CREATING CYBER SECURITY AWARENESS FOR A MICROFINANCE

by Lee N | Apr 28, 2023 | IT & Personal Life

The goal of this awareness is to educate our employees on cyber threats and ways to avoid them. By doing so, they will be able to identify potential risks, respond appropriately, and protect customer data. This will help us prevent financial losses, maintain customer trust, and comply with regulations.

The relevance of this awareness

To protect the mission of the company: Implementing robust cybersecurity measures can help to protect customer data, prevent financial loss, and maintain the trust of customers. By raising awareness of cyber threats and training employees on how to identify and respond to potential risks, we can create a culture of cybersecurity and reduce the risk of a security breach.

Legal Compliance: As an institution, we are required to comply with various laws and regulations governing cybersecurity in microfinance institutions in Kenya. These laws include the Kenya Information and Communications (Amendment) Act, 2013, the Data Protection Act, 2019, the Banking (Amendment) Act, 2016, the National Payment System (NPS) Act, 2011, and the Cybersecurity and Protection Bill, 2021.

Brief Overview of Cyber Security Threats

Serianu, a Kenyan cyber security consultancy firm, estimated that cybercrime cost the Kenyan economy approximately $210 million in 2020. The report also highlighted that the COVID-19 pandemic had increased the number of cyber threats in Kenya, with cybercriminals exploiting the shift towards remote work and online activities.

KE-CIRT, the institute responsible for national-level cyber incident detection and response, has noted significant growth in the total threats detected, from 23 million in 2018 to 110 million in 2020. KE-CIRT statistics for the second quarter of 2021 show that ransomware, malware, and phishing attacks are the most common cybersecurity risks.

Why are we a top target for cyberattacks as a microfinance institution?

  • Financial gain: As a financial institution, we have valuable data that can be stolen, such as customer account information, financial transactions, and other sensitive financial information. This information can be used to commit fraud or sold on the dark web for a profit.
  • Reputation damage: Our competitors can initiate a cyberattack that can lead to significant reputational damage, which can impact our ability to attract and retain customers and investors.
  • Ideological motivation: Attackers may be motivated by an ideology, such as extremist views, and use the microfinance institution as a target to further their cause.

Potential Targets within our institution

  • Infrastructure: We rely on computer systems, networks, and other infrastructure to operate efficiently. Attackers may target this infrastructure to disrupt operations, steal data, or spread malware.
  • Employees: Attackers may target you, our employees, with phishing attacks, social engineering tactics, or other methods to gain access to sensitive systems or data.
  • Third-party vendors: We rely on third-party vendors to provide services such as IT support, data storage, and payment processing. Attackers may target these vendors to gain access to the microfinance institution’s systems or data.

How Employees are Targeted – Phishing

Case 1: Phishing Using Email

  1. An employee receives an email that appears to be from a client, asking for assistance with a loan application.
  2. The email asks the employee to click on a link to access the loan application form, which requires the client’s personal and financial information.
  3. The email may use urgent language or offer a financial incentive to encourage the employee to act quickly and click on the link.
  4. If the employee enters the client’s information into the form, the cybercriminal behind the attack can use it to steal the client’s identity or access their financial accounts.

Case 2: Phishing Using a Phone Call – Social Engineering

  1. An employee receives a phone call from someone claiming to be from the microfinance institution’s IT department.
  2. The caller says that there has been a security breach and that the employee needs to change their login credentials immediately to avoid further issues.
  3. The caller provides a sense of urgency and encourages the employee to act quickly to prevent any data loss or system damage.
  4. The caller then asks the employee to provide their current login credentials and suggests a new password to use.
  5. If the employee provides their login credentials, the cybercriminal behind the attack can use them to gain access to sensitive data or systems.

Case 3: Attack Through Service Providers

  1. One of our service providers receives an email that appears to be from our IT department.
  2. The email requests that the service provider provide login credentials for their portal access in order to perform maintenance on the institution’s systems.
  3. The email may use urgent language or suggest that the provider will be penalized for not complying.
  4. If the service provider provides their login credentials, the cybercriminal behind the attack can use them to gain access to the microfinance institution’s sensitive data or systems.

Case 4: Attack through Manipulative Customers

Manipulative customers can be a potential threat in phishing attacks, especially if they are able to convince an employee to share sensitive information or perform an action that could compromise the security of the organization. These customers may use social engineering tactics, such as building a rapport with an employee or posing as a legitimate customer or vendor, to gain their trust and manipulate them into sharing sensitive information or performing an action, such as transferring funds or changing account details.

Why is phishing so effective?

  1. Social engineering tactics: Phishing attacks use social engineering tactics to manipulate victims into providing sensitive information or clicking on links. These tactics prey on human emotions, such as fear, curiosity, and urgency, making it difficult for victims to recognize the attack.
  2. Realistic-looking messages: Phishing attacks often use messages that look very similar to legitimate messages from reputable companies or individuals. This makes it difficult for victims to distinguish between a real message and a phishing message.

Common Signs of a Phishing Attack

  • Suspicious sender or domain
  • Urgent or threatening language
  • Grammatical or spelling errors
  • Unexpected attachments or links
  • Unusual requests for personal or sensitive information
  • Suspicious URLs

Employee Precautions Against Phishing

  • Verify sender and domain: Always verify the sender and domain of an email before opening it or clicking on any links.
  • Be cautious of urgent or threatening messages: Be wary of emails that use urgent or threatening language, as this is a common tactic used in phishing attacks.
  • Avoid unexpected attachments and links: Do not click on any unexpected attachments or links, especially if they come from an unfamiliar sender.
  • Be wary of unusual requests for information: Be cautious of any requests for personal or sensitive information, especially if they seem unusual or out of place.
  • Verify URLs: Always verify the URL of a website before entering any personal or sensitive information.
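The warning signs and precautions listed above can be turned into a simple screening check that an IT or security team can run over a reported email before deciding how to respond. The script below is an added example, not code from the original post or from the author's organisation: it scores a message against the indicators named here (lookalike sender domain, urgent or threatening language, requests for credentials or identity data, links that are not HTTPS, point at a raw IP address, use a lookalike domain, or show one address while pointing at another). The institution domain `examplemfi.co.ke`, the phrase lists, and the three sample messages (a genuine client enquiry, a Case 1 style loan-form lure, and a Case 3 style credential request) are constructed for illustration.

```python
"""Heuristic phishing-indicator scorer (added example, not from the original post)."""
import re
from urllib.parse import urlparse

# Assumed institution domain: a constructed placeholder, not a real organisation.
TRUSTED_DOMAINS = {"examplemfi.co.ke"}

URGENT_PHRASES = ("immediately", "urgent", "within 24 hours", "will be penalized",
                  "suspended", "act now", "security breach")
SENSITIVE_REQUESTS = ("password", "login credentials", "pin", "id number", "otp")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def sender_domain(from_header: str) -> str:
    """Lowercase domain of a From: header, for both 'Name <u@d>' and bare 'u@d' forms."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header.strip()
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a trusted name is a classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when an untrusted domain embeds, or is within two edits of, a trusted domain."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]            # 'examplemfi'
        if label in domain or edit_distance(domain, trusted) <= 2:
            return True
    return False


def find_phrases(text: str, phrases) -> list:
    """Whole-word, case-insensitive matches so 'pin' does not fire on 'shipping'."""
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text, re.I)]


def suspicious_url(url: str) -> list:
    """Reasons a link target looks suspicious (empty list when none apply)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append(f"non-HTTPS link ({parsed.scheme or 'no scheme'})")
    if IPV4_RE.match(host):
        reasons.append("link points at a raw IP address")
    if host and is_lookalike(host):
        reasons.append("lookalike domain")
    return reasons


def analyse(message: dict) -> dict:
    """Score one message given as {'from', 'subject', 'body'}; body may contain HTML links."""
    findings = []
    domain = sender_domain(message["from"])
    if is_lookalike(domain):
        findings.append(f"sender domain '{domain}' resembles a trusted domain")
    text = message["subject"] + " " + message["body"]
    findings += [f"urgent or threatening language: '{p}'" for p in find_phrases(text, URGENT_PHRASES)]
    findings += [f"request for sensitive information: '{p}'" for p in find_phrases(text, SENSITIVE_REQUESTS)]
    for href, anchor_text in LINK_RE.findall(message["body"]):
        findings += [f"link {href}: {r}" for r in suspicious_url(href)]
        shown = re.search(r"https?://[^\s<]+", anchor_text)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {shown.group(0)} but points to {href}")
    score = len(findings)
    verdict = "likely phishing" if score >= 3 else ("review" if score else "no indicators")
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages: no real people, addresses or domains.
SAMPLES = {
    "legit_client": {
        "from": "Jane Client <jane@client-example.com>",
        "subject": "Question about my loan repayment date",
        "body": "Hello, could you confirm when my next instalment is due? Thanks, Jane",
    },
    "case1_loan_form": {
        "from": "Jane Client <jane@client-example.com>",
        "subject": "Loan application - please complete today",
        "body": ('Please open the form immediately and fill in my ID number and account details: '
                 '<a href="http://examplemfi-loans.net/form">https://examplemfi.co.ke/loan-form</a>'),
    },
    "case3_vendor_credentials": {
        "from": "IT Department <support@exampIemfi.co.ke>",   # capital I in place of l
        "subject": "URGENT: portal maintenance",
        "body": ("Send your login credentials within 24 hours so we can perform maintenance. "
                 "Providers that do not comply will be penalized."),
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        result = analyse(msg)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("   -", finding)
```

The genuine client enquiry scores zero, the loan-form lure is flagged for urgency, an identity-data request, a plain-HTTP link on a lookalike domain, and link text that does not match its target, and the vendor message is flagged for a one-character lookalike sender domain, three urgency phrases and a request for login credentials. A heuristic like this is a triage aid for the security team, not a substitute for the verification steps above; the phrase lists and the "three or more findings" threshold are tuning choices and will need adjusting to the institution's own mail traffic.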

How to Respond to a Phishing Attack: Steps for Employees

  • Do not respond: Do not click on any links, reply to the email, or provide any personal or sensitive information.
  • Notify IT or security: Alert your IT or security team as soon as possible, forwarding the suspicious email or providing details about the attack.
  • Delete the email: If you have not already done so, delete the suspicious email from your inbox and trash folders.
  • Change passwords: If you have already clicked on any links or provided personal or sensitive information, change your passwords immediately for any relevant accounts.
  • Monitor accounts: Keep an eye on your accounts for any unusual activity, and report any suspicious activity to your IT or security team.

Observance of the Zero Trust Policy by Employees

  • Verify identity: Always verify the identity of anyone requesting access to sensitive information or resources before granting access.
  • Practice the principle of least privilege: Only grant access to the resources that are needed to perform your job duties.
  • Use strong authentication: Use strong passwords and two-factor authentication to protect against unauthorized access.
  • Be aware of phishing attacks: Be vigilant and report any suspicious emails, phone calls, or other communications to your IT security team.
  • Keep software up to date: Keep all software, including security software, up to date to ensure that it has the latest protections against emerging threats.
  • Follow established protocols and procedures: Follow established protocols and procedures for accessing sensitive information or performing actions, such as seeking approval before making changes to systems or accessing sensitive data.
  • Use company-approved devices and software: Only use company-approved devices and software for work-related activities, and avoid using personal devices or software for work tasks, as they may not have adequate security measures in place.

Conclusion

Protecting our institution against cyber threats is a shared responsibility. As employees, we play a critical role in safeguarding our customers’ data and financial assets. By staying vigilant, following best practices, and working together to identify and address potential vulnerabilities, we can help prevent cyber attacks and protect our institution. Let’s make cybersecurity a top priority and work together to ensure the safety and security of our institution and our customers.


Written by Lee N

Lee N is a Certified System Architect, Certified Cloud Engineer, Certified Oracle Database Programmer, and RedHat Administrator II Expert with 5 years of experience in designing, developing, and monitoring web-based systems.
