0111027203, 0111027200    info@kuscco.com     | Careers  | Office Mail | Swift Hr

Cybersecurity readiness of SACCOs in Kenya


By Brian Apanja and Mark Matabi


See the source image


The spanner in the works!


The appetite for digital financial services cannot be gainsaid. According to the 2019 Kenya Bankers Association’s (KBA) Customer Satisfaction Survey, customers’ preference for mobile, internet and ATM banking in 2019 stood at 57%, 34%, and 31% up from 49%, 16%, 15% respectively in 2018—a significant increase from one year to the next. While financial institutions were already pressed to provide digital financial services to customers, the current COVID-19 pandemic has proved to be the ultimate catalyst driving financial institutions to embrace technology like never before. Even the casual observer will tell you that digital is a fundamental piece in the business continuity equation.


The upward trajectory in use of digital services inevitably carries with it cyber risks. According to the Africa Cybersecurity Report by Serianu Ltd, cybercrime was estimated to cost the Kenya economy USD 210 million in 2017. A 2018 survey by the same firm reported that 97% of SACCOs in Kenya spend less than USD 10,000 a year on cybersecurity. While this may seem alarming, it is reflective of broader under-investment in cybersecurity in Kenya, as Serianu found that only 7% of Kenyan companies across the 12 sectors it surveyed in 2017 spent more than USD 10,000 a year on cybersecurity.


Are we there yet?


To understand the level of preparedness of SACCOs in Kenya to shield themselves and their members from cyber-attacks, The World Council of Credit Unions’ (WOCCU) through a USAID Cooperative Development Program (CDP) - Technology and Innovation for Financial Inclusion (TIFI) project, partnered with the Kenya Union of Savings and Credit Cooperatives (KUSCCO) and IRNet Coop Kenya (ICK) Limited to conduct a small survey of the cybersecurity readiness of SACCOs in Kenya.


The survey, which was conducted between April and May 2020 with 18 SACCOs, found that 5 out of these SACCOs had suffered a cyber-attack in the past, with 4 out of these 5 having no system for transaction monitoring. The SACCOs were however reluctant to divulge details about the nature and level of losses incurred during the attacks. There were 8 cases where SACCOs did not have a digital transformation strategy, 5 cases where there was no cybersecurity policy and 9 cases where there was no cybersecurity budget. The absence of critical policy documents leads to ineffectual implementation of digital technologies, which in turn begets operational and technical inefficiencies and associated financial costs that are difficult to manage down the road. Think of it as going shopping without a shopping list only to buy things that do not meet your needs and are costly to maintain.


The SACCOs indicated that the high cost of acquiring and maintaining ICT hardware and software, and the dynamic nature of cyberattacks were the major cybersecurity concerns that they have. They added that they are unable to keep up with these changes, and the situation is made worse by limited human resource capacity to handle threats as they emerge. Further, many members lack enough information or knowledge on the cybersecurity landscape and best practices that they should use to protect themselves, according to the SACCOs. They are oblivious to the sophisticated cyberattacks that face them while others do not take simple measures to protect sensitive information which leaves them open to attacks. Some members, due to illiteracy or trust, openly share their personal identification numbers with family members or close associates. Members are also susceptible to social engineering and phishing attacks.


From the survey, it was observed that the cybersecurity gaps could be symptoms of a larger problem. As an IT manager at one of the SACCOs pointed out, “SACCOs are not innovative! The benchmarking culture has changed to the copy-paste culture”. He laments the failures of the learning and collaboration efforts among SACCOs “that have brought with them many avoidable problems”. He recommends customization of solutions to fit unique situations.


Which way forward?


KUSCCO’s Education and Training Department has already taken a step in the right direction by providing training to SACCOs on building their cyber-resilience. During one such training, trainers recommended that SACCOs do not focus on the budget so much, rather, emphasis should shift to understanding the SACCO needs and the personnel capacity as well, adding that “cybercrime is a society issue not a technology issue”. Personnel training and good policies could address some of the challenges SACCOs face. Additionally, WOCCU provided an analysis of three core banking systems and laid out a benchmark for systems selection based on the suitability to SACCO needs, but is also efficient, secure, fast and cost effective.


According to IRNet, essential steps towards managing cyber-attack incidences include familiarization with the laws governing data collection and privacy, identification of essential data assets, mapping out virtual or physical threat points, reviewing terms and conditions of contracts with vendors, creating a cybersecurity incident response team and identifying their tasks and responsibilities, enabling automated activity logging and monitoring, and planning primary and secondary communication channels.


© 2023 Kenya Union of Savings & Credit Co-operatives Ltd. All Rights Reserved.