.
Serianu’s study also reports that the annual cost of Cyber Crime to Kenyan companies is estimated to be KES 15 billion (USD146 Million) and this amount, affirms Makatiani, is based on Serianu’s estimates from their 2015 cyber security study. The firm reviewed publicly and privately available data from individual industries, complemented by interviews with business leaders and IT security practitioners. But it was much harder to establish the extent of financial losses by the public sector.
Kenya, unlike many other governments, has not established any mechanisms to track and calculate the losses made by public sector organizations to Cyber Crime and this makes this country even more susceptible to such crimes such as website defacements as was seen a couple of months back when some hackers defaced several government websites. It also leads to ridiculous ransom demands from criminals before restoration of service on these websites.
The online study further breaks down the losses per industry, citing that the most affected actually is the public sector having losing approximately KES 5 Billion annually followed closely by the financial services sector at KES 4 Billion. Manufacturing and industrial-companies come 3rd at KES 3 Billion.
Coming in 4th and 5th are the telecommunications, media and technology and other sectors that are estimated to lose about KES 2 Billion and KES 1 Billion respectively.
Serianu conducted a technical assessment of the Kenyan cyber space by performing a scanning exercise of Kenyan IP addresses of publicly accessible administrative interfaces and which ordinarily are procured with a default password. The firm then catalogued popular network appliances, at least 5,000 internet routers and CCTV cameras, accessible over the Internet.
Of all discovered devices, Makatiani said that most of the hacked devices were those that remained configured with their factory default settings.
Remarkably, 3 in every 4 IP addresses scanned during the study were found to be vulnerable to remote attacks simply because their owners refused to change the manufacturer’s default settings once they installed and configured the equipment.
This report warns that security breaches have become more sophisticated, with many involving attacks some even emanating from internal staff.
As a result of these emerging complications, the system down times caused by cyber crime attacks are getting longer with the average number of days to detect an attack in many organizations totaling almost 120 days (almost 4 entire months), more than double the days it took in the 4th quarter of 2014.
More complex hacking and cyber crime incidences easily take an additional 45 days to resolve bringing the entire cycle to 165 days in total.
According to the report, the top 4 sources of these Cyber Crime attacks are:
- The United States records the highest number at 20%
- China recorded at 19%
- Russia at 11%
- and Venezuela at 10%