Kenya is experiencing rapid growth in cyber threats, with 4.6 billion incidents reported in the past year, according to Safaricom’s Chief Corporate Security Officer, Nicholas Mulila, who opened the Safaricom Cybersecurity Summit.
He said the increase represents an 80 per cent rise in attacks, reflecting the country’s expanding digital footprint.
Mulila warned that many cyber risks stem from basic lapses in security. “Using your date of birth as your M-Pesa password is a red flag,” he said, stressing the importance of basic cyber hygiene for individuals and businesses alike.
He described Kenya as one of the fastest-growing cybersecurity markets, predicting that threats will continue to rise as digital investments expand.
The summit also revealed that efforts to curb fraud in mobile money and digital transactions have had some success.
Mulila said fraud levels have fallen by as much as 90 per cent, a decline attributed to increased monitoring, public education, and awareness campaigns, including messaging via adverts and SMS.
The Communications Authority of Kenya (CA) reports that threats remain persistent and evolving.
Over 4.5 billion cyber threat events were recorded in Q4 2024/25, an 80.7 per cent increase from the previous quarter, while Q1 2025/26 still saw over 842 million incidents.
The most common threats include system misconfigurations, often due to outdated infrastructure or poor risk awareness; ransomware attacks, which now use double extortion tactics targeting healthcare, finance, and manufacturing; and AI-powered phishing and social engineering attacks, including deepfakes.
DDoS attacks using IoT botnets have also surged, exemplified by the 2023 attack on the eCitizen platform.
Documented losses from cybercrime reached $83 million in 2023, with actual costs likely much higher. The financial services and e-government sectors remain primary targets.
The government was represented by Principal Secretary for the State Department for ICT and Digital Economy, Eng. John Tanui, CBS, who urged stronger collaboration between private sector companies and public agencies to improve the country’s digital resilience.
Mulila emphasised the growing threat landscape, noting that attacks are no longer hypothetical.
“Being cyber-attacked is an if, not a when,” he said. He called for robust systems to reduce the impact of successful attacks and enable rapid recovery.
As Kenya’s digital economy expands, experts warn that both government and businesses must invest in resilience, monitoring, and public education to safeguard critical systems and maintain trust in online platforms.
