The Kenya Bureau of Standards (KEBS) recently fell victim to a ransomware attack orchestrated by the Rhysida ransomware group. As a consequence, 739 GB of KEBS’ data was exposed and made public. The data includes sensitive information such as employee records, financial data, and product testing data. The exposure of this data could have a number of negative consequences for KEBS including damage to reputation, financial losses, and increased risk of further attacks.
Ransomware is a type of malware that encrypts a victim’s files or system and demands a ransom payment in exchange for the decryption key. Ransomware attacks can target individuals or organisations, and they can be devastating as they can cause loss of data, financial losses, and reputational damage.
Other recent ransomware attacks on the Kenya Airports Authority and Naivas Supermarket are examples of how devastating these attacks can be. The KAA attack did not have a significant financial or operational impact, and the Authority claims that no sensitive data was stolen. However, the attackers released 514 GB of data, including procurement plans, physical plans, site surveys, invoices, and receipts on the Internet. The Naivas attack, on the other hand, exposed private information including invoices, agreements, and customer data to possible manipulation by unknown actors. In addition to these attacks, it is rumoured that the e-citizen portal has been down for some time this week due to cyber attacks on the platform.
Cybersecurity laws and policies in Kenya
The Kenya Information and Communications (Amendment) Act, (KICA) defines cyber security as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber environment. To protect our systems, networks and devices, the government created various policies and laws namely: the National Information Communications and Technology (ICT) Policy Guidelines, 2020; KICA and the Computer Misuse and Cybercrimes Act, 2018 ( CMCA).
The National Kenya Computer Incident Response Team (National KE-CIRT) was established by the Communications Authority as part of its mandate under KICA to mitigate cyber security threats by detecting, preventing, or responding to them, issuing cyber security advisories, and enhancing cyber hygiene awareness.
Kenya has ratified the African Union Convention on Cyber Security and Personal Data and is hence bound by its provisions under Article 2(6) of the Constitution. The Convention sets out in its preamble that it requires member states to respect and promote fundamental freedom and rights contained in the instruments adopted within the framework of the African Union and United Nations. Kenya is a member of the Global Cybersecurity Agenda whose main role is to build security and confidence in the use of Information Communication Technologies.
The Data Protection Act and Data Protection Regulations also provide guidelines to organisations on how to handle personal data and the rights data subjects have. Additionally, it provides the procedures that are necessary to report a data leak to the office of the Data Protection Commissioner.
In addition to the above laws and policies, Kenya has the National Computer and Cybercrimes Coordination Committee established under the Computer Misuse and Cyber Crimes Act of 2018. This body is tasked with coordinating national cybersecurity security matters to enable timely and effective prevention, detection, prohibition, response, investigation, and persecution of computer cybercrimes.
With this vast number of policies, laws and bodies tasked with enhancing cyber security, it can be concluded that the cybersecurity problems Kenya is experiencing are not due to a lack of laws but due to human error leading to breaches.
According to a study by IBM, 95% of cybersecurity breaches result from human error. Human error in cybersecurity accounts for either unintentional or lack of action that results in a data breach. It includes activities like downloading infected software and keeping a weak password or compromising the IP address.
The types of human errors in cybersecurity can be categorised into skill-based and decision-based errors. Skill-based errors are generally minor errors that occur while carrying out a daily task. It is often the result of negligence due to inattentiveness, tiredness or distraction. On the other hand, decision-based errors are the ones where the user makes a faulty decision. Decision-based errors result from a lack of knowledge, skills and information about a specific circumstance. It further includes inaction during a particular scenario too.
Mis-delivery, including sending information to the wrong recipient, is the fifth most common cause of all cybersecurity breaches. Email services often auto-suggest an email address to increase the user’s convenience, which increases the risk of sending an email to the wrong person if not carefully checked. The other most common reason for a cybersecurity breach is keeping passwords which are extremely popular and are therefore easy to guess. Also, many users keep reusing their passwords for accessing one service or another. Additionally, users also save these passwords in a careless manner which makes it easier to land hands on them.
How to solve human error
Privilege control: ensure that your users only have access to the data and functionality that they need to perform their roles. This reduces the amount of information that will be exposed even if the user commits an error that leads to a breach.
Password management: as password-related mistakes are a main human error risk, distancing your users from passwords can help reduce risks. Password manager applications allow your users to create and store strong passwords without having to remember them or risk writing them down on post-it notes. You should also mandate the use of two-factor authentication across your business to add an extra layer of protection to your accounts.
Train employees on all core security topics: as human error can manifest in a huge variety of different ways, it is essential that you train employees to a basic level on any security topics that they may encounter in their day-to-day work activities. Use of email, internet and social media, as well as phishing and malware training are just some of the topics that training should cover.
Encourage discussion: One of the best ways to ensure that security stays at the forefront is to get people talking about it. Bring up discussion topics around security – and ensure that they are relevant to your end-users’ day-to-day work activities so they are more likely to get engaged. This will help them see what they can each do personally to help keep up the security of your organisation.