Financial institutions top the list of sectors most often compromised in cyber-security incidents. This was mentioned by the ICT Authority CEO Robert Mugo at the ongoing Africa Security Summit hosted by CIO East Africa in Nairobi. Robert attributed the high risk to the high financial gain that compromising banking and, in general, financial institutions presents.
Some time back, ATM card skimming had become a major threat in Kenya and people lost quite a chunk of money. The other threats to financial institutions and their clients include online theft of credit card details as well as point-of-sale vulnerabilities. Mobile money is not spared either, as we’ve had cases of mobile money accounts being drained of funds while the owners held onto their phones.
The second most compromised entity is the government, and according to Robert the motivation for hacking governments would be either political or financial. A political attack would aim to show that the government was not doing as much as it should, while a financial one has the same motive as attacks on the private sector: financial gain. With government it’s a bit more complicated, since vendors may sometimes have ended contractual agreements, leaving a security hole that can be exploited.
Mr. Mugo noted that, according to the 2016 Africa cyber-security report, losses relating to cyber-crime in Africa were in the region of USD 2 billion. Kenya had losses amounting to USD 175 million, Tanzania USD 85 million and Uganda USD 35 million. This is quite significant, and those are only the reported cases; the numbers are definitely much higher if you take the unreported cases into consideration. Most institutions do not report cyber-security attacks.
“So it’s very important that people like CIO organize events such as Africa Security Summit to share what we call best practices, how to prevent these attacks from happening, how to detect when attacks happen and how to respond. What we advocate is a three-way approach: prevent, detect and respond. In the event that prevention is not successful, to be able to detect and respond appropriately to these attacks. In the case of the recent WannaCry attacks, it’s basic practices that were avoided by people being affected by the malware,” commented Mugo.
“90 percent of security breaches can be prevented by basic practices that anybody can do, not necessarily requiring cybersecurity expert skillset. 10 percent are breaches by professional criminals that require cybersecurity experts.”
Robert disputed the notion that Kenya was a hotbed of cyber-crime at a fireside chat with CIO East Africa Chairman Harry Hare. “Kenya is not exactly a hotbed of cyber-crime, it’s just that we adopted technology more,” said ICT Authority CEO Robert Mugo. He added that the Kenyan government is looking to spend USD 50 million in the next three years on computer security.
This will start with training at different levels. The first is the presidential digital talent program, where the government is providing training, including cyber-security training, to the top 400 ICT graduates and will then give them assignments to implement what they have been trained on. The other level is training ICT professionals within government.
The target for each and every institution in government (ministries and state corporations) is to train at least ten people every year in information security, something that’s in their performance contracts. At the moment the performance contract component for state corporations and ministries is tied to training, but in future the targets will become more complex.