
The 7 Most Common Cybersecurity Mistakes Kenyan Companies Make (And How to Fix Them)

From unpatched servers to weak VPN policies — these are the vulnerabilities putting Nairobi's businesses at risk right now.

Lennox Kabo

Cybersecurity in Kenya: The Risk Is Real

Kenya's Communications Authority reported thousands of cyber threat incidents in the last year, targeting financial institutions, government systems, and private companies. Ransomware, phishing, and data breaches are not hypothetical risks — they are happening to Kenyan businesses right now, including small and medium enterprises.

The most frustrating part: most breaches are preventable. They happen not because of sophisticated attacks, but because of basic security hygiene gaps that are simple to fix when you know what to look for.

Here are the seven most common mistakes we see when we review Kenyan company infrastructure.

Mistake 1: Default Credentials Left Unchanged

Routers, network switches, IP cameras, NAS devices, and admin panels are often deployed with the factory default username and password (admin/admin, admin/password, etc.). Attackers scan for these automatically. A network device with default credentials is practically an open door.

Fix: Audit every network device and system. Change all default credentials immediately. Use a password manager to generate and store strong, unique credentials.

Mistake 2: No MFA on Business Email and Cloud Accounts

Business email compromise (BEC) is one of the most financially damaging cybercrimes in Africa. An attacker gains access to a company email account and intercepts payment instructions, redirecting bank transfers to their own account. The entry point is almost always a password — often obtained through phishing or credential stuffing.

Multi-Factor Authentication (MFA) stops this attack dead. Even if an attacker has your password, they can't log in without the second factor. Enable MFA on all Google Workspace, Microsoft 365, and cloud accounts immediately. No exceptions.

Mistake 3: Unpatched Servers and Software

Many Kenyan businesses are running web servers, WordPress installations, and software packages that haven't been updated in months or years. Every unpatched vulnerability is a potential entry point. The WannaCry ransomware attack that devastated organisations worldwide in 2017 exploited a Windows vulnerability for which a patch had been available for months.

Fix: Establish a patching schedule. Enable automatic updates where safe. Use a vulnerability scanner (Nessus Essentials is free) to find unpatched systems.

Mistake 4: No Proper Backup Strategy

Ransomware encrypts your data and demands payment for the decryption key. If you have a recent, offline backup, you restore and recover. If you don't, you either pay or lose everything. Many Kenyan businesses have backups — on the same server, or on a network drive that's always connected. Ransomware encrypts those too.

Fix: Follow the 3-2-1 rule. Three copies of data, on two different media types, with one copy offsite (cloud or physical). Test your restore process regularly.
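An added example (not from the original article) that checks a backup inventory against the 3-2-1 rule and against the failure described above, where every copy sits on the production server or an always-connected drive. The `Copy` fields, host names and both inventories are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    name: str
    host: str               # machine or service that stores this copy
    media: str              # "disk", "nas", "tape", "cloud", ...
    offsite: bool           # stored away from the main premises
    always_connected: bool  # writable from the production network at all times

def check_321(copies, production_host):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    # Two copies on one host fail together, so count distinct hosts.
    hosts = {c.host for c in copies}
    if len(hosts) < 3:
        findings.append(f"{len(hosts)} independent copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"{len(media)} media type(s), need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    # Ransomware case: a copy only helps if production cannot overwrite it.
    isolated = [c for c in copies
                if c.host != production_host and not c.always_connected]
    if not isolated:
        findings.append("no copy is isolated from production")
    return findings

# Constructed inventory: backups on the same server and a mapped network drive.
WEAK = [
    Copy("live data", "srv01", "disk", False, True),
    Copy("nightly dump", "srv01", "disk", False, True),
    Copy("mapped share", "nas01", "nas", False, True),
]
# Same plan plus an offsite snapshot that production cannot write to.
FIXED = WEAK + [Copy("weekly snapshot", "cloud-bucket", "cloud", True, False)]

if __name__ == "__main__":
    for label, plan in (("weak", WEAK), ("fixed", FIXED)):
        print(label, check_321(plan, "srv01") or "passes 3-2-1")
```

A passing inventory says nothing about whether the copies restore, so the restore test in the fix above still applies.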

Mistake 5: Overly Permissive User Access

Employees should only have access to the systems and data they need for their job. When everyone has admin access, a single compromised account can give an attacker full control. This is especially common in small companies where 'it's easier to just give everyone admin.'

Fix: Implement the principle of least privilege. Audit user permissions quarterly. Remove access immediately when employees leave.
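An added example (not from the original article) of the quarterly audit: it reads an account export and flags admin rights the role does not need, accounts of people who have left, and, for Mistake 2, active accounts without MFA. The CSV columns, user names and the `ADMIN_ROLES` set are assumptions made for this sketch, not any product's real export format.

```python
import csv
import io

# Constructed directory export; column names are assumptions for this example.
ACCOUNTS_CSV = """\
user,role,is_admin,mfa_enabled,employment_status
wanjiru,it_admin,yes,yes,active
otieno,accountant,yes,no,active
kamau,sales,no,yes,left
achieng,sales,no,no,active
"""

# Roles that genuinely need admin rights (assumption; set this per company).
ADMIN_ROLES = {"it_admin"}

def audit_accounts(csv_text):
    """Return {user: [findings]} for every account that breaks a rule."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        if row["employment_status"] != "active":
            # A leaver's account is a finding whatever its other settings are.
            findings.append("leaver account still exists: remove access")
        else:
            if row["is_admin"] == "yes" and row["role"] not in ADMIN_ROLES:
                findings.append("admin rights not required by role")
            if row["mfa_enabled"] != "yes":
                findings.append("MFA not enabled")
        if findings:
            report[row["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit_accounts(ACCOUNTS_CSV).items():
        print(f"{user}: {'; '.join(findings)}")
```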

Mistake 6: No Security Awareness Training

The most sophisticated firewall in the world can't stop an employee from clicking a phishing link. Human error is the entry point for most cyber attacks. In Kenya, phishing emails impersonating KRA, Safaricom, MPESA, and company executives are common.

Fix: Run regular phishing simulations and security awareness training. It doesn't need to be expensive — even a monthly email with a real-world example of a current phishing campaign raises awareness significantly.

Mistake 7: No Incident Response Plan

When a breach happens — and at scale, it eventually will — the difference between a manageable incident and a catastrophic one is how fast and how correctly you respond. Most Kenyan businesses have no documented incident response plan. When something goes wrong, panic sets in and critical response time is wasted.

Fix: Document a simple incident response plan. Who gets called first? Who has authority to take systems offline? Where are the backups? Who informs customers? This doesn't need to be long — a single page is enough to prevent chaos.

Cybersecurity is not a one-time project. It's an ongoing practice. The goal is to make your business a harder target than your neighbour.

→ Need a security review? Talk to us at enchanted-tech.com
