Dan Swinhoe (Africa)- Kenya: A Cyber-Criminal’s East African Holiday Destination

• 1

• Posted by Dan Swinhoe

• on June 21 2012

Kenya is fast becoming a major player in the IT sector. East Africa's biggest economy has undergone something of an IT revolution in recent years, with the sector outperforming other more traditional ventures such as agriculture and manufacturing for a few years now.

Mobile subscriptions actually outnumber adults in the country, and as with many markets, the rise of Kenya's Generation Y, combined with affordable smartphones, internet and social media have all been a key influence on this rise. Of the 17 million people on the internet, six million are mobile internet users, and that number is rising steeply. Kenya seems to be going towards a wholly mobile internet set up. But perhaps because so few people are hooked up at home (around 2% have home computers) this could be the reason Kenya is vulnerable and open to attacks.

Open Season for Hackers

Recently workers from the Kaspersky Lab said 20% of computers being used in Kenya are vulnerable to viruses, and the number is rising. They attributed 17% of that to the use of free software downloaded from the internet, saying ignoring updates left them vulnerable, and pointed to the government to create proper regulations on cyber-crime.

Meanwhile a research paper on Kenyan SMBs found some very worrying statistics. Less than half felt they had documented Information Security policy, roughly the same amount thought staff were properly trained to secure their computers properly at all times, less than half had a business continuity plan in the event of a disaster, while almost half weren't aware of international information security standards available for organizations to adopt. This level of can only be described as negligence and ignorance is dangerous, especially when novice hackers are targeting the country for fun and succeeding every time. Proper training and business strategies are key.
But it's not just ignorance and the possibility; Kenya's security problems are very real.Forensic experts are claiming cyber-crime poses the biggest challenge to organizations and the police, and already costs Kenya Almost Sh3 billion (£23 million) every year. Organizations are being urged to employ Forensic Certified Public Accountants (FCPA) to try and counter the problem. 

Aside from cyber-crime, your average ‘hacktivists' are targeting Kenya for fun and practice. Last year an Indonesian student-hacker known as direxer took down 103 government of Kenya web sites overnight. Part of an online Indonesian security forum known as Forum Code Security, direxer said he took down the web sites following tutorials from the forum. That followed a year after another hacker attacked and disabled the official police site and two university hacks, one to change exam results and another to clear student fees. Clearly this should cause concern. If government and academic institutional sites are being hacked so easily, there's nothing to say local businesses are in any more of a secure position. Luckily this blog offers some simple advice for basic security but there are some serious questions that need answering, not by blogs but by the government and the private sector to really address what is a lack of adequate protection.

Fighting Back

The business level reponses so far have seen Techno Brain, an IT solutions company, starting to offer hacking forensic courses to banks, government agencies and other corporates, while Kenya Methodist University (KeMU) launched string of professional courses in IT security, in an attempt to plug some of the holes these attacks have highlighted.

The government is moving in the right direction too. Last year they set up their own Computer Incident Response Team (CIRT) to combat the problem, which aims to deal with incidents, promote security, issue warnings, and generally try to address the issues the country has with security and bring it up to scratch with the rest of the world.

The government is also making some not so great decisions. Its new Information Protection bill has been labeled ‘flawed' by the Kenya chapter of the international body for professionals in audit and information security (ISACA), who said it was a step in the right direction but left holes open for misuse, while new monitoring devices installed by the Communication Commission of Kenya (CCK) are worryingly Big Brother. Though they promise they are for assisting in early detection and prevention of cyber-crime incidents, and have said, "It is a passive system and not a tool for spying on users. The system cannot be used to block access to the internet at all," the monitoring of the public web traffic could be very worrying for people.

Clearly Kenya has some serious security issues that need addressing. This isn't to say they are the only victims, as seen by the recent attacks on the likes of Sony and LinkedIn, but major government site being brought down by a lone student isn't good enough by any stretch of the imagination. A lack of knowledge and skilled workers also need to be tackled, otherwise East Africa's biggest economy may be become a hacker's paradise.