More than half of saccos are yet to implement data recovery plans though the sector has suffered major cyberattack attempts during the Covid-19 pandemic period, a new survey shows.
The survey has exposed huge vulnerabilities in the sacco IT systems that have more than a trillion shillings in assets and members’ savings.
Some 111 saccos were surveyed, including 40 in the Coast region, 30 in Nairobi, 10 each in the Rift Valley, Central and Eastern, five in Western and Nyanza and one in North Eastern.
In October last year, saccos were reported to be losing the equivalent of Sh6.23 million per month or Sh208,000 daily through software vendors engaged by saccos.
Though there has been a consistent increase in cybersecurity budgets over the past three years, partly attributed to increasing attacks, sacco boards were yet to make the issue a top priority.
Some saccos opt to outsource the work of protecting their systems to poorly vetted consulting firms, thus compromising their clients’ savings and personal information.
The latest Serianu sacco cybersecurity report (2020) shows that even after hiring such firms to offer IT services, a majority of the saccos do not regularly audit their vendors, and some of those that do are often pushed to act only when a problem occurs.
“(Some) 42 percent of the saccos have no monitoring and alerting activities in place and 16 percent only track their vendor’s activities on their networks when a problem occurs,” the report notes.
Government efforts to curb the spread of Covid-19 favour online transactions. The financial sector is undergoing a digital transformation, with banks like Equity reporting that 98 percent of its transactions are now outside its branches while over 90 percent of KCB transactions are digital.
Some 38 million Kenyans also rely on M-Pesa for their daily transactions, pushing saccos to keep up with the digital finance revolution.
“(A) majority are doing so by developing a website for communication purposes and to offer basic transactions through an app connected to M-Pesa and to a partner bank for ATM transactions,” noted Dr David Cracknell, the director of First Principles Consulting.
He observes that except for some of the largest saccos that have invested heavily in new systems, such as the Kenya Police, Harambee and Unaitas, it is still difficult for most saccos to meet the digital transformation challenge head-on.
For example, he says, “Only a few saccos have started to offer easy access to small loans through mobile phones.”
There are over 22,000 registered cooperative societies in Kenya. Of these, 13,000 are saccos (Savings and Credit Cooperative Societies) whose critical role in facilitating investment cannot be underestimated.
Some 175 of these are deposit-taking saccos regulated by the Sacco Societies Regulatory Authority (SASRA).
Martin Mwangi, a lead cybersecurity consultant at Serianu, notes in the report that the lack of adequate cybersecurity controls has made it possible for cybercriminals to continue compromising enterprise networks and systems.
“Successful cybersecurity programmes are those that are modelled around the understanding of an organisation’s risks, vulnerabilities and threats,” he notes.
The survey advises every sacco to be keen on whether there are rogue devices and software in their networks with malicious intent, and invest in antivirus software, firewalls and email security gateways to enable timely detection and prevention of malware attacks.
Other attacks may come in the form of unauthorised user account modifications, social engineering attacks and unauthorised database modification.
Cynthia Wandia, the CEO and co-founder of Kwara, urges local saccos to take advantage of the digital revolution and move from being manual organisations to fully automated entities like banks and insurance service providers.
Technology providers, she says, have tried and failed to copy and apply solutions made for the traditional banking model to the sacco market.
“Saccos and other cooperatives stand to benefit the most from the adoption of cloud computing technology that only provides a more cost-effective solution for digitisation, but also more secure platforms for managing data and transacting,” she says.
By December 2020, some 175 deposit-taking saccos held assets worth Sh627.68 billion and deposits amounting to Sh431.46 billion. They had disbursed Sh474.77 billion in loans.
But that number of saccos excludes hundreds of non-deposit-taking saccos that had not been brought under the regulatory oversight of SASRA by the end of that year.
The 175 regulated saccos have 4.097 million active members and 1.372 million dormant members.
Deposit-taking saccos allow members to deposit and save their money, which they can withdraw at any time, just as with banks.
A majority of these saccos are for farmers (42 per cent), teachers (23 per cent), communities (18 per cent), government (18 per cent) and the private sector (5 per cent).