Cybersecurity in Kenya: The Growing Threat Landscape and National Response

Kenya's rapid digital transformation has made it one of Africa's most connected nations, but this connectivity comes with escalating cyber risks. With 2.54 billion cyber threat incidents detected in just the first quarter of 2025 — a 201.7 per cent increase from the previous quarter — Kenya faces an increasingly sophisticated threat landscape that impacts government institutions, businesses, and individual citizens alike. Understanding the cyber threat environment, legal frameworks, and protective measures is essential for anyone operating in Kenya's digital economy.

The Scale of Cyber Threats in Kenya

Kenya ranks among the most targeted countries in Africa for cyber attacks. The Communications Authority of Kenya (CA) reported over 4.5 billion cyber threat events during the April–June 2025 period alone, representing an 80.70 per cent increase from the previous quarter. In 2023, the CA reported KES 10.7 billion (approximately USD 83 million) in losses to cybercrime, placing Kenya second in Africa behind Nigeria.

System misconfiguration and brute force attacks remain the most prevalent attack vectors, while ransomware incidents have surged dramatically. The healthcare sector experienced a 95 per cent increase in ransomware attacks, escalating from 20 to 39 cases in a single month. Manufacturing leads as the most targeted sector for ransomware, representing 26.23 per cent of all incidents, with threat groups like LockBit, Cl0p, and RansomEXX operating actively in Kenya.

Public administration, information services, and the finance sector account for over 43 per cent of all cyber incidents, highlighting the growing risk to Kenya's critical infrastructure. Internet Service Providers and cloud service providers remain key targets, with cloud security incidents rising by approximately 18–25 per cent in 2024.

Common Cyber Threats Targeting Kenyans

Phishing and Social Engineering: Phishing remains the most common attack vector targeting Kenyan individuals and organisations. Attackers create convincing replicas of banking portals, M-Pesa interfaces, and government service websites to harvest credentials. SMS-based phishing (smishing) targeting mobile money users is particularly prevalent given Kenya's high mobile money adoption rates.

SIM-Swap Fraud: Criminals collude with or impersonate telecommunications employees to transfer a victim's phone number to a new SIM card, gaining access to mobile banking, M-Pesa, and two-factor authentication codes. This fraud type has prompted specific legislative attention in the 2025 amendments to the Cybercrimes Act.

Ransomware: Increasingly sophisticated ransomware attacks target businesses and government institutions, encrypting data and demanding payment for its release. Small and medium enterprises (SMEs) are particularly vulnerable due to limited cybersecurity budgets and awareness.

Data Breaches: Nearly 750,000 email-password combinations and 18,865 credit card records belonging to Kenyan users have been found exposed on dark web marketplaces, according to security researchers. These breaches affect banking, e-commerce, and government platforms.

Business Email Compromise (BEC): Sophisticated attacks targeting corporate email systems have resulted in significant financial losses for Kenyan businesses, particularly those engaged in international trade and cross-border transactions.

Kenya's Cybersecurity Legal Framework

Kenya has developed a comprehensive legal framework addressing cybercrime and data protection. The Computer Misuse and Cybercrimes Act of 2018 established the foundational legal structure for prosecuting cyber offences. Key provisions criminalise unauthorised access to computer systems, cyber espionage, identity theft, cyberstalking, and the publication of false information.

The Act created the National Computer and Cybercrime Coordination Committee (NC4), which coordinates cybersecurity efforts across 11 government agencies including the National Intelligence Service, the Directorate of Criminal Investigations, and the Central Bank of Kenya. The Kenya Computer Incident Response Team – Coordination Centre (KE-CIRT/CC), established in 2014, serves as the national point of contact for cyber incident reporting and response.

The Computer Misuse and Cybercrimes (Amendment) Act 2025, assented to by President William Ruto on 15 October 2025, addresses emerging threats including SIM-swap fraud, phishing, and cyber harassment. The amendment broadens NC4's mandate to include authority to issue directives making websites or applications inaccessible if they promote unlawful activities. However, civil society organisations have raised concerns that certain provisions could be used to suppress legitimate online expression and restrict press freedom.

Data Protection Framework

The Data Protection Act of 2019 established Kenya's data privacy regime, creating the Office of the Data Protection Commissioner (ODPC) as the regulatory authority. The Act requires organisations to obtain consent before collecting personal data, implement appropriate security measures, and report data breaches within 72 hours of discovery.

Data controllers and processors must register with the ODPC, and the Act provides for penalties of up to KES 5 million or imprisonment for up to 10 years for serious violations. The Act applies to all data processing activities within Kenya, as well as processing of data relating to Kenyan citizens regardless of where the processing occurs, giving it extraterritorial reach.

The Critical Information Infrastructure and Cybercrime Management Regulations of 2024 further strengthened protections for essential services including energy, telecommunications, financial services, and healthcare systems, requiring operators to implement specified cybersecurity standards and report incidents to KE-CIRT/CC.

Cybersecurity Industry and Workforce

Kenya's cybersecurity industry has grown rapidly to address escalating threats, with both local and international security firms establishing operations in Nairobi. The Africa Cybersecurity Report by Serianu consistently highlights Kenya as a leading market for cybersecurity services in East Africa.

However, Kenya faces a significant cybersecurity skills gap. The demand for qualified cybersecurity professionals far exceeds supply, with many organisations struggling to recruit and retain talented security staff. Universities including Strathmore University, the University of Nairobi, and Jomo Kenyatta University of Agriculture and Technology offer cybersecurity programmes, but graduation rates remain insufficient to meet industry demand.

Protecting Yourself from Cyber Threats in Kenya

Individuals and businesses can take several practical steps to enhance their cybersecurity posture. Enable two-factor authentication on all accounts, particularly M-Pesa and banking applications. Never share PINs, passwords, or OTPs with anyone, including people claiming to represent Safaricom or your bank. Verify the authenticity of websites before entering credentials by checking for HTTPS and correct domain names.

For businesses, implement regular security assessments, maintain updated software and systems, conduct employee cybersecurity awareness training, and develop incident response plans. Report cyber incidents to KE-CIRT/CC through their reporting portal or hotline at +254-703-042700. The National KE-CIRT/CC provides advisories and threat intelligence to help organisations stay informed about emerging threats.

As Kenya continues its digital transformation journey through initiatives like the Digital Economy Blueprint and expanding e-government services, cybersecurity will remain a critical challenge requiring coordinated effort from government, the private sector, civil society, and individual citizens to build a resilient and secure digital ecosystem.