Africa: The rise of BYOD & corporate data threats

In 2013, a leading telecommunications service provider in Kenya sacked 33 employees over cases of economic crime, including accounting fraud and asset misappropriation. Similarly, a leading commercial bank employee was charged with defrauding the bank of Sh60 million (US$670,000).

These are just some of the findings of Kenya Cyber Security Report 2014 that highlighted the grave situation that corporations have found themselves in following the adoption of technology. Fundamentally, it stressed how dangerous those employees armed with the latest gadgets can be to companies.

This situation is also worsening. Numerous smartphone brands have been launched in Africa recently and new companies such as Wiko Mobile from France and Infinix from Hong Kong have landed in most African countries. These have taken advantage of the low smartphone penetration and now, most people in Nairobi at least, have now upgraded to a state of the art gadget.

This is a double edged sword. With smartphones being able to access company emails and documents, they could pose a threat and act as a soft spot for hackers to gain sensitive information. This would be especially true in Africa where smartphone adoption in companies is not looked at favourably.

Disgruntled employees could also use these gadgets to gain access to unauthorised data and sell it to the highest bidder from the comfort of their homes. According to the Kenya Cyber Security Report 2014, the country saw a rise in corporate espionage and fraud due to the fast growth of use of technology in companies.

The report said, “In 2013, there was an increase in cases of cyber espionage. Cyber criminals either sponsored by states or individual organisations are using highly sophisticated and carefully constructed methods to gain access to a network and steal information quietly.”

The unstructured bring your own device

Significantly, there are no policies in place in most companies when it comes to what gadgets can be used to access company details and documents. Moreover, when employees acquire a new device, most do not present it to the IT department to be authorised to access company data or even gain basic protection.

“Bring your own Device (BYOD) is growing rapidly in Africa, and a number of companies all over the country are implementing BYOD into their organisations, especially given the benefits that can be derived,” Bethwel Opil, the Channel Sales Manager at Kaspersky Lab East Africa tells IDG Connect.

“As technology continues to evolve we believe that the concept of BYOD will remain one that businesses invest in. While the idea of BYOD is certainly a strong one - as it can improve productivity in the work place by giving employers the ability to access emails from anywhere in the world - companies should not forget that the rapid development of mobile devices and operating systems has also attracted the attention of cybercriminals, who are using the concept of BYOD to their benefit,” he warns.

Most growing middle level companies do not think of what gadgets their employees use to gain access to their emails when they are away from the office.

The Kenya Cyber Security Report 2014 noted that: “With the continued adoption of enterprise mobility, a growing percentage of workers are using their personal devices to access corporate resources. When these devices are not secured, this introduces a wide range of security threats. Our research suggests that this trend is only increasing; many employees in Kenyan organisations are using their personal devices to access business applications and resources.”

Opil believes that this gap will raise the insecurity levels in companies if the right measures are not enforced. The tactics vary, Opil explains. Employees’ notebooks or smartphones can be stolen to try access information from it. Mostly social engineering is used to gain access to company’s data. Here, employees are tricked into downloading software that they believe will benefit them but which inadvertently steals their data.

“Such attacks are usually well prepared, targeted at a specific organisation or a group of organisations in a specific sector, and made to operate unnoticed,” Opil adds.

The insider threat

Companies are also under siege even from their own employees especially when they can bypass the current systems and engineer their own protocols.

The report says that the increase in insider threats goes hand-in-hand with the wide adoption of cashless systems. The report showed that the insider threat landscape in many Kenyan organisations is becoming more complex with multiple risks that are currently being managed by multiple point technologies.

“The scope of the problem only intensifies as business models continue to evolve with increased mobility, a growing mix of users, and geographically diverse business offices.”

“The risk posed by the high percentage of employees with laptops, mobile phones, PDAs, multiple email accounts, and access to applications and databases makes addressing the insider threat a substantial challenge. Reducing the vulnerabilities posed by internal users needs to be a key priority in Kenyan organisations’ security strategies,” the report said.

The report continues to suggest that the insider attacks which are deliberate are fuelled by disgruntlement, revenge, competitive advantage and blackmail. Most of the users already have access to the systems and so detection becomes difficult.

Some employees are well versed with online systems and they can easily not leave any trail behind.

Securing the future

Kenya and its companies are losing millions of dollars due to these intentional breaches. The issue cannot be stopped simply by legislation from the top management in companies. However, there are solutions that can protect companies from outright espionage.

“We advise companies to ensure they have comprehensive security software in place that is up-to-date. This then also requires organisations to make certain that those employees who operate the internal IT systems are professionals who understand the importance of security and are aware of the realities of cyber threats,” Opil says.

“If the right systems and people are put in place, businesses will find it easier to manage cybercrime and make sure that they don’t fall victim to such attacks.”

Mid level companies and others that are on the growth path, might not have the resources to detect and restrict alien devices. But general education and limiting document sharing through email in the interim, will help to share policy as the company grows.

“To mitigate these risks companies should have good security policies, understood and followed by employees. For example if an employee’s mobile device is stolen, they should act according to the policies, inform the right people within the organisation who can block the device and wipe data on it, or even identify its location,” Opil concludes.


« The state of science in Iran


The Islamic State online: ISIL's many accounts »
Vincent Matinde

Vincent Matinde is an international IT Journalist highlighting African innovations in the technology scene.

  • Mail


Do you think your smartphone is making you a workaholic?