Business & Financial News
Failure to report a notifiable data breach is a violation of the Data Protection Act. It may expose you to administrative fines (Kes. 5 Million or 1% of gross annual turnover) or general penalties (Kes. 3 Million).

Study on ‘actual’ cost of data breaches to Kenyan firms in the offing

CA data shows that cybercrime incidents in Kenya rose by over 50 percent in the fourth quarter of 2021 to 56.2 million, from 35.1 million threats reported in 2020. Savings and credit cooperative societies (SACCOs) lost Sh106 million in the 17 months to March 2021 due to cyber theft. According to IBM, the average cost of a data breach in the financial industry is $5.85 million. As digital transformation engulfs the financial sector, mobile banking and payment apps have become one of the top targets for cybercriminals. Kenyan banks are losing over $121 million every year to fraudsters through identity theft, according to a 2021 digital fraud report by credit reporting agency TransUnion.

By Steve UMIDHA

The Communications Authority (CA) is considering a comprehensive scrutiny of the actual cost of cyber threats to Kenyan firms amid growing concerns of organizations reporting multiple data breaches.

Speaking on the sidelines of the ongoing Cybersecurity Conference, CA’s director general Ezra Chiloba said the authority could soon commence a study in partnership with key stakeholders to determine how much local firms lose when cyber criminals penetrate their systems.

“The amount quoted last week for instance (cybercrime cost), shows how much is lost on the global arena, locally we do not have an exact projection, and this calls for a study which we can only undertake in collaboration with our partners,” offered Chiloba.

He added that “the Authority will continue to enhance network infrastructure and cybersecurity resilience for ICT services in Kenya.”

Last week, Cybersecurity Ventures, a tracker and researcher of the global cyber economy, estimated that global cybercrime costs could grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015, cautioning that attacks are likely to increase in frequency.

Closer to home, since March 2020, companies have continued to report increased instances of hacking, mainly through password compromises, due to the unprecedented changes in the way firms and their employees are currently forced to do business.

Investments in security are at an all-time high, yet successful cyberattacks are still on the rise, both in number and sophistication. While innovations in technology power new strategic initiatives, they also open new doors for cyber criminals.

In its report for the last quarter, for example, CA yesterday revealed that a staggering 69 million cyber threats or cases were detected across Kenyan companies, meaning hacking activities targeting corporations have spiked since the pandemic hit, as digital thieves took advantage of security weakened by new work-from-home policies.

Experts are now concerned that, without increased investments and collaboration, ransomware attacks from cyber criminals could expose more businesses.

“We recognize that cyber security is very complex and requires the whole ecosystem and an end-to-end approach in products and solutions. We are committed to building the capacity of Kenya, Kenyan businesses and Kenyans to manage cyber security,” noted Adam Lane, a representative from technology company, Huawei.

Costs associated with cybercrimes are difficult to quantify. Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Data breaches have cost companies hundreds of millions of dollars in lawsuits globally, with regulators like the Communications Authority (CA) determined to crack the whip on reckless collectors, controllers and processors of people’s data.

“We shall consistently set realistic ICT targets for improving telecommunications infrastructure and access to ICT services countrywide through various regulatory, policy and legal interventions,” offered Chiloba.

Attempts by the government to solve some of those concerns saw Kenyan legislators pass the Computer and Cybercrimes Bill into law, with assent from former President Uhuru Kenyatta.

The Computer Misuse and Cybercrimes (Amendment) Bill, 2021 also seeks to protect unreported cases from financial institutions, which are major targets of cybercrime activities. It is estimated that Kenyan banks lost a staggering Sh18 billion in 2017 to a crime which has also not spared government institutions.

Banking fraud schemes involve social engineering, where criminals attempt to deceive individuals by performing confidence tricks. This also occurs when someone attempts to take funds or other assets from a financial institution or from customers of that institution by posing as a bank official.
