The World Council of Credit Unions’ (WOCCU) through a USAID Cooperative Development Program (CDP) – Technology and Innovation for Financial Inclusion (TIFI) project, partnered with the Kenya Union of Savings and Credit Cooperatives (KUSCCO) and IRNet Coop Kenya (ICK) Limited to conduct a small survey of the cyber security readiness of SACCOs in Kenya
The cooperative movement in Kenya has become a major target for cyber-attacks by sophisticated criminals targeting the Sacco movement’s colossal financial resources. Sadly, the majority of the Sacco’s have made minimal or no investments in cyber security to protect the resources at their disposal.
The Kenya Union for Savings and Credit Cooperatives (KUSCCO) said the appetite for digital financial services cannot be gainsaid because it involves billions of shillings that criminals target every day. According to the 2019 Kenya Bankers Association’s (KBA) Customer Satisfaction Survey, customers’ preference for mobile, internet and ATM banking in 2019 stood at 57%, 34%, and 31% up from 49%, 16%, and 15% respectively, a significant increase from a year before.
Even the casual observer will tell you that digitalization is a fundamental piece of the business continuity equation. But it is being grossly abused by relentless cyber criminals who are intent on looting cash from the institutions
The survey documents that while financial institutions were already pressed to provide digital financial services to customers, the eruption of the deadly COVID-19 pandemic has proved to be the ultimate catalyst driving financial institutions to embrace technology like never before.
It states in part: “Even the casual observer will tell you that digitalization is a fundamental piece in the business continuity equation. But it is being grossly abused by relentless cyber criminals who are intent on looting cash from the institutions.” The report says that the upward trajectory in the use of digital services inevitably carries with it cyber risks.
According to the Africa Cyber Security report by Serianu Ltd, cybercrime was estimated to cost the Kenya economy USD 210 million in 2017. A 2018 survey by the same firm reported that 97% of SACCOs in Kenya spend less than USD 10,000 a year on cyber security. While this may seem alarming, it is reflective of broader under-investment in cyber security in Kenya, as Serianu found that only 7% of Kenyan companies across the 12 sectors it surveyed in 2017 spent more than USD 10,000 a year on cyber security.
To understand the level of preparedness of SACCOs in Kenya to shield themselves and their members from cyber-attacks, The World Council of Credit Unions’ (WOCCU) through a USAID Cooperative Development Program (CDP) – Technology and Innovation for Financial Inclusion (TIFI) project, partnered with the Kenya Union of Savings and Credit Cooperatives (KUSCCO) and IRNet Coop Kenya (ICK) Limited to conduct a small survey of the cyber security readiness of SACCOs in Kenya.
The survey, which was conducted between April and May 2020 with 18 SACCOs involved, found that 5 out of these SACCOs had suffered cyber-attacks in the past, with 4 out of these 5 having no system for transaction monitoring.
The report states that: “the SACCOs were however reluctant to divulge details about the nature and level of losses incurred during the attacks. There were 8 cases where SACCOs did not have a digital transformation strategy, 5 cases where there was no cyber security policy and 9 cases where there was no cyber security budget.”
The SACCOs indicated that the high cost of acquiring and maintaining ICT hardware and software, and the dynamic nature of cyber-attacks were the major cyber security concerns. They added that they are unable to keep up with these changes, and the situation is made worse by limited human resource capacity to handle the multi-billion shilling threats as they emerge
It says that the absence of critical policy documents leads to the ineffectual implementation of digital technologies, which in turn begets operational and technical inefficiencies and associated financial costs that are difficult to manage down the road. “Think of it as going shopping without a shopping list only to buy things that do not meet your needs and are costly to maintain,” says the report.
The SACCOs indicated that the high cost of acquiring and maintaining ICT hardware and software, and the dynamic nature of cyber-attacks were the major cyber security concerns that they have. They added that they are unable to keep up with these changes, and the situation is made worse by limited human resource capacity to handle the multi-billion shilling threats as they emerge. “Further, many members lack enough information or knowledge on the cyber security landscape and best practices that they should use to protect themselves,” according to the SACCOs.
The KUSCCO report documents that they (Saccos) are oblivious to the sophisticated cyber-attacks that face them while others do not take simple measures to protect sensitive information which leaves them open to attacks. Some members, due to illiteracy or trust, openly share their identification numbers with family members or close associates. Members are also susceptible to social engineering and phishing attacks.
From the survey, it was observed that the cyber security gaps could be symptoms of a larger problem. As an IT manager at one of the SACCOs pointed out, “SACCOs are not innovative! The benchmarking culture has changed to the copy-paste culture”. He laments the failures of the learning and collaboration efforts among SACCOs “that have brought with them many avoidable problems”. He recommends the customization of solutions to fit unique situations. It says KUSCCO’s Education and Training Department has already taken a step in the right direction by providing training to SACCOs on building their cyber-resilience. During one such training, trainers recommended that SACCOs not focus on the budget so much, rather, emphasis should shift to understanding the SACCO needs and the personnel capacity as well, adding that “cybercrime is a social issue, not a technology issue”.
Personnel training and good policies could address some of the challenges SACCOs face. Additionally, WOCCU provided an analysis of three core banking systems and laid out a benchmark for systems selection based on the suitability to SACCO needs, but is also efficient, secure, fast and cost-effective.
According to IRNet, essential steps towards managing cyber-attack incidents include familiarization with the laws governing data collection and privacy, identification of essential data assets, mapping out virtual or physical threat points, reviewing terms and conditions of contracts with vendors, creating a cyber-security incident response team and identifying their tasks and responsibilities, enabling automated activity logging and monitoring, and planning primary and secondary communication channels.
There’s no story that cannot be told. We cover the stories that others don’t want to be told, we bring you all the news you need. If you have tips, exposes or any story you need to be told bluntly and all queries write to us [email protected] also find us on twitter.