Remain vigilant to protect your data and digital systems

With the advent of digitisation, where most government and private sector services have gone online, people work from home and the wider use of social media, the cyber threat landscape has only grown wider.

This has led to complicated cyber-attacks that target financial systems, key physical infrastructure, government services, individual social media accounts and so on. They range from State-backed trans-national attacks and organised crime groups taking over social media accounts. These include the recently reported attack on Kenya’s e-citizen system, which supports provision of key government services.

Cyber-attacks usually interfere with the normal operations of digital systems, compromising their confidentiality, integrity and availability. They include distributed denial-of-service that involves sending a large amount of traffic to a service or system, causing overloading of its memory and processing resources and rendering it non-responsive. Others are identity theft and scamming, private data loss where sensitive personal information or intellectual property is targeted followed by demand for a ransom or threat to sell and expose them for financial gain.  Such attacks lead to loss of confidence in digital services and also enable cyberbullying.

In Kenya, there are laws and policies such as the Computer Misuse and Cyber Crimes Act 2016, Data Privacy Act 2019, Cyber Security Strategy 2022 and the National ICT policy. Tactically, the government of Kenya has established the National Cyber Security Response Centre, Cyber Crimes Unit and the Forensics Lab within the National Police Service. Regionally, the Protection of Personal Information Act (POPIA) in South Africa, Data Protection Act Uganda and Nigeria provide a framework for managing the cyber risks and privacy rights.

Cyber hygiene

The African Union Convention on Cyber Security and Data Privacy Protection 2000 provides an overarching framework. Internationally, there are many examples to learn from. The UK Cyber Security Strategy 2022-2030 sets very high standards of cyber hygiene while the European Union’s General Data Protection Regulation Act has been globally acclaimed. In the United States, executive orders 13636 & 13757, 13800 were issued by the president on the security of critical national infrastructure.

The following controls are generally advised for individuals and institutions. First, there should be secure networks and application security controls. This involves securing the networks’ architecture and frequently performing security assessment to ensure confidentiality, integrity and availability. Second, proper usage of social media is important. Only share necessary information to avoid fraud or impersonation.

Third, implement password managers that will ensure you don’t recycle passwords. Fourth, training staff and carrying out table-top exercises frequently to test preparedness to respond to cyber incidents. Fifth, secure devices management is key. For all mobile devices issued by enterprises, it is advisable to implement mobile device management solutions and mobile applications management solutions to remotely secure devices and ensure full encryption and remote wiping in case of loss. Sixth, for all services and applications provided on behalf of an enterprise by third-party vendors, ensure that minimum security standards of compliance are met with demonstrable documentation to ensure that no component can be used to piggy-back onto the enterprise systems.

Finally, always back up all sensitive and critical information and systems to ensure business continuity in case of faults or compromises.

Mr Okwero is a cyber security and data privacy consultant.