How workers expose employers to cyber attacks

Ministry of ICT Principal Secretary Joseph Tiampati (right), Serianu CEO William Makatiani (centre) and Access Kenya Group Deputy CEO Kris Senanu during the launch of the Kenya Cyber Security Report 2014 in Nairobi last week. [Photo: Beverline Musili/Standard]

Kenya: Kenyan employees are unknowingly exposing their companies to cyber attacks through the use of personal devices to access company networks.

Data from a recently released cyber security report shows that with many companies in Kenya allowing their employees to bring their own devices to work, hackers are taking advantage of the poor security on these gadgets to access sensitive company information.

Enterprise mobility

“With the continued adoption of enterprise mobility, a growing percentage of workers are using their personal devices to access corporate resources,” states the report.

“When these devices are not secured, this introduces a wide range of security threats.”

In the past few years, the Bring Your Own Device (BYOD) policy has become commonplace in corporate Kenya, owing to the affordability and variety of portable consumer technology.

Many companies believe that encouraging, and even helping, their employees to use laptops, tablets and smartphones increases productivity, since staff do not have to be physically present in the office to work.

At the same time, it cuts operational costs, as the company is saved the expense of purchasing new equipment such as desktop computers.

However, this also presents a security threat to the company, since many employees take few or no steps to safeguard their portable devices from cyber threats.

Private data

“Most employees believe that since the device belongs to them, it is private and they have the prerogative to decide whether or not they are going to install security features,” said Mr Tyrus Muya, the head of information security and risk at technology company Cellulant.

“However, since employees use these devices to access company information like emails and transactions, attackers are using them as gateways into company servers and the private data of the company is compromised.”

One of the ways that users could compromise company data is by installing applications loaded with Trojans, which get into a system and then issue instructions to the device.

Trojans can copy user data like passwords and usernames, and send these back to the hacker over the Internet. The hacker can even acquire administration rights over the device and virtually get into the organisation’s network via shared file settings.

The problem is set to get worse since more companies are adopting the BYOD policy unaware of the threats that unsecured portable devices pose to their networks.

New risks

This trend is introducing new risks such as loss, disclosure or corruption of corporate data on employee-owned devices, and incidents involving threats to or compromise of the corporate ICT infrastructure and other information assets, for instance, through malware infection or hacking.

These were part of the findings of the 2014 edition of the Kenya Cyber Security Report developed by the Telecommunications Service Providers of Kenya (TESPOK), in partnership with Serianu Limited and USIU’s Centre for Informatics Research and Innovation (CIRI).

The report details the scale and trends of cybercrime in the country, drawing from information gathered from Internet service providers and several private and public companies.

Last year, the number of cyber threats detected in the Kenyan cyberspace grew 108 per cent to 5.4 million attacks, up from 2.6 million attacks detected in 2012.

“The fastest-growing cyber threat was from anonymous proxy servers located in Kenya, where a total of 290,000 attacks originating from anonymous proxy servers were recorded, compared to 50,000 similar attacks in 2012,” said Mr Kris Senanu, the TESPOK chairman.

“Kenya is lagging behind other states in adopting a cyber-security policy that would guide interactions between the Government and the private sector. It is expected of the telecoms industry to ensure the security of the networks over which the public and business engage, regardless of the technologies used to meet consumer services demand.”

The cost of cybercrime in the country has been high, with the financial sector, which has been worst hit, suffering huge losses estimated to be between $10 million (Sh879.4 million) and $30 million (Sh2.6 billion) in the last 36 months.
