Thursday, October 29, 2015

Cyber criminals now preying on ignorant home Internet users, new study shows

A new report shows many Internet users have not reset their default device settings, exposing themselves to the risk of cyber attacks. PHOTO | FILE
By OKUTTAH MARK
In Summary
Other findings
  • Seventy (70) per cent of Kenyan businesses vulnerable to attacks
  • Homes or businesses with low-cost routers, Closed Circuit Television Cameras most vulnerable.
  • Annual cost of cybercrime in Kenya approximately Sh15 billion.
  • The worst hit is the public sector with yearly Sh5 billion losses.
  • The United States is the biggest source of attacks followed by China, Russia and Venezuela.

Home Internet users are the new target of cyber criminals, a study by Serianu, a cyber security firm, in partnership with PKF Consulting and USIU Africa, has revealed.
The study, titled The State of Cybersecurity in Kenya and released yesterday, shows that most home Internet users have not secured their networks with personal passwords, instead relying on factory default settings which, the report noted, are easy to hack.
A technical team conducting the study was able to gain access to at least 5,000 Internet routers and CCTV cameras, the study reveals, highlighting the potential risks home Internet users face, especially those doing online banking.
Serianu managing director William Makatiani said that most of the hacked devices were those that remained configured with their factory default settings.
“Most of these devices have their administrative interfaces viewable from anywhere on the Internet since their owners have failed to change the manufacturers’ default settings,” Mr Makatiani said.
“Leaving factory default settings and administrator passwords is something that is overlooked due to poor information security training and awareness among employees and the common mwananchi.”
The Kenya Cyber Security Report 2015 further reveals that the vast majority of private companies and public organisations remain exposed to cybercrime and internal IT fraud and that three quarters of the Internet Protocol (IP) addresses scanned during the study were found to be vulnerable to remote attacks.
“Our study revealed that 70 per cent of Kenyan businesses are vulnerable to cybercrime yet most of them remain ignorant of these vulnerabilities. Nearly all Internet devices in the Kenyan cyber space are vulnerable to attacks, exposing more companies and individuals to the risk of malicious insiders and cyber criminals,” said Makatiani.
He added that during the study, Serianu discovered that, on average, most medium-sized organisations with over 70 employees in Kenya have at least two vulnerable computer servers and up to 15 infected computers that were already hacked into by cyber criminals.
The most vulnerable businesses and home owners are those that have installed low-cost home routers, Closed Circuit Television (CCTV) systems and public email servers on their networks.
The study puts the annual cost of cybercrime to Kenyan companies at Sh15 billion ($146 million).
A breakdown of the figures shows that the public sector is the worst hit, losing approximately Sh5 billion per year, followed by the financial services sector at Sh4 billion and the manufacturing and industrial sectors at Sh3 billion in third place. The telecommunications, media and technology and other sectors are estimated to lose between Sh1 billion and Sh2 billion respectively.
To counter this situation, Mr Makatiani said there is a need for home and small office Internet users to consult cyber security experts to ensure that they are not exposed.
Similarly, companies need to raise their degree of vigilance with IT teams required to invest more time and resources in auditing their entire systems and establishing modalities to reduce breaching incidents.
Security considerations

Paula Musuva Kigen, an associate director of cybersecurity at USIU-A’s Centre for Informatics Research and Innovation (CIRI), highlighted the need to have localised cyber intelligence research to have organisations appreciate and respond appropriately to the threat in the region.
She added that the report highlights technology trends in areas such as cloud computing, the Internet of things and near field communications, and points out the cyber security considerations organisations need to make.
“Hackers have an easy time getting in because they have databases of default settings for these access points, networking devices and servers,” said Ms Kigen.
The firm reviewed publicly and privately available data from individual industries, complemented by interviews with business leaders and IT security practitioners. But it was much harder to establish the extent of financial losses by the public sector.
“Unlike many governments, Kenya has not established any mechanisms to track and calculate the losses made by public sector organisations to cybercrime,” he said.
“This makes them even more susceptible to crimes such as website defacements and ransom demands from criminals before restoration.”
The report warns that security breaches have become more sophisticated, with many involving attacks from staff.
As a result of these emerging complications, the system downtimes caused by cybercrime attacks are getting longer, with the average number of days to detect an attack in many organisations totalling 120 days, more than double the days it took one year ago. The more complex ones easily take an additional 45 days to resolve.
Revealing the top four sources of these attacks, the report lists the US with the highest number at 20 per cent followed by China, Russia and Venezuela at 19, 11 and 10 per cent respectively.
mokutah@ke.nationmedia.com
