Cybercrime getting more sophisticated, report says
A total of 188 million accounts were breached by fraudsters in the three months to March this year, a new report by the Communications Authority (CA) shows, noting that weak systems accounted for a chunk of overall cyber-attacks among Kenyan firms.
In its findings, the authority estimates that over 153 million system vulnerabilities, which are flaws in a computer system that weaken the overall security of the device or system, were detected during that period.
Further, CA’s quarterly sector statistics report, released Monday, showed that common security threats sprang from electronic payments through credit and debit card fraud.
In addition to attacks becoming more sophisticated, CA noted that threat actors are showing clear preferences for certain techniques, with notable shifts towards credential harvesting and ransomware, as well as an increasing focus on Internet of Things (IoT) devices.
Malware attacks also remain one of the routes most preferred by attackers, according to CA figures, with over 26 million such attacks detected during the quarter under review.
Hacking activities
The latest findings by the authority come on the heels of a spike in hacking activities targeting corporations since the onset of the Covid-19 pandemic, as digital thieves took advantage of weakened security with more people working from home.
Companies started reporting increased instances of hacking, mainly through password compromises, due to the unprecedented changes in the way firms and their staff are currently forced to do business.
Password compromises and insider threats are considered the biggest cyber threats, with just over half of the businesses in Kenya today operating under co.ke domains having experienced cybersecurity breaches during the period under review. These figures come amid calls for closer study of the exact cost of data breaches to local businesses and their damaging impact.
Indeed, the Communications Authority of Kenya (CA) last year said it was considering comprehensive scrutiny of the actual cost of cybercrime on Kenyan firms amid concerns that a number of organisations are reporting multiple data breaches.
Director General Ezra Chiloba said the authority would start a study in partnership with key stakeholders to determine how much local firms actually lose when cyber criminals penetrate their systems.
“The amount quoted last week for cybercrime cost, shows how much is lost on the global arena, locally we do not have an exact projection, and this calls for a study which we can only undertake in collaboration with our partners,” he said on the sidelines of a cyber security conference in October last year.
Chiloba said at the time that the Authority will continue to enhance network infrastructure and cybersecurity resilience for ICT services in Kenya.
Kenyan savings and credit co-operative societies (Saccos), for instance, lost Sh106 million in the 17 months to March 2021 due to cyber theft. According to IBM, the average cost of a data breach in the financial industry is $5.85 million.
As digital transformation engulfs the financial sector, mobile banking and payment apps have become one of the top targets of cybercriminals.
Cyber economy
Last year, Cybersecurity Ventures, a tracker and researcher for the global cyber economy, estimated that global cybercrime costs could grow by 15 per cent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015, cautioning that attacks are likely to increase in frequency.
A 2021 digital fraud report by credit reporting agency TransUnion also indicates that Kenyan banks are estimated to lose over $121 million every year to fraudsters through identity theft.