Home » Data Protection » Network Security

News

Experts: Kenyan Businesses Unprepared for Security Attacks

By Rebecca Wanjiku, IDG News Service (Nairobi Bureau)

April 29, 2008 —

The switch to more computerized information and processes has led to increased productivity and profits for many Kenyan companies, but information security has been neglected, according to IT experts in the country.

Many companies in Kenya adopt high-tech hardware and software, but very few are fully investing in information security and frequent audits to identify vulnerabilities, according to John Gichuki, an information security and forensic auditor.

Many businesses in Kenya are concerned with hardware security but there is little or no investment in periodic vetting of software.

"For instance, many corporate and government servers run on open source, which is good, but they have never hired experts to test the serversâ¬" ability to withstand attacks. The servers are still in default and information security is neglected," Gichuki said.

Because most of the open-source applications' source code is available online, hackers target vulnerabilities, forcing many organizations to constantly update the software.

High-profile companies like East African Breweries (EABL) and Safaricom have credited their success to adoption of ICT strategies.
EABL Managing Director Gerald Mahinda credited the company's rise in profit to its ability to consolidate its information needs into a single, integrated information system. EABL has heavily invested in SAP's ERP (enterprise resource planning) software package.

In their quests to emulate big performers like EABL, many organizations are investing in high-tech hardware and software -- but security issues have not been prioritized, a trend Gichuki credits to the fact that there have been no major cases of hackers inflicting heavy damage on companies.

But just as companies develop policies that address how employees use cars and other company property, Gichuki says that companies should develop information security policies that safeguard information.

When designing policies, it is important for an organization to identify the elements that make up the entire system, said Athar Bhatti, an IT expert. This blueprint allows the organization to map systems security and the areas to be addressed in order to build a proper policy from a security perspective.

"Information technology is the bridge between an organization's strategic objectives and their operational implementation. As most companies today are dependent on some form of IT function such as e-mail, any successful security penetration could be the same as taking over a real bridge," Bhatti said.

Using the bridge as the analogy, Bhatti says that once an attacker accesses a bridge, that attacker can misuse it. A competitor can steal data, delete vital data, slow down transactions and access client information, which will greatly affect efficiency in an organization.