Cybersecurity in Kenya: A strategic business risk, not just an IT problem

Recent Kenyan cyber security data paints a stark picture: between January and March 2025, over 2.5 billion cyber threat events were detected, representing a more than 200 percent increase from the previous quarter, a trend reflecting not just higher threat activity but also broader digital engagement nationwide.

This escalation continued later in the year, with reports showing that Kenya recorded more than 4.3 billion cyber threat incidents between October and December 2025, underscoring the sheer scale and complexity of risks facing our national digital infrastructure.

These threats span system attacks, malware, distributed denial of service (DDoS) and brute‑force login attempts that target vulnerabilities in applications, networks and human behaviour, such as phishing.

Globally, attacking vectors are also evolving through the use of AI to craft highly convincing scams, deep fakes and automated intrusion attempts, meaning that complacency is no longer an option for any organisation with an online presence.

The economic impact of cybercrime is already significant in Kenya. A recent Serianu cyber security report estimated that losses from cybercrime across the country reached about Sh29.9 billion ($230 million) in 2025, driven by payment fraud, online and email scams, and impersonation attacks that exploit gaps in monitoring and authentication systems.

As the digital economy grows, financial services, telecommunications, healthcare, government agencies and even education sectors are increasingly on the radar of attackers seeking to capitalise on technology gaps and human error. The business implications of these trends are profound.

A successful cyber attack can disrupt operations for days, lead to regulatory penalties under data protection laws, erode customer trust, and impose heavy costs related to incident response, system recovery and legal liability.

It can also damage reputations that companies have spent years building. In an interconnected economy, one breach in a supplier, partner or service provider can cascade across entire value chains, causing systemic risk that extends far beyond the originally affected organisation.

Read: Kenya's AI imperative balancing innovation with cybersecurity preparedness

Addressing cyber risk, both in Kenya and globally, requires businesses to fundamentally change how they perceive and manage these threats.

Cybersecurity must be integrated into enterprise risk frameworks and overseen strategically by boards and leadership teams, rather than being delegated solely to IT departments.

This involves establishing robust identity and access management controls, embracing multi‑factor authentication, and instilling a culture of security awareness where employees recognise and resist social engineering and phishing attempts.

Organisations that invest in continuous monitoring, regular patching of vulnerabilities and scenario planning for breaches build resilience that protects both operational continuity and stakeholder confidence.

However, technology and governance alone are insufficient without appropriate financial protection. Cyber insurance is now a critical component of a comprehensive risk management strategy.

Unlike traditional policies that cover physical assets, cyber insurance is designed to address the unique financial consequences of digital incidents, including data breach notifications, forensic investigations, business interruption losses, regulatory fines and costs associated with restoring systems and reputations.

By transferring part of the economic burden of a breach, cyber insurance enables organizations to recover more quickly and with greater certainty, preserving liquidity and business viability in the aftermath of an attack.

Kenya’s digital landscape remains vibrant and full of potential, but rapid digital adoption has made us a compelling target for cybercriminals who are well‑resourced and opportunistic.

Businesses that treat cyber security as an afterthought will find themselves increasingly exposed, with consequences that run deep into their finances and futures.

Leaders must act now to embed cyber risk management into their strategic planning, invest in modern defences and partner with risk carriers to safeguard against the financial fallout of incidents that are no longer matters of “if”, but “when”.

In this era, cyber risk is a boardroom concern, a financial risk and a reputational imperative, one that demands investment, vigilance and a proactive approach if Kenyan businesses are to thrive securely in a digital world.

The writer is the CEO of APA Insurance Ltd