The role of Kenyan Legal Professionals in Cybersecurity 0 1343

  • Over 26.7 million Kenyans are currently online and engaging in digital transactions daily.
  • According to UN Research, at least one out of ten mobile money transactions in the World occur in Kenya.
  • These statistics make Kenya a prime target for cybercriminals who, according to the National Cybersecurity Strategy, published by the Ministry of ICT, have continued to evolve in terms of the complexity and severity of their attacks.
  • Unfortunately, Kenya shows a staggering lack of awareness and investment in cybersecurity solutions wit around 96% of all organisations investing less than $5000 in cybersecurity.
Kenya cybercriminal activity

According to the words of the Honorable Warren E. Burger, lawyers and judges remain necessary to society, so long as it is a place where men and women are gathered, as they must fulfil the noble role of healing conflict and providing reason as a lubricant to the rigours of the socio-economic engine which ought to drive the development of any civilisation.

Moreover, it is the role of the legal minds of society to act as sentinels, standing guard against man’s threat unto himself, his own inclination towards self-enrichment at the detriment of the common good in its entirety.

As such, society gives the highest of legal minds the power to influence, pass or ratify policies, to ensure their safety and continuity against the overwhelming urges of vices, human wickedness and in certain cases, natural catastrophes.

The legal minds of Kenya can thus be termed as, not only stewards of conflict resolution,but also as sentinels, who wield the power of policy-making to safeguard the development and evolution of the socio-economic organs of the nation-state whose well-being remains pivotal to Her survival.

Kenya is facing an exponential increase in cybercriminal activity

The digital wave has hit Kenya, and its effect upon our economy has been immensely positive. With the development of innovative products such as Safaricom’s M-Pesa money transfer service, as well as iCow, a farming digital product that has optimized dairy farmers’ productivity, the consumer market has developed an appetite for sound, data-centric solutions in order to enhance the various socio-economic activities present within Kenya.

The effect of digitisation in our economy has been significant. Since the advent of M-PESA, more than 73.1% of Kenyans are now formally banked.

In addition, according to the Quarterly Statistics Report for the Financial Year of 2016 (April-June 2016), mobile data/ internet subscriptions stood at 26.7 million during the quarter marking an increase of 8.3 per cent from 24.7 million subscriptions posted in the preceding quarter. The number has grown remarkably by 35.0 per cent from the same period of the previous year.

This essentially means that over 26.7 million Kenyans are currently online and engaging in digital transactions daily.

Kenya also boasts the largest mobile money transaction service in the World. According to UN Research, at least one out of ten mobile money transactions in the World occur in Kenya.

These statistics make Kenya a prime target for cybercriminals who, according to the National Cybersecurity Strategy, published by the Ministry of ICT, have continued to evolve in terms of the complexity and severity of their attacks.

The evolution of cyber threats between 2006 and 2012 are an iconic example. These threats include; Advanced Persistent Threats, Botnet Threats, Converged Threats, Cyberterrorism and Next Generation DoS (inclusive of DDoS).

The socio-economic impact of cybercrime in Kenya has been immense. According to a Serianu Cybersecurity Report, Kenya’s losses as at 2016, stood at a whopping $185m, a sharp increase from the estimated $100m lost in the previous year.

Notably, when cybercriminals face justice, only about 2% of prosecutions are successful. This can be attributed to the lack of proper regulation regarding data protection and cybersecurity, and the lack of appropriate measures to collect sufficient evidence to enable criminal prosecution.

The Legal Profession and the unique risks posed to them by cybercriminals

 

Kenya cybercriminal activity

Numerous professions in Kenya are facing digitisation as well. The legal industry has not been an exception. With the incorporation of modern filing systems, the use of e-mails and digital devices such as mobile handsets and laptops within law firms and legal offices, sensitive client data is being transacted and stored at a digital level across various platforms in various forms. Cybercriminals are aware of this and can exploit the gaps present in various ways.

A staggering lack of awareness and investment in cybersecurity solutions

Notably, around 96% of all organisations in Kenya invest less than $5000 in cybersecurity. A significant percentage of these sampled organisations consist of law firms, financial institutions, NGOs and governmental bodies where legal and compliance advisors safeguard the agenda of their respective institutions.

Around 96% of all organisations in Kenya invest less than $5000 in cybersecurity Click to Tweet

This highlights how low a priority cybersecurity is for institutions who are the custodians of sensitive data which can be compromised for profit by cybercriminals.

Man-in-the Middle Attacks

Legal practitioners often handle particularly sensitive internal or external, i.e. client information to carry out their mandate. An ideal example would be where numerous clients correspond with their hired advocates via e-mail, transacting confidential documents and data over the Internet with the faith that those communication channels are encrypted or secure. This makes law firms particularly prime for man-in-the-middle attacks.

A man-in-the-middle occurs where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.

An example would be where files were intercepted over the network, and redirected to hostile parties, who then changed the details of those files and dropped them back into the firm’s filing system.

The entire scam could go on for months, until all the data is collected and collated by the criminals, and subsequently utilised in a terrible heist of client funds.

Various rights of the client had been substantially breached, such as their constitutional right to privacy and, if the law firm had no cybersecurity measures in place, a valid claim under the tort of negligence, as the advocate in question had failed to fulfil an essential duty of care in protecting the client’s information.

The loss of a client’s data integrity

The loss of a client’s data integrity remains one of the largest risks for any legal enterprise. This is due to its resultant effect which is a substantial erosion of trust and an adverse breach of the client confidentiality relationship which is part and parcel of the legal profession.

Data leaks can lead to truly disastrous results for any legal practice once their clients’ data is made public by hackers, regardless of their motivation. A prime example could be the occurrence of the Panama Papers leak in 2015.

The Panama Papers are 11.5 million leaked documents that detail financial and attorney–client information for more than 214,488 offshore entities. The documents, which belonged to the Panamanian law firm and corporate service provider Mossack Fonseca, were leaked in 2015 by an anonymous source, some dating back to the 1970s.

The leaked documents contain personal financial information about wealthy individuals and public officials that had previously been kept private.

While offshore business entities are legal, reporters found that some of the Mossack Fonseca shell corporations were used for illegal purposes, including fraud, tax evasion, and evading international sanctions.

The damage to the reputation of the legal enterprise was immeasurable and to date, their clients’ data remains available for scrutiny for members of the Press and the public.

Ransomware

Cybercriminals are also targeting legal enterprises because of the urgency of the data required. Law firms require constant updates of their: research material regarding continuing court cases, recordings of proceedings, updated legal documents and documentary evidence.

Moreover, legal enterprises must be able to quickly retrieve, edit, update and restore their work files within those particular systems. This makes them prime targets for malicious attacks which lock users out of their various digital filing and retrieval systems.

A prime example of this would be the deployment of ransomware within a law firm’s IT environment. Ransomware, as the name suggests, demands the payment of ransom in Bitcoin, upon encryption of computer files within a system.

Other variations of ransomware, known as lock-screen ransomware lock out users from accessing the computer system and demand payment in Bitcoin to unlock and gain access.

Conclusion

A joint awareness campaign

In collaboration with numerous law firms in Kenya, ESET East Africa is engaging with certain legal practitioners based in Kenya’s digital market to raise awareness regarding the numerous risks present for their enterprises as well as the nation with the advent and growth of cybercrime within Kenya.

This will be done through joint events, programs and training sessions to sensitize legal enterprises about their issues.

Policy recommendations

As a driver of thought leadership across the globe, the ESET brand is honoured to collaborate with the lawyers and cybersecurity specialists in suggesting cybersecurity policies designed to safeguard the Kenyan populace from the evolved threat of cybercrime within Kenya.

Previous ArticleNext Article

Safer Internet Day 2019 0 205

Working together with your children for a better online experience

Beginning in 2004, Safer Internet Day has grown to become one of the landmark events in the online safety calendar. And this year’s theme, ‘Together for a better internet’, encapsulates a lot of the discussion we are seeing around online safety and cybersecurity. The topic is too complex a minefield for any of us to bear sole responsibility and, like all good things in life, we need to work together to bring about the best possible future.

What does it mean to work together where online safety is concerned? It could be an IT security company working closely with a consultation of parents to develop products, or parents and teachers working to ensure the online education of our young people. But what about children themselves? We put a lot of onus on finding the right solutions and products to protect our kids online, but one day those kids will grow up and live without online parental control. We should think about the best way to prepare them; ‘together for a better internet’ should mean working with our children to educate, inform and protect them, so they can stand the best possible change of making the right decisions for themselves.

That’s not to say that software doesn’t play a crucial role, and ESET would encourage all parents to take care over choosing the right parental control software on the family computer. When you are doing this though, we advise you do it together with your kids. Talk them through the programmes you’re installing and select your privacy settings together, discussing why you are doing it and the kinds of threats you’re protecting the family against. As part of this conversation you can talk to your children about what they’re doing online, who they’re talking to and what kinds of things they need to be careful about in day to day online. Many kids see control settings on the internet as a block to them having fun; what they need is someone to explain their function and reasoning. By having this discussion, you’re giving your kids an element of control and responsibility over their online activities which, when paired alongside the rules and software we all need to protect ourselves, should produce better results when it comes to their internet education.

The internet is such an integral part of our lives that the earlier you start talking to kids, involving them and teaching them about their online worlds, the better the results. Creating an open dialogue will always be more effective than just putting your foot down.

Set an example; whatever you expect your kids to do, make sure you are also doing. The online world represents dangers for all of us and we can all benefit from a few more precautions. If you’re asking your kids to cover their webcam when they’re not using it, then make sure you also do it. If you’re restricting their screen time, then think about setting yourself some boundaries as well. With the damaging effects of too many screens on our health and wellbeing, it’s unlikely to have any negative repercussions.

ESET’s software, such as its ESET Parental Control, places a large emphasis on parents and children working together. It helps them to navigate online, manage what apps and websites they use, and decide – together – what’s good for them. One of the key features is age-based filters which helps to manage which apps children can and cannot access, allowing parents to consider the right restrictions for their children and to not just impose a blanket ban. Other features include setting time limits on when children can play on their devices and creating exceptions that kids can request. Parents can even send their children messages which they must acknowledge before they can continue to use their devices.

It’s elements such as these that allow children to be involved in the monitoring of their safety, and truly help parents to work together with their kids for a better internet and the best possible online world.

 

Play it safe during FIFA 2018 0 891

We do realize that you’ve been caught up in the hurly-burly of the FIFA World Cup, but surely you have a few minutes to spare and peruse our roster of tips to stay safe online not only during the soccer spectacle. While you’re at it, recognize that no single player, no matter how stellar, is enough to put you on a path to success. In fact, being even one player short can be enough to trip you up. What should the pillars of your cybersecurity game plan be, then?

#1 A stitch in time saves nine

Last year went down in history for two serious cyber-incidents – the WannaCryptoroutbreak and the Equifax hack – that served up powerful reminders of the merits of swiftly squashing security bugs. 2017 also saw the highest number of  vulnerabilities reported.

So the number one player in you security team is updates. In your home settings, making sure that automatic updates are enabled for your operating system and software is an easy step to take to keep attackers away.

 

#2 Prune your team

Get rid of that disgruntled bench-warmer who ends up sapping your team’s morale. Software that you hardly ever use can become a liability simply by increasing your attack surface. To further reduce the possible entry points for cybercriminals, you may also want to disable unused services and ports, and ditch programs that have a track record of vulnerabilities.

For your browser, consider blocking ads and removing all but the most necessary of browser add-ons and plugins. While you’re at it, shut down the accounts that you no longer need and use your high-privilege, or admin, account only for administrative tasks.

#3 Practice strong password hygiene

One of the easiest ways to protect your online identities consists in using a long, strong and unique password or better still, passphrase, for each of your online accounts. It may well come in handy if your login credentials leak, for example due to a breach at your service provider – which, in fact, is far too common a scenario. Further, just as you’d never share your teams tactics with your opponents, you should never share your password with anybody.

If you’re like most people and find the need to remember many username/password combinations overwhelming, consider using a password manager, which is intended to store your passwords in a “vault”.

#4 Look before you leap

Even if you have the most complex of passwords or passphrases, be aware of where you input them.

Online, everything is just a click away, and scammers are keenly aware of that. In their pursuit of your personal information, they use social engineering methods to sucker you into clicking a link or opening a malware-laden attachment.

5 questions to ask yourself before clicking on a link are:

  1. Do you trust the sender of the link?
  2. Do you trust the platform?
  3. Do you trust the destination?
  4. Does the link coincide with a major world event like the FIFA worldcup? (Cyber criminals tend to be opportunistic this way)
  5. Is it a shortened link?

#5 Add a factor

When aiming for secure accounts, you need to up your ante by using two-factor authentication, particularly for accounts that contain Personally Identifiable Information (PII) or other important data. The extra factor will require you to take an extra step to prove your identity when you attempt to log in or conduct a transaction. That way, even if your credentials leak or your password proves inadequate, there is another barrier between your account and the attacker.

#6 Use secure connections

When you connect to the internet, an attacker can sometimes place himself between your device and the connection point. To reduce the risk that such a man-in-the-middle attack will intercept your sensitive data while they are in motion, use only web connections secured by HTTPS (particularly for your most valued accounts) and use trusted networks such as your home connection or mobile data when performing the most sensitive of online operations, such as mobile banking. Needless to say, secure Wi-Fi connections should be underpinned by at least WPA2 encryption (or, ideally, WPA3as soon as it becomes available) – even at home – together with a strong and non-default administrator password and up-to-date firmware on your router.

Be very wary of public Wi-Fi hotspots. If you need to use such a connection, avoid sending personal data or use a reputable virtual private network (VPN) service, which keeps your data private via the use of an encrypted “tunnel”. Once you’re done, log out of your account and turn off Wi-Fi.

#7 Hide behind a firewall

A firewall is one of your key defensive players. Indeed, it is often thought of as the very first line of defense. It can typically be a piece of software in your computer, perhaps as part of anti-malware software, or it can be built into your router – or you can actually use both a network- and a host-based firewall. Regardless of its implementation, a firewall acts as a brawny bouncer that, based on predetermined rules, allows or denies traffic from the internet into an internal network or computer system.

#8 Back up

A backup is the kind of player who doesn’t get much time on the pitch, but when he does get the nod, he can “steal the show”. True, we might have spoken ill of bench warmers earlier, but a reliable backup is definitely not the kind of player to spoil your team’s chemistry.

Your system cannot usually be too – or completely – safe from harm. Beyond a cyber-incident, your data could be compromised by something as unpredictable as a storage medium failure. A backup is an example of a measure that is corrective in nature, but that is fully dependent on how hard you “practiced”. Or, as Benjamin Franklin put it, “by failing to prepare, you are preparing to fail”. It will cost you some time and possibly money to create (time and time again) your backups, but when it comes to averting (data) loss, this player may very well save the day for you.

#9 Select security software

Even if you use your common sense and take all kinds of “behavior-centered” precautions, you need another essential addition to your roster. At a time when you’re pitted against attackers who are ever more skilled, organized and persistent, dedicated security software is one of the easiest and most effective ways to protect your digital assets.

A reliable anti-malware solution uses many and various detection techniques and deploys multiple layers of defense that kick in at different stages of the attack process. That way, you’re provided with multiple opportunities to stymie a threat, including the latest threats, as attackers constantly come up with new malicious tools. This underscores the importance of always downloading the latest updates to your anti-malware software, which ideally are released several times a day. Top-quality security software automates this process, so you needn’t worry about installing the updates.

#10 Mobiles are computers, too!

Much of this article’s guidance also applies to smartphones and tablets. Due to their mobility, however, these devices are more prone to being misplaced or stolen. It is also of little help that users tend to view security software as belonging in the realm of laptops and desktops. But mobile devices have evolved to become powerful handheld computers and attackers have been shifting their focus to them.

There’s a number of measures you can take to reduce risks associated with mobile devices. They include relying on a secure authentication method to unlock your device’s screen, backing up the device, downloading system and app updates as soon as they’re available (preferably automatically, if possible), installing only reputable apps and only from legitimate stores, and making sure to use device encryption if it’s not turned on by default.

A dedicated mobile security solution will also go a long way towards enhancing your protection from mobile threats. This includes a scenario whereby your device goes missing, so you are then able to use the suite’s anti-theft and remote-wipe functionalities.

#11 Be aware

The final team member is, in fact, you – the keeper. Stay vigilant and cyber-aware and educate yourself on safe online habits. Don’t ever say, “it won’t/can’t happen to me”, because everyone is a potential target and victim. Recognize that one click is enough to inflict major damage on yourself and others, and that breaking good security practices for the sake of convenience may come back to bite you worse than Luis Suárez did in 2014. After all, how secure we are is largely dependent on how we use the technology.

So there you have it. You may want to enjoy the soccer now.