The digital economy is no longer a convenience — it is the backbone of commerce, government, healthcare, and society. Yet as organisations race to digitise, the adversaries probing their defences race just as fast, if not faster. Cybersecurity and organisational resilience are no longer purely technical concerns confined to IT departments. They are board-level imperatives, strategic differentiators, and, increasingly, matters of national survival.

Understanding the Threat Landscape

Cybercriminals today operate with the sophistication of enterprise businesses. Ransomware-as-a-Service (RaaS) platforms allow low-skill actors to deploy devastating attacks at scale. LockBit claimed responsibility for the 2024 attack on South Africa’s Government Pensions Administration Agency, forcing a full system shutdown — demonstrating how criminal ecosystems now offer turn-key attack capabilities.

In Kenya alone, the Communications Authority reported 2.54 billion cyber threat incidents in Q1 2025 — a 201.7% increase from the prior quarter. Africa loses an estimated 10% of GDP annually to cybercrime. These are not abstract statistics. They represent disrupted hospitals, drained bank accounts, compromised government systems, and fractured public trust.

  • 2.54 billion cyber threat incidents in Kenya in Q1 2025 alone, up 201.7% quarter-on-quarter
  • $83 million in Kenyan cybercrime losses in 2023, the second highest in Africa after Nigeria’s $1.8 billion
  • 10%: Africa’s estimated annual GDP loss to cybercrime (UN Economic Commission for Africa)

In Kenya and Africa, the dominant threat vectors include AI-powered phishing (KE-CIRT/CC estimates 90% of attacks begin with phishing), mobile malware such as Anubis, AhMyth, and Hiddad targeting M-Pesa and mobile banking integrations, cloud misconfigurations that rose 18–25% as a breach vector in 2024, and ransomware-as-a-service increasingly deployed in healthcare, finance, and government.

The Serianu Africa Cybersecurity Report 2024/2025 describes Africa’s situation as a “perfect storm”: 570 million internet users and 855 million mobile data subscriptions, all against a backdrop of expanding attack surfaces, legacy infrastructure, and a skills deficit leaving most organisations materially underprepared. An estimated 94% of Kenyan systems contain exploitable vulnerabilities.

The Role of Boards & Executives

The Serianu report dedicates an entire section to the “Boardroom Cyber Risk Language Divide” — the profound disconnect between the technical language of cyber teams and the strategic language boards require. The Central Bank of Kenya’s Prudential Guidelines, the CMA’s Cybersecurity Guidelines, and the CA’s Framework for Cybersecurity in Critical Information Infrastructure all place explicit accountability on boards for technology risk oversight.

1. Which threat actors are most likely to target our sector, and what is our exposure?

Boards must maintain visibility over sector-specific threats — not only generic risks — and demand evidence of active threat intelligence programmes aligned to their operating context.

2. How is our cybersecurity posture continuously monitored and reported to this board?

Boards should receive structured quarterly dashboards translating technical risk into business language: incident severity, detection times, compliance posture, and vendor risk exposure.

3. Are third-party and supply chain risks fully reflected in our cyber risk register?

Technology audit scope must explicitly include vendor environments, cloud configurations, and API integrations — not just internally managed systems.

4. What incident response plans exist, and when were they last tested with executive participation?

Vendor-specific breach playbooks and executive tabletop exercises are essential. Managing communications during a breach requires preparation that cannot begin when the crisis is already live.

5. Is our CISO able to escalate critical risks directly to this board without organisational barriers?

Organisations where the CISO cannot raise a critical risk directly to the board are structurally unable to respond to existential threats. The CISO must have a direct line to the CEO and Board Audit or Risk Committee.

Cyber Defence: Practical Controls & Standards

Effective cyber defence is layered, integrated, and adaptive. No single control is sufficient. The following framework reflects current best practice for organisations operating in high-threat environments.

Zero Trust & Identity Access Management

Enforces MFA, least-privilege, and PAM. Assumes no implicit trust even within the network perimeter — critical for Kenya’s mobile-first, borderless environments.

EDR / XDR

Behaviour-based threat detection, continuous monitoring, and automated response replacing traditional antivirus. Kaspersky’s 2025 Kenya report recommends XDR as a critical defensive layer.

SOC / CSOC

24/7 monitoring and threat hunting. CA Kenya established a Cyber Security Operations Centre for the ICT and Telecom sector in 2024 — a model the private sector must mirror.

Email Security & Anti-Phishing

Gateway protection combined with realistic simulated phishing exercises — not annual tick-boxes, but training that builds genuine security culture at every level.

Patch Management

Systematic, rapid patching of vulnerabilities. KE-CIRT/CC identifies inadequate patching as a leading breach contributor — it must be treated as a security control, not IT housekeeping.

Backup & Recovery (3-2-1)

Three copies, two media types, one air-gapped or offsite — tested regularly. Without isolated backups, organisations face a choice between paying ransoms or catastrophic data loss.

Standards & Frameworks Applicable in Kenya & Africa

  • ISO/IEC 27001:2022 — Information security management
  • NIST CSF 2.0 — Cybersecurity risk management
  • ISACA COBIT 2019 — IT governance objectives
  • IIA Global Internal Audit Standards 2025
  • NIST AI Risk Management Framework 1.0
  • CBK ICT Supervision Guidelines (mandatory)
  • CMA Cybersecurity Guidelines
  • Kenya Data Protection Act 2019
  • Computer Misuse & Cybercrimes Act 2018
  • Kenya National Cybersecurity Strategy 2022–2027
  • AU Malabo Convention on Cyber Security
  • SOC 2 Type II — Cloud & SaaS provider assurance

Kenyan Regulatory Imperative

Kenya’s Data Protection Act 2019 (Section 43) requires data controllers to ensure any data processor — including vendors — provides sufficient guarantees to implement appropriate technical and organisational security measures. Non-compliance carries penalties of up to KES 5 million or 1% of annual turnover. Compliance with these frameworks is not the ceiling. It is the floor.

Business Continuity & Incident Response

Resilience begins before an attack occurs. A robust Business Continuity Plan defines how critical operations will be maintained during and after a cyber incident. Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) must be defined and tested — not merely documented. Africa-specific continuity risks extend beyond cyberattacks: undersea cable damage (Kenya, 2024), power outages, and urban-rural connectivity gaps must all be incorporated.

When an attack succeeds — and at current incident rates the question is when, not if — the quality of incident response determines the outcome. The average global dwell time between initial compromise and detection was 194 days in 2023 (IBM). Every day of undetected access multiplies the damage.

  • Preparation (Before the Incident): Policies, playbooks, trained teams, pre-retained IR firms, executive briefings, and tabletop exercises. Build the muscle before you need it.
  • Detection (Identify & Scope): Identify, scope, and classify the breach using SIEM platforms, threat intelligence feeds, and AI-driven anomaly detection to shrink dwell time.
  • Containment (Limit the Blast Radius): Isolate affected systems, limit spread, and preserve forensic evidence for investigation and regulatory reporting obligations.
  • Recovery (Eradicate & Restore): Remove the threat actor, restore systems from clean, validated backups, and confirm integrity before returning to full operations.
  • Review (Post-Incident Learning): Document lessons learned, improve controls, and meet regulatory notification obligations under Kenya’s Data Protection Act 2019.

Key Risk Categories

Understanding risk categories enables organisations to design effective frameworks aligned to regulatory expectations from the CBK, CMA Kenya, and continental frameworks like the AU Convention on Cyber Security and Personal Data Protection.

Data Breach & Leakage

Poor encryption, weak access, cloud misconfiguration, and insider threats. Requires data classification, DLP, and encryption at rest and in transit.

Operational Disruption

Ransomware on MSPs, cloud outages, API failures. BCP/DR plans and redundant providers with SLA-enforced RTO/RPO are essential defensive architecture.

Regulatory & Compliance

Vendor non-compliance and audit gaps expose organisations to DPA 2019, CBK, and CMA penalties. Contractual cybersecurity clauses and right-to-audit are now mandatory.

Cyber Supply Chain

The SolarWinds and 3CX model — malicious code in trusted software updates — is increasingly active across Africa. SBOM, code signing, and vendor attestations are critical.

AI-Powered Attacks

Deepfake impersonation, AI-generated phishing at scale, and polymorphic malware that rewrites itself to evade detection are operational threats today, not theoretical ones.

Fourth-Party Risk

African vendors rarely disclose subcontractor relationships proactively. Nth-party supply chain mapping and vendor transparency requirements must be contractually enforced.

Resilient Digital Operating Environments

A resilient digital operating environment does not assume attacks will be prevented. It is designed to withstand, adapt to, and recover from them. Four principles anchor resilient architecture:

Segmentation

Limit the blast radius of any breach through micro-segmentation, VLANs, and Zero Trust network access controls.

Observability

Know the state of every system, user, and data flow at all times through SIEM, CSPM, continuous audit logging, and KRI dashboards.

Supply chain security requires vendor cyber due diligence, contractual security standards, tiered vendor criticality assessments (Critical/High/Medium/Low), and continuous third-party risk monitoring through platforms such as BitSight and SecurityScorecard — moving beyond point-in-time assessments.

Leading Tools in Modern Cybersecurity & Assurance

  • CrowdStrike Falcon / Defender XDR (EDR/XDR): Endpoint detection, behavioural analytics, and automated response at machine speed, enabling small security teams to operate across complex enterprise environments.
  • Splunk / Microsoft Sentinel (SIEM): Real-time threat detection, event correlation, and incident triage across complex hybrid environments, supporting SOC operations and IT audit evidence collection.
  • Wiz / Prisma Cloud (Cloud): Cloud Security Posture Management, detecting misconfigurations and policy violations across multi-cloud environments as organisations accelerate cloud adoption.
  • BitSight / SecurityScorecard (TPRM): Continuous vendor cybersecurity risk scoring and supply chain monitoring, moving beyond point-in-time assessments to live vendor posture intelligence.
  • AuditBoard / ServiceNow IRM (GRC): Integrated GRC platforms for risk registers, control automation, compliance workflow management, and board-ready assurance reporting across the enterprise.
  • Darktrace / Vectra AI (AI Security): AI-driven threat hunting, anomaly detection, and real-time incident triage, enabling rapid identification of novel attack patterns before they crystallise into breaches.

Several trends will define the cybersecurity landscape over the next three to five years. Organisations that prepare proactively will lead; those that defer will face regulatory correction and preventable incidents.

AI: The Double-Edged Sword

Defenders are deploying AI for behavioural analytics, automated threat hunting, and predictive risk scoring. Simultaneously, attackers weaponise AI for deepfake impersonation, personalised phishing at scale, and polymorphic malware. The AI vs. AI war is operational now.

Quantum-Safe Cryptography

Quantum computing advances threaten current encryption standards. NIST published its first post-quantum cryptographic standards in 2024. Organisations handling sensitive long-duration data must begin migration planning now — this is a five-year planning horizon, not a distant concern.

Increased Regulatory Scrutiny

CBK and African regulators will mandate stricter vendor oversight requirements. Expect TPRM frameworks to become mandatory for Tier 1 and 2 banks aligned to the EU’s DORA model. CA Kenya’s enhanced mandate signals rising compliance obligations across regulated sectors.

Cyber Insurance Maturity

Cyber insurance penetration in Africa remains extremely low relative to exposure. As underwriters improve risk modelling for the African market, organisations with mature security practices will access better coverage at lower premiums — a direct financial incentive for resilience investment.

Real-Time Regulatory Reporting Assurance

Regulators are moving toward continuous supervisory data feeds. Assurance functions must certify the integrity of data pipelines feeding regulatory reporting systems — a new frontier for technology audit in Kenya’s banking and telecoms sectors.

Conclusion: Resilience Is a Strategic Choice

Cybersecurity and resilience in 2026 are not technical problems with technical solutions. They are strategic challenges requiring board commitment, executive accountability, cross-functional investment, and cultural transformation. For Kenyan and African organisations navigating rapid digital growth, the choice is stark: build resilience proactively, or pay for its absence catastrophically.

The threat landscape will not stabilise. AI-powered attacks will grow more sophisticated. Criminal ecosystems will become more organised. The infrastructure that underpins daily life — mobile money, government services, healthcare — will become an ever-more attractive target. The organisations and nations that invest in threat readiness, robust cyber defence, tested business continuity, empowered boards, and resilient digital architectures will not just survive this era. They will lead it.

Sentinel Assurance Partners — Cybersecurity & Technology Risk Services

Sentinel Assurance Partners provides specialist cybersecurity services across Kenya and East Africa — spanning cyber threat readiness and assessment, cybersecurity audit and assurance, board and executive cyber advisory, incident response planning and testing, business continuity and resilience, third-party and supply chain risk management, cloud security assurance, and regulatory compliance advisory. We combine deep technical expertise with regulatory fluency to help boards, audit committees, and executive management govern cyber risk with confidence.