
Information Security in Kenya – Some Thoughts

Jan 26 2015

A few days ago the Kenyan Defense Force (KDF) Twitter handle was compromised and taken over by hackers. The same happened to the Twitter handle of the KDF spokesman, Major Emmanuel Chirchir.

Those familiar with the two accounts obviously noticed the change in tone in the updates, inconsistent as they were with traditional expectations from the KDF and its spokesman.

By the time of writing this article, it was not clear whether the Kenyan authorities had regained control of the two accounts.

It is not the first time that hackers have embarrassed the government of Kenya. A few years ago, several government websites were hacked.

That said, these are the cases that we know of; cases that make it to the media. What goes unreported may be much more!

In the private sector, a recent news report suggested Kenyan banks had lost in excess of Ksh 600 million in two months. An earlier report in July 2014 estimated annual bank losses, due to poor information protection, to be in excess of Ksh 5 billion. Previous reports put the figure in the range of Ksh 1.5 – 2.5 billion. Some say these are conservative figures, as a lot goes unreported.

Nonetheless, these are staggering losses and someone (usually the customer) gets to pay for them.

Kenya has embraced the use of technology in its affairs. We have seen the phenomenal use of cell phones and, with it, services that ride on the technology infrastructure. M-Pesa, which has revolutionized the mobile money space, is perhaps the most successful of the services riding on that infrastructure.

The country has also seen a rise in the number of incubation hubs for business, suggesting there is no shortage of talent. Indeed, many young people aspire to make that next “killer app” that would revolutionize how we do things and enrich them in the process.

As we embrace technology, however, it is important that we realize that nothing comes without risk. To realize the full potential of any invention, one must weigh the gains against the risks associated with realizing those gains. Managing risks appropriately assures realization of optimal gains.

At the core of technology risks is information security. Without appropriate protection of information and the underlying infrastructure, an entity can pay dearly with respect to its investment.

Unmitigated risks obviously lead to losses, which can be material as in the cases of banks mentioned above. It could also be reputational harm, leading to loss of confidence and trust.

For example, messages from KDF and its spokesperson may lose their full weight if the source cannot be trusted. In financial services, customers may opt for alternative means of transacting if they lose confidence in the banking system.

As we invest and embrace technology, therefore, we need to invest commensurately in associated risk management. In this case, we need to invest in information security.

As an information security practitioner of many years, I have observed the following in my day-to-day interaction with those in the same business in Kenya:

Breaches Are Not Taken as Seriously as Should Be the Case

In general, our people don’t appear to take seriously breaches of the kind illustrated above. They seem to treat such happenings as if they are “small irritants” that do not impact their businesses!

Yet the reputational loss of a government institution whose systems have been compromised can be far-reaching. Indeed, we may not know the extent of the damage caused by the hackers in the case of the Twitter hacks of KDF and its spokesperson. What is clear is that any future updates from those two Twitter accounts will be taken with a pinch of salt till such time as confidence is restored!

The private sector (and banks especially) could simply underwrite these losses by passing them on to the consumer. A small marginal variation in interest rates can recoup losses of the magnitude mentioned! That said, as financial services become more competitive, information protection may offer competitive advantage.

Insufficient Information Security Skills Base to Tackle Challenges

As a country we need to make the conscious decision to invest in the space of technology management, and especially technology risk management, information security being one part of it. From policy to education and certification programmes, the country needs to put in a concerted effort to develop the needed skills in this area in order to tackle or forestall looming problems. Otherwise, material and reputational losses will inevitably be substantially higher than they are today.

With such skills tasked with the challenges we face today, we would design, implement, continually monitor and respond to incidents based on best practices. (Note: there are no guarantees that one won’t be hacked, but one can minimize the damage (reputation, loss/modification of information, etc.) with a timely, appropriate response.)

Lack of Leadership

The country seriously needs leadership in the technology risk space, both in public and private sectors; if there exists any, it is not felt. Such leadership would be evangelistic in nature pushing for appreciation of technology risks and how to deal with them. Such awareness would raise concern and thus assure allocation of commensurate resources (people, financing, technology, etc.) to confront the problem.

My experience in North America tells me that (in Kenya and Africa, in general) this area is very much underfunded and whatever little funding comes through would be spent on easy-to-acquire things like CCTV … some installed without requisite processes, skills, etc. and not assuring maximum return on investment.

Security by Obscurity

Many technology managers (and many others in management) treat information security with obscurity. They keep things obscure and profess security. I once was in a discussion with a senior official in government and heard things such as: “We cannot disclose what measures we have taken to protect government information because the same can be used by you people to target us!” He failed to appreciate that you can still be hacked through the use of known reconnaissance approaches.

If we are serious (especially in government) about addressing this matter, let’s get some of our top talent, give them security clearance and challenge them to build robust systems that assure security.

A friend recently told the story of a manager (a protégé of top management) who kept his job, protected by his benefactors, but who many knew wasn’t performing. This manager would continually avoid bringing in talent that might help him build robust systems, fearing that such talent might also expose his failings! Only when the organization was hit and top management was embarrassed with loss (material, reputational) did they hire an external consultant, whose report exposed the fraud that the manager had perpetrated for many years! … Long story short, he was given a soft landing and slowly eased out of the organization.

Lesson to managers and decision-makers: get the right talent, skills and experience for the job if indeed you are committed to delivering on your mandate. The matter of awarding jobs and/or contracts based on connections rather than merit does come back to bite over time; it can be costly to you and your organization.

Poor/Weak Compliance Regime

The country has an extremely weak compliance regime. Two examples.

In government, the Auditor General’s main focus is on financial audit, as in the recently reported case of Kshs 327 billion unaccounted for. In its most mature stage, an audit would comprehensively assess what would hamper the attainment of the set objectives of (say) government departments and other state entities. … The office of the Auditor General hardly has the capacity to deliver such a comprehensive audit, especially as it relates to technology (its specification, acquisition, deployment, management and disposal) and to assessing the associated risks.

In the private sector, take the example of banks. The regulator (the Central Bank of Kenya) routinely seeks compliance as a condition for being licensed and has a fairly standard compliance regime for the purpose. The fact is that the depth of compliance assessment and verification with respect to technology is largely wanting! It is often the case that financial institutions file required documents whose content is hardly tested to verify compliance. … The country has plenty of work to do in this space.

Conclusion

Let’s remember that the embrace and use of technology presents risks. Key among these are information security risks, which need to be understood and mitigated in order to minimize damage. As a nation, we need to invest in the knowledge, expertise and experience in this area. Only then can we avoid inevitable losses, be they material or reputational. Who knows whether proper management of this space can lead to a drop (however marginal) in the interest rate?

Dr Matunda Nyanchama is a Director and Managing Consultant at Agano Consulting Inc., an ICT services firm with offices in Canada and Kenya.


38 comments

  • Jere, Friday, 19 February 2016 08:42

    Great post. I was checking continuously this blog and I'm impressed! Very useful information specifically the last part :) I care for such info a lot. I was looking for this certain info for a very long time. Thank you and best of luck.

  • Fallon, Friday, 12 February 2016 03:33

    Hi there, would you mind letting me know which web host you're working with? I've loaded your blog in 3 completely different browsers and I must say this blog loads a lot faster than most. Can you suggest a good internet hosting provider at a fair price? Cheers, I appreciate it!


  • Christine, Monday, 04 January 2016 08:33

    Very true, Dr. Matunda. Both the Government and private sector have not accorded system security the seriousness it deserves; a 2015 Kenya Cyber Security survey done by Serianu on 275 organizations (175 technical respondents and 100 non-technical respondents) showed that up to 57% rely on an in-house System Administrator to handle security functions while 13% don't know who handles security functions in the organization. Also, many employers have not embraced the fact that an auditor with an ICT background is better positioned as a systems auditor as compared to the 'renowned' auditors with Finance/Accounting qualifications. I've always wondered why employers seeking systems auditors keep describing the mandatory qualifications for the desired candidate as one with a Bachelor's degree in Accounting or Finance; must be a CPAK or CISA; experience auditing systems highly desirable; working experience with an ERP an added advantage… I agree that it's high time Kenya embraces and invests in information security expertise.

