Kenya is now one of the most targeted cyber economies in Africa. The Communications Authority of Kenya has consistently reported hundreds of millions of cyber threat events per quarter, with system attacks and brute-force attempts dominating the mix. For CISOs in Nairobi, Mombasa, and across the EAC, the question is no longer whether you will be targeted — it is whether your controls will hold when you are.
This post breaks down the Kenya cybersecurity trends shaping board-level decisions right now, and what to do about each one.
Ransomware Has Moved From Opportunistic to Targeted
Groups like LockBit affiliates, BlackCat/ALPHV remnants, and newer brands such as RansomHub have shown clear interest in African financial services, telcos, and government-adjacent contractors. The pattern in Kenya mirrors what we have seen across the continent: initial access through phished credentials or unpatched edge devices (Fortinet, Ivanti, Citrix), followed by lateral movement over flat networks, then double extortion.
What is different in 2024–2025:
- Faster dwell-to-encryption time — some intrusions move from access to encryption in under 72 hours.
- Data theft without encryption — extortion-only attacks are rising because they are cheaper to run and harder to detect.
- Targeting of MSPs and SaaS providers — one compromised vendor cascades into dozens of Kenyan clients.
Expert tip: If your incident response plan still assumes you will have days to react, rewrite it. Assume hours.
ODPC Enforcement Is Reshaping Compliance Budgets
The Office of the Data Protection Commissioner has moved past the awareness phase. Enforcement notices and penalties under the Kenya Data Protection Act, 2019 have been issued across sectors — digital lenders, schools, hospitality, and media among them. Fines have reached the multi-million-shilling range, and the ODPC has shown willingness to name organisations publicly.
What this means practically:
- Data Protection Impact Assessments (DPIAs) are no longer optional for high-risk processing.
- Cross-border data transfers need documented safeguards, particularly for cloud workloads hosted outside Kenya.
- Breach notification timelines (72 hours) are being tested in real cases.
If your last privacy review was the registration exercise in 2022, you are behind.
Cloud Misconfiguration Is the Quiet Crisis
Most Kenyan enterprises we assess have moved meaningful workloads to AWS, Azure, or Microsoft 365. Few have matured their cloud security posture to match. The most common findings from our cloud reviews:
- Publicly exposed S3 buckets or Azure Blob containers holding customer PII
- Over-privileged IAM roles with no MFA on console access
- Disabled or unmonitored CloudTrail / Azure Activity logs
- Legacy authentication still enabled in Microsoft 365 tenants
- Lack of conditional access policies, so a stolen password = full mailbox access
Attackers do not need zero-days when an intern's account can read the finance director's inbox from anywhere in the world.
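Three of the findings above (a bucket policy that grants everyone read access, console users without MFA, and a trail that is not actually logging) can be checked from the data AWS already hands you, without waiting for a full review. The script below is an added example written for this post, not SecureZaidi tooling or any AWS library code: it runs offline over constructed sample inputs shaped like a bucket policy document, a subset of the IAM credential report columns, and a merged trail description (the `IsLogging` field is what `get_trail_status` returns; the rest comes from `describe_trails`). The bucket name, account id and usernames are made up for the example.

```python
"""Offline checks for three of the cloud findings listed above.

Added example for this post. Inputs are constructed sample data in the
shape AWS returns them; nothing here talks to a live account.
"""
import csv
import io
import json

# Principal forms that mean "anyone", as they appear in an S3 bucket policy.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})


def _as_list(value):
    """Policy fields such as Action may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def public_read_statements(policy):
    """Return the Sid of every Allow statement that grants object reads to
    everyone and carries no Condition narrowing who can use it."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grants_read = bool(actions & {"s3:getobject", "s3:*", "*"})
        if grants_read and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def console_users_without_mfa(report_csv):
    """From the IAM credential report (CSV text), list users who can sign in
    to the console (password_enabled) but have no MFA device active.
    The root row reports 'not_supported' for password_enabled and is skipped."""
    rows = csv.DictReader(io.StringIO(report_csv))
    return [r["user"] for r in rows
            if r["password_enabled"] == "true" and r["mfa_active"] == "false"]


def trail_gaps(trail):
    """Flag a CloudTrail trail that is stopped, single-region, or lacks
    log-file validation (each of which weakens it as evidence)."""
    gaps = []
    if not trail.get("IsLogging"):
        gaps.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail"):
        gaps.append("trail covers a single region only")
    if not trail.get("LogFileValidationEnabled"):
        gaps.append("log file validation disabled")
    return gaps


# Constructed sample bucket policy: one public statement, one scoped to a
# role, one public-but-conditioned (only reachable through a VPC endpoint).
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-kyc-exports/*"},
    {"Sid": "AppRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::customer-kyc-exports",
                  "arn:aws:s3:::customer-kyc-exports/*"]},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-kyc-exports/public/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")

# Constructed subset of credential-report columns (the real report has more).
SAMPLE_CREDENTIAL_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,false
fin.director,arn:aws:iam::111122223333:user/fin.director,true,true,false
intern.2025,arn:aws:iam::111122223333:user/intern.2025,true,false,true
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,false,true
"""

# Constructed trail description merged with its status.
SAMPLE_TRAIL = {"Name": "management-events", "IsMultiRegionTrail": False,
                "LogFileValidationEnabled": True, "IsLogging": False}


def run_all():
    """Run the three checks over the sample data and return the findings."""
    return {
        "public_read": public_read_statements(SAMPLE_POLICY),
        "console_no_mfa": console_users_without_mfa(SAMPLE_CREDENTIAL_REPORT),
        "trail_gaps": trail_gaps(SAMPLE_TRAIL),
    }


if __name__ == "__main__":
    for check, result in run_all().items():
        print(f"{check}: {result}")
```

Fed live data (`get_bucket_policy`, `get_credential_report`, `describe_trails` plus `get_trail_status`), the same functions give a first-pass list of the exposures this section describes; the conditioned statement is deliberately not flagged so the checker does not cry wolf on every `Principal: "*"`.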
Mobile Money and API Fraud Are the New Frontline
Kenya's payments ecosystem — M-PESA, PesaLink, card rails, and the growing open-banking integrations — is a magnet for fraud. We are seeing three patterns dominate:
1. API abuse against fintech endpoints with weak rate limiting or broken object-level authorisation (BOLA), the top issue in the OWASP API Security Top 10.
2. SIM swap fraud chained with credential stuffing to drain accounts.
3. Insider-assisted fraud at agent and customer-service tiers, often invisible to perimeter controls.
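The first pattern, broken object-level authorisation combined with weak rate limiting, is easiest to see in code. The example below is added for this post and is not any fintech's real endpoint: a toy transaction-lookup handler in its vulnerable form beside a hardened version that checks ownership and applies a per-caller token bucket. The in-memory store, the MSISDN-style caller identifiers and the injected clock are constructed stand-ins; a real service would derive the caller from a verified session token rather than a parameter.

```python
"""Broken object-level authorisation (BOLA) and missing rate limiting,
shown side by side on a toy transaction-lookup endpoint.

Added example for this post, not vendor or client code. The store, the
caller identities and the clock are constructed stand-ins.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transaction:
    txn_id: int
    owner_msisdn: str   # constructed placeholder identifiers, not real numbers
    amount_kes: int


# Constructed sample store: two customers, three transactions.
STORE = {
    1001: Transaction(1001, "2547XXXXXX01", 2500),
    1002: Transaction(1002, "2547XXXXXX01", 180),
    1003: Transaction(1003, "2547XXXXXX02", 42000),
}


class NotFound(Exception):
    pass


class TooManyRequests(Exception):
    pass


def get_transaction_vulnerable(caller_msisdn, txn_id):
    """BOLA: the caller is authenticated but the handler never checks that
    the requested object belongs to them, so any valid ID is readable and
    sequential IDs make the whole ledger enumerable."""
    return STORE[txn_id]


@dataclass
class TokenBucket:
    """Per-caller limiter: `capacity` requests, refilled at `rate` per second."""
    capacity: int
    rate: float
    tokens: float = field(init=False)
    last: float = field(default=0.0)

    def __post_init__(self):
        self.tokens = float(self.capacity)

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class TransactionApi:
    """Hardened handler: rate limit first, then an object-level ownership check."""

    def __init__(self, capacity=5, rate=1.0):
        self._buckets = {}
        self._capacity, self._rate = capacity, rate

    def get_transaction(self, caller_msisdn, txn_id, now):
        bucket = self._buckets.setdefault(
            caller_msisdn, TokenBucket(self._capacity, self._rate))
        if not bucket.allow(now):
            raise TooManyRequests(caller_msisdn)
        txn = STORE.get(txn_id)
        # Same "not found" response whether the ID is missing or belongs to
        # someone else, so the response does not confirm which IDs exist.
        if txn is None or txn.owner_msisdn != caller_msisdn:
            raise NotFound(txn_id)
        return txn


def run_demo():
    """Exercise both handlers with a constructed clock and return the outcomes."""
    other, owner = "2547XXXXXX02", "2547XXXXXX01"
    out = {}
    # Vulnerable handler: caller 02 can read caller 01's transaction.
    out["vulnerable_leaks"] = get_transaction_vulnerable(other, 1001).owner_msisdn == owner
    api = TransactionApi(capacity=3, rate=1.0)
    try:
        api.get_transaction(other, 1001, now=10.0)
        out["hardened_leaks"] = True
    except NotFound:
        out["hardened_leaks"] = False
    # The owner can read their own record; the fourth request within one
    # second is rejected by the bucket.
    allowed = 0
    for i in range(4):
        try:
            api.get_transaction(owner, 1001, now=20.0 + i * 0.1)
            allowed += 1
        except TooManyRequests:
            break
    out["allowed_before_limit"] = allowed
    return out


if __name__ == "__main__":
    print(run_demo())
```

Two details carry most of the value: the ownership check compares against the caller's verified identity rather than anything in the request body, and the limiter is keyed per caller so one client cannot consume everyone's budget. A per-object 404 that does not distinguish "missing" from "not yours" is what keeps the endpoint from doubling as an ID oracle.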
The Central Bank of Kenya's Guidance Note on Cybersecurity for the Banking Sector, and the broader push toward operational resilience, now expects boards to evidence active testing of these scenarios — not just policies on paper.
What to Prioritise in the Next 12 Months
If you do nothing else, focus here:
- Run an external penetration test annually, plus an API-focused test if you operate fintech or USSD services.
- Mature identity — MFA everywhere, conditional access, privileged access management.
- Build a 72-hour breach response playbook aligned to ODPC obligations and CBK guidance.
- Map your third parties — vendor compromise is now a leading initial access vector.
- Test backups by restoring, not by hoping.
The organisations that fare best in Kenya's threat environment are not the ones with the biggest budgets. They are the ones with the clearest priorities.
Ready to assess your posture? Contact SecureZaidi for a free consultation and find out where your organisation actually stands against the threats targeting Kenya today.