Digital payments are progressively entering the mainstream, in correlation to the increased access, use, and adoption of ICTs in Kenya. However, the transition to and eventual adoption of digital payments will bear its own risks, in the form of cybersecurity risks.
Against this backdrop, “A study paper on human-centred cybersecurity: Kenyan Fintech sector” was authored by KICTANet and commissioned by Trust4Cyber-Flagship Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH.
The study maps the cybersecurity landscape in Kenya with a focus on the financial sector, and advocates for a human centric approach in cybersecurity. Human elements of cybersecurity are frequently overlooked or assumed while entities focus on adopting new technologies, processes, and standards as a way of security. This is despite the fact that 9 out of 10 cyber breaches in companies are a result of human error as observed in a study “Psychology of Human Error”.
The study notes the progress made in the development of the legal, institutional and regulatory frameworks to promote cybersecurity within the financial services sector in order to ensure secure digital transactions.
In addition, the study seeks to map out all relevant stakeholders in the field of cybersecurity in Kenya with a specific focus on actors from within the financial sector. The stakeholder groups include the government, academia, civil society, technical community, and the private sector.
The study comprehensively identifies the cybersecurity threats faced in Kenya, cybersecurity trends developing across the continent, and expands on the challenges posed by the cybersecurity threats.
Cybersecurity threats in Kenya
KE-CIRT, the institute responsible for national-level cyber incident detection and response, has noted a significant growth in the total threats detected, from 23 million in 2018 to 110 million in 2020. KE-CIRT statistics for the second quarter of 2021 show that ransomware, malware, and phishing attacks are the most common cybersecurity risks.
Concerningly, this upward trend can be attributed to the rise in impersonation, online fraud, and online abuse cases arising from increased internet access and use. Data breaches, theft of proprietary information, financial damage, reputational loss, equipment destruction, distributed denial of service, illegal access to vital systems, and theft of personally identifiable information are all consequences of these attacks.
Trends in the region
According to the 2021 Interpol report on African Cyber Threat Assessment, the top five cyberthreats in Africa are online scams, digital extortion, business email compromise, ransomware, and botnets. In addition, the report notes that criminals take advantage of variations in law enforcement capabilities across physical borders to continue with cyber-attack activities.
African countries have reported a sharp increase in the number of online banking scams, including instances of banking and credit card fraud. Online scams are also the highest reported cyberthreat to law enforcement agencies in Africa. Furthermore, the COVID-19 pandemic has contributed to the increase in business email compromise threat that targets businesses and organisations that rely heavily on wire transfer transactions.
Cybersecurity challenges to the fintech sector
Below is a summary of the cybersecurity challenges faced by the fintech sector:
- Loss of Funds due to Cyber-Attacks: Studies assessing the cybersecurity environment of 148 banks in Sub-Saharan Africa (SSA) noted that 85 percent of the banks had experienced cyberattacks and had, on average, incurred losses of $770,000 with a single malware-infected computer costing $9,707;
- Limited data on breaches: It is difficult to obtain data on cyber-attacks and data breaches in the financial sector largely due to the fact that previously, there was no requirement on financial institutions to report on incidents of breaches or the losses incurred;
- Few skilled staff and awareness: Cyberattacks are heavily reliant on the human weakness element, and as such, staff without cybersecurity and cyber hygiene training remain a viable vulnerability for threat actors to exploit. Therefore, the CBK is leading the development of minimum standards for supervision of cybersecurity in the East African Community region. CBK is ensuring enhanced skills for its staff to be able to respond to evolving digital financial services risks with a focus on cyber resilience. This is because cyber-attacks rely on weaknesses in the human element
- Wide use of pirated software – With Kenya ranking among the top 20 pirating countries, the hidden cost of using pirated software is the likelihood of encountering nasty, unwanted code, either in the software itself, via code that can get downloaded, or installed along with the pirated software.
- Funding: Cybersecurity budgets in many entities is reported to be less than 1 percent and many organisations had a zero-budget allocated to cybersecurity. It is therefore important that more resources are directed towards hiring and retention of talent, knowledge and capacity building, and an upgrade of infrastructure to increase cyber resilience.
- Prosecution capacity: Despite several arrests and arraignment in Kenya, threat actors have never been successfully prosecuted. There is a lack of prosecution capacity in Kenya with several high-profile cybersecurity cases dragging on for many years without being concluded or terminated without prosecution.
- Managing evidence: Kenya faces a serious challenge of safeguarding and securing evidence and ensuring proper chain of custody of evidence, vital for guaranteeing successful prosecution. Prosecuting organs should have adequate training on handling digital evidence and making it admissible in a court of law.
- Information Security Gaps: Financial institutions need a clear strategy to manage, improve, and appraise their processes. Using a risk-based approach to cybersecurity (like using the Capability Maturity Model Integration – CMMI model) can be instrumental in addressing cybersecurity challenges as organisations will be able to evaluate their biggest threats, assess vulnerabilities, and reserve resources for those threats.
The study developed human-centric cybersecurity recommendations for the below stakeholders:
- The Kenyan Government is called upon to:
- Promote a human-centred and multistakeholder approach in the implementation of cybersecurity strategies;
- Review the outdated cybersecurity strategy;
- Develop a national cybersecurity policy;
- Develop and implement a national cyber hygiene programme targeting users of financial services;
- Enhance cybercrime information sharing, intelligence, joint cooperation between regional actors in the detection and responses to cyber incidents and the prevention of cybercrimes; and
- To regularly conduct national cybersecurity assessments based on international standards.
- The Private Sector should commit to:
- Investing resources towards hiring and retention of skilled personnel, knowledge and capacity building, and an upgrade of infrastructure, tools and software, as well as in cybersecurity strategies;
- Develop cyber hygiene programmes for their users;
- Ensure compliance with data protection laws; and
- Collaborate with other stakeholders in handling cyber incidents.
- The Civil Society has to play a crucial role in:
- Developing cyber hygiene programmes targeted at the public;
- Monitoring and reporting on the effectiveness measures put in place by the government and the financial sector; and
- Enhancing collaboration with other stakeholders.
- International development partners are called upon to:
- Support civil society organisations to conduct research, advocacy and training;
- Collaborate with other stakeholders;
- Invest in capacity building programmes, information sharing, knowledge and technology transfer; and
- Promote international cooperation to strengthen the synergies and capabilities between global and national actors including academia, business, government, media and civil society.
The full report is accessible: https://toolkit-digitalisierung.de/app/uploads/2022/03/GIZ-2022-A-study-paper-on-human-centred-cybersecurity.pdf