Money & Banking
It is estimated that cyber crime cost Kenyan
businesses about Ksh 18 billion in 2016, according to
global financial consulting firm Deloitte. In its African
Cyber Security Report 2016, Deloitte observes that the
banking industry is the leading risk sector, noting that
Kenya recorded the highest loss in East Africa, losing $171
Mn (KSh17.74Bn) to cyber criminals; Tanzania lost $85Mn
(KSh8.81Bn) while Uganda lost $35 Bn (KSh3.62Bn).
The threat landscape is evolving quickly, and
hackers are making it more complicated
for banks and businesses in general to keep up with these
challenges. The industry has also not kept up with this
changing landscape, focusing on traditional perimeter
defenses, which predisposes it to attacks.
Small and medium enterprises are more prone to these
attacks, since they are not able to allocate budgets
dedicated to protecting themselves against cyber security
attacks, unlike the larger enterprises with in-depth
security systems in place.
Recent cyber security cases in Kenya
In February 2017, the Banking Fraud Investigations
Unit (BFIU) revealed photos of the most wanted
fraudsters, one of them being a police officer attached
to the Cyber Crime Unit and believed to be highly intelligent
with good knowledge of systems hacking.
In March 2017, the Kenya Revenue Authority (KRA),
several blue-chip banks, a parastatal and a supermarket
chain were some of the institutions penetrated by an
international cybercrime syndicate that took off with
hundreds of millions of shillings before they were all
seized in the same month.
Characteristic attacks and practical solutions
There are three main attacks that hackers use
frequently. The first is the impersonation attack,
where the hackers get into the system by pretending to
be, for example, the CEO through emails. The second is
malicious URLs that link one to malicious websites.
The third is sending a piece of malware, which
may be disguised as a document and, when opened, may
affect the entire system.
Companies and banks need to carry out basic
security hygiene, keeping their systems
patched at the right level.
SMEs that may not have the skills and employees to
monitor their systems may go for a cloud-based cyber
security system, where the costs are low and the
human skill needed to implement the security policies is removed.
“There is something referred to as the human firewall.
90 per cent of all attacks that have happened
worldwide could have been prevented if people had
followed the security policies of the organization. When
someone sends you an email, one should be a little bit
suspicious and cautious before opening the email,” says
Brian Pinnock, Security Expert at Mimecast.
“Employee collusion, being one of the most frequently
used means for these attacks, is impossible to eradicate,
but banks should have a framework of control systems
to pick up signs of collusion. There should be continuous
monitoring of employees’ activities and anomalies,” says
Samresh Rhamjith, Leader, Cyber security at EY Africa.
Last year, investigations by the Banking Fraud
Investigations Unit (BFIU) showed that the fraudsters conspire
with employees of the targeted institutions, who provide
them with access to the networks remotely using Remote
Access Tools (RATs) and manipulate records in the
computer system. The hackers use other tools such as key
loggers, Remote Access Tools (RATs) such as GoToMyPc,
Blackshades, Progdata and malware which they install
on a PC on the institution’s network.
Kenya was ranked third in Africa, after Mauritius
and Rwanda, for having a commendable cyber security
research and development program by The Global
Cyber Security Index (CGI) 2017 report released on 15th
June 2017 at the World Summit on the Information
Society Forum 2017 in Geneva and the International
Telecommunications Union (ITU). The reality on the ground
is that the country is still struggling to curb cyber security
issues and is desperately trying to lay down and implement a
legislative framework.
There is hope that the CBK’s new cyber security
guidelines will improve the current situation while
adapting to the ever-changing cyber threat landscape.
NOVEMBER 2017 • THINK BUSINESS | 17