Internet penetration exposes Kenyans to cybercrime

By Allan Olingo

Lack of internal measures to prevent cyber related crimes is to blame for the growing number of organisations that are losing confidential data.

Latest statistics from Communication Commission of Kenya indicates that by the end of last year, over 36 per cent of the population had access to Internet from 31.8 per cent recorded in 2010. This was a 14 per cent increase. This means that the rapid growth in Internet penetration is exposing more Kenyans to risk.

According to a PricewaterhouseCoopers 2011 Global Economic Crime Survey, two-thirds of businesses and other organisations in Kenya were victims of economic crime in the last 12 months.

The survey revealed that cyber crime now ranks as one of the top four economic crimes in Kenya, among Africa respondents and globally. Most respondents in Kenya see cybercrime threat coming from within Kenya, followed closely by Nigeria, while globally, Africa is seen as one of the main sources of cybercrime threats.

worrying trend

This is a worrying trend especially with a lax attitude from the majority of the vulnerable targets.

According to Salim Idd, an Internet security analyst, out of the 12 banks with a semblance of online and SMS Banking in Kenya, only three are ‘sufficiently secure’.

"The rest have serious flaws mostly because they are opening up their services to the US dollar interfaces (USSD), which is mostly un-encrypted, while GSM Interceptors are locally available and cost only USD 10,000," says Salim.

GSM Interceptors are a monitoring system that intercepts traffic in cellular GSM networks. This system is simple to use and does not require special technical knowledge in the field of computers and cellular system.

Salim says that it is a sad culture that we have where financial risk auditing is confused and replaced with security auditing. We see websites talking about having Secure Sockets Layer (SSL) in the pages, but the traffic is not encrypted, he notes.

Says Salim: "Few banks host data beyond their core data-centres. So, data corruption resulting from a hack would compromise their client’s information."

Interestingly, most of the banks’ back-ups are done daily at the end-of-day’s operation as a culture, so there is potential risk to lose 24 hours worth of data and transaction every day. This is a scenario that means data cannot be recovered even with raid and redundancy because it is not a disk failure. It is intentional and malicious compromise.

So how can they act in order to avoid being compromised?

no capability

In the survey, only 35 per cent of Kenyan respondents said that they had the capabilities to investigate cybercrime should it occur and just 24 per cent indicated that the overall responsibility for monitoring cybercrime rests with senior executives. This shows cyber crime is still not viewed as an organisation wide threat and is still mainly the responsibility of IT departments.

The state of cyber security in Kenya is simply woeful because no one wants to invest in basic security.

Salim says that a lot of things can be done by these financial institutions like the use of SSL certificates to provide transport-layer security to clients’ data.

taking precautions

Some of the precautionary measures that can be employed include securing all web applications against common attacks and having proper software update methodologies and procedures.

Salim notes that the software needs to be internally tested in a sandbox to pass quality analysis before being released to the public.

"It is better to have all these softwares out in the public late and stable than first and insecure. Therefore a full audit and forced compliance of all IT and security policies in all financial institutions, is recommended," he says.

Interestingly, from the PWC survey, it is only a total of 51 per cent of Kenyan respondents who indicated that they have in-house capabilities to detect and prevent cyber crime.

risk review

However, 31 per cent of Kenyan respondents reported that their organisation’s senior executives review the risks that cyber crime presents to the organisation on a quarterly basis. This is higher than the African average of 21 per cent and global average of 11 per cent, indicating that Kenyan senior executives have identified cyber crime as a priority and are being proactive in dealing with it compared to their African and global compatriots.

"We believe that CEOs and C-suite level executives should understand the threats posed from the Internet and take up the responsibility to prevent cyber crime in their organisations networking, while 64 per cent report that employee contracts refer to proper use of internal documentation and information," reads the PWC report.

Mr Idris Otieno, a web developer notes that Kenyan companies are witnessing a new wave of cyber threats that are generated from inside network.

"Most of the compromise comes from internal sources within the company like the persistent use of portable gadgets such as flash disks, mobile phones and social networks in offices. This is driving up attacks," says Otieno. The advancement in technology, ignorance and lack of research are currently the drivers of cyberspace insecurity, which is costing companies millions of shillings.

Says Otieno: "It is my plea to businesses dealing with sensitive clients information like the banks, financial institutions, stock brokerage firms and insurance companies to be more vigilant as Kenya is now more prone to cyber crime than before."