In today’s rapidly digitising world, cyber risk has transcended IT departments to become a core business risk—one that every executive, board member, and strategist must confront head-on.
In Kenya, opportunities created by digital platforms, mobile money, e-commerce and cloud services have grown exponentially. However, exposure to cybercrime has also increased. Recent Kenyan cyber security data paints a stark picture: between January and March 2025, over 2.5 billion cyber threat events were detected, representing a more than 200 percent increase from the previous quarter, a trend reflecting not just higher threat activity but also broader digital engagement nationwide. This escalation continued later in the year, with reports showing that Kenya recorded more than 4.3 billion cyber threat incidents between October and December 2025, underscoring the sheer scale and complexity of risks facing our national digital infrastructure.
These threats span system attacks, malware, distributed denial of service (DDoS) and brute‑force login attempts that target vulnerabilities in applications, networks and human behaviour, such as phishing. Globally, attacking vectors are also evolving through the use of AI to craft highly convincing scams, deep fakes and automated intrusion attempts, meaning that complacency is no longer an option for any organisation with an online presence. The economic impact of cybercrime is already significant in Kenya. A recent Serianu cyber security report estimated that losses from cybercrime across the country reached about Sh29.9 billion ($230 million) in 2025, driven by payment fraud, online and email scams, and impersonation attacks that exploit gaps in monitoring and authentication systems. As the digital economy grows, financial services, telecommunications, healthcare, government agencies and even education sectors are increasingly on the radar of attackers seeking to capitalise on technology gaps and human error.
The business implications of these trends are profound. A successful cyber attack can disrupt operations for days, lead to regulatory penalties under data protection laws, erode customer trust, and impose heavy costs related to incident response, system recovery and legal liability. It can also damage reputations that companies have spent years building. In an interconnected economy, one breach in a supplier, partner or service provider can cascade across entire value chains, causing systemic risk that extends far beyond the originally affected organisation. Addressing cyber risk, both in Kenya and globally, requires businesses to fundamentally change how they perceive and manage these threats. Cybersecurity must be integrated into enterprise risk frameworks and overseen strategically by boards and leadership teams, rather than being delegated solely to IT departments. This involves establishing robust identity and access management controls.